3f0ebe892ab87ea24db172ae96cfc216b591d3967821c9d2581a9e11faccde28

Analysis

max time kernel
141s
max time network
148s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc853.exe
Size

1.1MB
MD5

fd8e27f820bdbdf6cb80a46c67fd978a
SHA1

482d1624f9450ca1c99926ceec2606260e7ce544
SHA256

f7f4d18dbc0b822b89ba14ffea24114f92b593be0f287f300bb269b310883039
SHA512

da5c9c219c500c559030eb1e4279bc7182b04adf04060c04666d418ce2dcea1ad7a8c876b11bb9ccdf1ed4395b91347aa66765278a84d7a515982a17a7f6d8b3
SSDEEP

24576:Z35dPpIEchh+rx8BR7Vh868ekY3xDk5+cktrzqFcwobm:ZBEUwRb868o3xi+T/wobm

Score

9^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	reader_sl.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	atiode.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	atiode.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	atiode.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\atitmmxx_Svc = "C:\\Users\\Admin\\AppData\\Roaming\\ATI_Subsystem\\atiode.exe C:\\Users\\Admin\\AppData\\Roaming\\ATI_Subsystem\\atimuixx.dll, ADL_MMD_FeaturesX2_Caps"	atiode.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	atiode.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	reader_sl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	atiode.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 3 IoCs

pid	Process
2636	reader_sl.exe
2040	atiode.exe
2988	atiode.exe

Loads dropped DLL 14 IoCs

pid	Process
2208	doc853.exe
2208	doc853.exe
2208	doc853.exe
2208	doc853.exe
2636	reader_sl.exe
2040	atiode.exe
2040	atiode.exe
2040	atiode.exe
2040	atiode.exe
2040	atiode.exe
2988	atiode.exe
2988	atiode.exe
2988	atiode.exe
2988	atiode.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\atimpc_API = "C:\\Users\\Admin\\AppData\\Roaming\\ATI_Subsystem\\atiode.exe C:\\Users\\Admin\\AppData\\Roaming\\ATI_Subsystem\\atimuixx.dll, ADL_MMD_FeaturesX2_Caps"	atiode.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\atidxx_API = "C:\\Users\\Admin\\AppData\\Roaming\\ATI_Subsystem\\atiode.exe C:\\Users\\Admin\\AppData\\Roaming\\ATI_Subsystem\\atimuixx.dll, ADL_MMD_FeaturesX2_Caps"	atiode.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reader_sl.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	reader_sl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	atiode.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	atiode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	atiode.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	atiode.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	doc853.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reader_sl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atiode.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1128	taskkill.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\CLSID\{603D3801-BD81-11D0-A3A5-00C04FD706EC}	atiode.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\CLSID\{603D3801-BD81-11D0-A3A5-00C04FD706EC}\ = "ShellWindows"	atiode.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\CLSID\{603D3801-BD81-11D0-A3A5-00C04FD706EC}\Parameters = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c0052006f0061006d0069006e0067005c004100540049005f00530075006200730079007300740065006d005c006100740069006f00640065002e00650078006500200043003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c0052006f0061006d0069006e0067005c004100540049005f00530075006200730079007300740065006d005c006100740069006d0075006900780078002e0064006c006c002c002000410044004c005f004d004d0044005f0046006500610074007500720065007300580032005f0043006100700073000000	atiode.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\CLSID\{603D3801-BD81-11D0-A3A5-00C04FD706EC}\InProcServer32	atiode.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\CLSID\{603D3801-BD81-11D0-A3A5-00C04FD706EC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\ATI_Subsystem\\amd_opencl32.dll"	atiode.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\CLSID\{603D3801-BD81-11D0-A3A5-00C04FD706EC}\InProcServer32\ThreadingModel = "Apartment"	atiode.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2636	reader_sl.exe
2040	atiode.exe
2988	atiode.exe
2040	atiode.exe
2988	atiode.exe
2040	atiode.exe
2988	atiode.exe
2040	atiode.exe
2988	atiode.exe
2040	atiode.exe
2988	atiode.exe
2040	atiode.exe
2988	atiode.exe
2040	atiode.exe
2988	atiode.exe
2040	atiode.exe
2988	atiode.exe
2040	atiode.exe
2988	atiode.exe
2040	atiode.exe
2988	atiode.exe
2040	atiode.exe
2988	atiode.exe
2040	atiode.exe
2988	atiode.exe
2040	atiode.exe
2988	atiode.exe
2040	atiode.exe
2988	atiode.exe
2040	atiode.exe
2988	atiode.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2148	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1128	taskkill.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2148	AcroRd32.exe
2148	AcroRd32.exe
2148	AcroRd32.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2636	2208	doc853.exe	30
PID 2208 wrote to memory of 2636	2208	doc853.exe	30
PID 2208 wrote to memory of 2636	2208	doc853.exe	30
PID 2208 wrote to memory of 2636	2208	doc853.exe	30
PID 2208 wrote to memory of 2636	2208	doc853.exe	30
PID 2208 wrote to memory of 2636	2208	doc853.exe	30
PID 2208 wrote to memory of 2636	2208	doc853.exe	30
PID 2208 wrote to memory of 2148	2208	doc853.exe	31
PID 2208 wrote to memory of 2148	2208	doc853.exe	31
PID 2208 wrote to memory of 2148	2208	doc853.exe	31
PID 2208 wrote to memory of 2148	2208	doc853.exe	31
PID 2208 wrote to memory of 2148	2208	doc853.exe	31
PID 2208 wrote to memory of 2148	2208	doc853.exe	31
PID 2208 wrote to memory of 2148	2208	doc853.exe	31
PID 2636 wrote to memory of 2040	2636	reader_sl.exe	32
PID 2636 wrote to memory of 2040	2636	reader_sl.exe	32
PID 2636 wrote to memory of 2040	2636	reader_sl.exe	32
PID 2636 wrote to memory of 2040	2636	reader_sl.exe	32
PID 2636 wrote to memory of 2040	2636	reader_sl.exe	32
PID 2636 wrote to memory of 2040	2636	reader_sl.exe	32
PID 2636 wrote to memory of 2040	2636	reader_sl.exe	32
PID 2040 wrote to memory of 2528	2040	atiode.exe	33
PID 2040 wrote to memory of 2528	2040	atiode.exe	33
PID 2040 wrote to memory of 2528	2040	atiode.exe	33
PID 2040 wrote to memory of 2528	2040	atiode.exe	33
PID 2040 wrote to memory of 2528	2040	atiode.exe	33
PID 2040 wrote to memory of 2528	2040	atiode.exe	33
PID 2040 wrote to memory of 2528	2040	atiode.exe	33
PID 2528 wrote to memory of 1128	2528	cmd.exe	35
PID 2528 wrote to memory of 1128	2528	cmd.exe	35
PID 2528 wrote to memory of 1128	2528	cmd.exe	35
PID 2528 wrote to memory of 1128	2528	cmd.exe	35
PID 2528 wrote to memory of 1128	2528	cmd.exe	35
PID 2528 wrote to memory of 1128	2528	cmd.exe	35
PID 2528 wrote to memory of 1128	2528	cmd.exe	35
PID 2040 wrote to memory of 2988	2040	atiode.exe	37
PID 2040 wrote to memory of 2988	2040	atiode.exe	37
PID 2040 wrote to memory of 2988	2040	atiode.exe	37
PID 2040 wrote to memory of 2988	2040	atiode.exe	37
PID 2040 wrote to memory of 2988	2040	atiode.exe	37
PID 2040 wrote to memory of 2988	2040	atiode.exe	37
PID 2040 wrote to memory of 2988	2040	atiode.exe	37

C:\Users\Admin\AppData\Local\Temp\doc853.exe
"C:\Users\Admin\AppData\Local\Temp\doc853.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\reader_sl.exe
  "C:\Users\Admin\AppData\Local\Temp\reader_sl.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Users\Admin\AppData\Roaming\ATI_Subsystem\atiode.exe
    C:\Users\Admin\AppData\Roaming\ATI_Subsystem\atiode.exe C:\Users\Admin\AppData\Roaming\ATI_Subsystem\atimuixx.dll, ADL_MMD_FeaturesX2_Caps pid=2636 "C:\Users\Admin\AppData\Local\Temp\reader_sl.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Adds policy Run key to start application
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      /Q /C TASKKILL /F /PID 2636 > NUL & DEL /F /Q C:\Users\Admin\AppData\Local\Temp\reader_sl.exe > NUL
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /PID 2636
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
  - - C:\Users\Admin\AppData\Roaming\ATI_Subsystem\atiode.exe
      "C:\Users\Admin\AppData\Roaming\ATI_Subsystem\atiode.exe" "C:\Users\Admin\AppData\Roaming\ATI_Subsystem\atimuixx.dll", ADL_MMD_FeaturesX2_Caps
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2988
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\doc853.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\doc853.pdf

Filesize
181KB

MD5
93176df76e351b3ea829e0e6c6832bdf

SHA1
c8fe2296565c211e019cdad3918a5736d4b12d44

SHA256
950c8f9dbec3a2a1603f9202408cf49ea5a9573c7296e5940a42581cbd6fc8c2

SHA512
70560716842a62449b7c5e00e2094afa6c7c5604bdfcc07b9f60c463cfa47c700a13e9013da733c5a188b7bcb1d36897f0f3e5d79160d942ad27b096cf342eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\reader_sl.exe

Filesize
580KB

MD5
9ad55b83f2eec0c19873a770b0c86a2f

SHA1
9b56155b82f14000f0ec027f29ff20e6ae5205c2

SHA256
7cdb9c2e8b6ca7f0a683a39c0bdadc7a512cff5d8264fdec012c541fd19c0522

SHA512
5bb7949a8c581d01861f1f54518f9f124952670eaedd436e5fed58f54bb6c99af86144dbacabf4003a42091db62c765c3e6f67ebe2f85802e385baddba9c307a

Download Submit
C:\Users\Admin\AppData\Roaming\ATI_Subsystem\atimuixx.dll

Filesize
850KB

MD5
f16629ad4bc9473ef4978d6a3dd551f1

SHA1
c3fde950fe7d668805b40b1680d519f20c18b899

SHA256
ea8357db1071cda3e9a63592e584410d071673433a89215c220e0e7310729229

SHA512
7d97dd94a765c8567926764c65cdc51d10cd26688406f822b2ce055045b423e8f1f04ffcde17f644eca41a2ed23ddaafe22efa88d18452380cd6870bf5495d49

Download Submit
C:\Users\Admin\AppData\Roaming\ATI_Subsystem\racss.dat

Filesize
6KB

MD5
c3d654682fdf05776d0a524591a9406f

SHA1
5d3b82cdea4ae066efd5d127c7dd222adee62d0b

SHA256
b1402a803edfa3e07db1265290775c6a0a7e35c71acab4b29f865b2e7983eb49

SHA512
fe111d54083da1622f64bf4f1240b76ba509df2dee519ef6b00263454a9dd0515cb218ff12c38506d710a5415a7d757808633a33e2c2b328d8e865f1180d8e21

Download Submit
C:\Users\Admin\AppData\Roaming\ATI_Subsystem\racss.dat

Filesize
6KB

MD5
2887ab4ce37f33ff5aa15ddfc5a38fea

SHA1
c49de7704fe516e6188979b5b604f93cdf42abaf

SHA256
194e69c8ee5443c5ef5b9e05f14f6a9643440904d94663936d7674171d7dd5eb

SHA512
04d03038cca25894617d1ad8ad518dcbbaa5fe1df1139d97fd05ca04d8fac66b5fd68281a5be00285a2b10623be73c3bf6c5e6ed31b8e888e0cb121ecd6bda64

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f145d87c9d231b3557759e73083d04fe

SHA1
1e9ef3c83b84d8b4b952befef3ce9290f369a567

SHA256
3b12255524b628c910ca3c7b51681045139736109bffcef78ab36ba0512d93e3

SHA512
b522b6814d43c283cc8926a312684fddea3d734f7b13f970d04f6e1b95df4a6448a01fbf34a7e9e19a63897a0f0523231fed6f7eb0795423ed91c4d199b60657

Download Submit
\Users\Admin\AppData\Roaming\ATI_Subsystem\atiode.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit