Analysis

  • max time kernel
    25s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    22-07-2024 10:30

General

  • Target

    9d805397173fbb94a867a8bfbdfea660N.exe

  • Size

    494KB

  • MD5

    9d805397173fbb94a867a8bfbdfea660

  • SHA1

    0d1f08e58856b2a538b623399318545f022b440d

  • SHA256

    29183c75f39e2489e27ccb917a198bbeb0e4fb3594f7d23ccc067cdac2fa763a

  • SHA512

    342ab7ec48007b3e3bae35564b608154ae6a67d0b0e40b971f98ca9280cbab1a2b771185ce056d9e0b3fe4518ff8eb3761dfbc014415203fef6cb4198e3d9bc4

  • SSDEEP

    12288:C3ma4bE/SPQHqkdTvL7Ff456p9HKuJC7D:C3b4bEiFCVMaX4D

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d805397173fbb94a867a8bfbdfea660N.exe
    "C:\Users\Admin\AppData\Local\Temp\9d805397173fbb94a867a8bfbdfea660N.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Loads dropped DLL
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Users\Admin\AppData\Local\Temp\n8948\s8948.exe
      "C:\Users\Admin\AppData\Local\Temp\n8948\s8948.exe" ins.exe /e 12348374 /u 51938065-e47c-4b97-bfda-2a105bc06f2f /v "C:\Users\Admin\AppData\Local\Temp\9d805397173fbb94a867a8bfbdfea660N.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\n8948\s8948.exe

    Filesize

    284KB

    MD5

    9e24fe7dce5a39ec33319909e3e2e9de

    SHA1

    492d86466cd12c98803a262672cb5171f341e8d1

    SHA256

    05cdd536227ac4ebab76770ed3b2bbc364deb8cfdc1f6a6f598ecb86aa3d268f

    SHA512

    155b353506ef81cf0149178f8dc4b75575dbd0a2d2912038dac1278d8db454fb80edfd84958ebfeb6a3ef9c5de19af1284224bf7bb4af7113c863c3b1be1f4e1

  • memory/2800-14-0x000007FEF5D6E000-0x000007FEF5D6F000-memory.dmp

    Filesize

    4KB

  • memory/2800-15-0x0000000000A70000-0x0000000000A7A000-memory.dmp

    Filesize

    40KB

  • memory/2800-16-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

    Filesize

    9.6MB

  • memory/2800-17-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

    Filesize

    9.6MB

  • memory/2800-18-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

    Filesize

    9.6MB

  • memory/2800-19-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

    Filesize

    9.6MB

  • memory/2800-20-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

    Filesize

    9.6MB