Analysis
- Max time kernel: 141s
- Max time network: 122s
- Platform: windows7_x64
- Resource: win7-20240704-en
- Resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- Submitted: 26-07-2024 04:58

Static task: static1
Behavioral task: behavioral1
- Sample: a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe
- Resource: win7-20240704-en
General
- Target: a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe
- Size: 2.3MB
- MD5: 6a672bbdc7865a7518441284d853f8d8
- SHA1: be887b22a197194e90f9a090174f258bdb062562
- SHA256: a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284
- SHA512: 0e4f83cc50cf975d8ccee5d61b009e877b9fbc680b64e04a540a92c9601462ade0182376053fe15d0b8ef1af89dd46c06b25baafd0a597832600c03900afe5ee
- SSDEEP: 49152:e8GpcxEHvbuWvpD3pQcVTVx5QBUu/ApBsUIjtpULzhhLAJFhr:eRy0pBFrnu/ApBsUIRaLzv6
Malware Config
Extracted
- Family: risepro
- Address: 193.233.132.62
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 1 IoCs
Processes: a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe)
YARA rule match on dropped file
- Resource: \Users\Admin\AppData\Local\Temp\MlpxPf.exe
- Rule: aspack_v212_v242
Checks BIOS information in registry | 2 TTPs | 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe)
Executes dropped EXE | 1 IoCs
Processes: MlpxPf.exe
- PID 2232: MlpxPf.exe
Identifies Wine through registry keys | 2 TTPs | 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe
- Key opened: \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Wine (a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe)
Loads dropped DLL | 2 IoCs
Processes: a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe
- PID 1772: a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe (2 events)
Suspicious use of NtSetInformationThreadHideFromDebugger | 1 IoCs
Processes: a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe
- PID 1772: a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe
Drops file in Program Files directory | 64 IoCs
Processes: MlpxPf.exe
All 64 IoCs are "File opened for modification" by MlpxPf.exe:
- C:\Program Files\Mozilla Firefox\private_browsing.exe
- C:\Program Files (x86)\Google\Update\Install\{95CA7C0F-EA8C-4FCD-8952-D8E66C033579}\chrome_installer.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
- C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe
- C:\Program Files\Java\jre7\bin\orbd.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe
- C:\Program Files\Microsoft Games\Chess\Chess.exe
- C:\Program Files\Mozilla Firefox\pingsender.exe
- C:\Program Files\Windows Journal\PDIALOG.exe
- C:\Program Files\7-Zip\7zFM.exe
- C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE
- C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE
- C:\Program Files\Google\Chrome\Application\chrome.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe
- C:\Program Files\Mozilla Firefox\default-browser-agent.exe
- C:\Program Files\Java\jre7\bin\ktab.exe
- C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
- C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe
- C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe
- C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe
- C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE
- C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
- C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe
- C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe
- C:\Program Files\Windows Mail\wab.exe
- C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
- C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
- C:\Program Files\Java\jre7\bin\rmiregistry.exe
- C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe
- C:\Program Files\Mozilla Firefox\maintenanceservice.exe
- C:\Program Files\Mozilla Firefox\plugin-container.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\java.exe
- C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe
- C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE
- C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe
- C:\Program Files\Java\jre7\bin\javaw.exe
- C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe
- C:\Program Files\Java\jre7\bin\javaws.exe
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe
- C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE
- C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE
- C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe
Enumerates physical storage devices | 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery | 1 TTPs | 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe, MlpxPf.exe, cmd.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MlpxPf.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
Suspicious behavior: EnumeratesProcesses | 1 IoCs
Processes: a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe
- PID 1772: a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe
Suspicious use of WriteProcessMemory | 8 IoCs
Processes: a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe, MlpxPf.exe
- PID 1772 wrote to memory of 2232: a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe -> MlpxPf.exe (4 events)
- PID 2232 wrote to memory of 2924: MlpxPf.exe -> cmd.exe (4 events)
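The VirtualBox, BIOS, Wine and NLS signatures above are all registry reads that the sample performs before deciding how to behave. The script below is an added example, not part of the sandbox report or of the sample, showing how such reads can be turned into detection logic over an event log: it classifies the report's registry IoCs into categories, maps them to ATT&CK sub-technique ids, and only flags a process when it performs several distinct anti-VM checks, since a single BIOS-version read is common in legitimate installers. The event tuples are constructed from the IoC tables on this page (plus one benign control event); the (action, key, process) layout and the ATT&CK mapping are assumptions of this example, not something the report states.

```python
"""Added example (not from the sandbox report): classify registry reads
into anti-analysis categories and score them per process."""
import re
from collections import defaultdict

SAMPLE = "a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe"

# Constructed from the report's "Key opened" / "Key value queried" IoCs,
# plus one benign control event (explorer.exe) that no rule should match.
EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", SAMPLE),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", SAMPLE),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", SAMPLE),
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Wine", SAMPLE),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", SAMPLE),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", "MlpxPf.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", "cmd.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "explorer.exe"),
]

# (category, ATT&CK id, regex over the key path). The ATT&CK mapping is this
# example's assumption. The VBOX__ rule also accepts the FADT/RSDT tables that
# VirtualBox exposes under HARDWARE\ACPI; this sample only touched DSDT.
RULES = [
    ("virtualbox_acpi", "T1497.001", re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I)),
    ("bios_version",    "T1497.001", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("wine",            "T1497.001", re.compile(r"\\Software\\Wine$", re.I)),
    ("system_language", "T1614.001", re.compile(r"\\Control\\NLS\\Language$", re.I)),
]
EVASION_CATEGORIES = {"virtualbox_acpi", "bios_version", "wine"}


def classify(events):
    """Map each process to {category: [matched key paths]}; processes with no
    matching reads do not appear in the result."""
    hits = defaultdict(lambda: defaultdict(list))
    for _action, key, proc in events:
        for category, _tid, pattern in RULES:
            if pattern.search(key):
                hits[proc][category].append(key)
    return {proc: dict(cats) for proc, cats in hits.items()}


def techniques(events):
    """Map each process to the set of ATT&CK ids implied by its registry reads."""
    ids = defaultdict(set)
    for _action, key, proc in events:
        for _category, tid, pattern in RULES:
            if pattern.search(key):
                ids[proc].add(tid)
    return dict(ids)


def evasion_score(events):
    """Number of distinct anti-VM categories each classified process hit."""
    return {proc: len(EVASION_CATEGORIES & set(cats))
            for proc, cats in classify(events).items()}


def flag_anti_analysis(events, threshold=2):
    """Processes whose distinct anti-VM check count reaches the threshold.
    One check alone is weak evidence; several from one process is the alert."""
    return sorted(proc for proc, n in evasion_score(events).items() if n >= threshold)


if __name__ == "__main__":
    tids = techniques(EVENTS)
    for proc, cats in classify(EVENTS).items():
        print(proc, {c: len(keys) for c, keys in cats.items()}, sorted(tids[proc]))
    print("anti-analysis:", flag_anti_analysis(EVENTS))
```

Run as a script it prints the per-process categories and ATT&CK ids and flags only the original sample, which hits three distinct anti-VM categories; MlpxPf.exe and cmd.exe only read the NLS language key and stay below the threshold.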
Processes
- C:\Users\Admin\AppData\Local\Temp\a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe (PID 1772)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MlpxPf.exe (PID 2232, child of 1772)
    Command line: C:\Users\Admin\AppData\Local\Temp\MlpxPf.exe
    Signatures:
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2924, child of 2232)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\6ed31034.bat" "
      Signatures:
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 187B
  - MD5: d8e972e61caaa56c294af0b06689db51
  - SHA1: 76b29d9d1f7754653db209f23d8f739b94348437
  - SHA256: b1497d6a05c0eb768e719b220a052a220615da99715805d60cf769f356439b27
  - SHA512: 9c1f2f74c2d73711648ac88020bf8c45d30d43f2390986e97f6d6aa3ca1fd2ce370d569486b049dda60a4e7923916929a93c74360bd97729b450f83ce71fc96b
- File 2
  - Filesize: 15KB
  - MD5: f7d21de5c4e81341eccd280c11ddcc9a
  - SHA1: d4e9ef10d7685d491583c6fa93ae5d9105d815bd
  - SHA256: 4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794
  - SHA512: e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3