Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 01-08-2024 20:44
Static task: static1
Behavioral task: behavioral1
Sample: free+fn.exe
Resource: win7-20240729-en
General
Target: free+fn.exe
Size: 1.7MB
MD5: 21d0503591599d833536e4d1bb7cb352
SHA1: 9664ffc0a92896b89911c35d73cab84605ab3b8b
SHA256: cc9a7ddcb53c96c1b2acb8a77f0259319cc51f3405e8b00036bddc612ee56db6
SHA512: 2ea754b0eca571ce0536651b8d7127d35a8079006773af892b5ceb985be67710bc8297d426779cc7b4c26c4e35ae0eb8542e16da97a2b9f3178bbb291bef8848
SSDEEP: 24576:BI5g2vzFqkz5PTCtzRGhLArFVlebI+Jnmb2+ocKrREOKSS2u2Kr:e/NLOXfond+ocwEfXD
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 1 IoC]
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | free+fn.exe

- Looks for VirtualBox Guest Additions in registry [2 TTPs, 1 IoC]
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | free+fn.exe

- Checks BIOS information in registry [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | free+fn.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | free+fn.exe

- Executes dropped EXE [1 IoC]
  pid | Process
  2324 | mp.exe

- Loads dropped DLL [1 IoC]
  pid | Process
  2084 | cmd.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger [2 IoCs]
  pid | Process
  2516 | free+fn.exe
  2516 | free+fn.exe

- Checks for VirtualBox DLLs, possible anti-VM trick [1 TTP, 1 IoC]
  Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
  description | ioc | Process
  File opened (read-only) | \??\VBoxMiniRdrDN | free+fn.exe

- Suspicious behavior: EnumeratesProcesses [64 IoCs]
  pid | Process
  2516 | free+fn.exe (64 identical entries)

- Suspicious use of WriteProcessMemory [18 IoCs]
  description | pid | Process | procid_target
  PID 2516 wrote to memory of 2416 | 2516 | free+fn.exe | 31 (3 identical entries)
  PID 2516 wrote to memory of 2556 | 2516 | free+fn.exe | 32 (3 identical entries)
  PID 2516 wrote to memory of 2044 | 2516 | free+fn.exe | 33 (3 identical entries)
  PID 2516 wrote to memory of 2084 | 2516 | free+fn.exe | 34 (3 identical entries)
  PID 2084 wrote to memory of 2324 | 2084 | cmd.exe | 35 (3 identical entries)
  PID 2516 wrote to memory of 3044 | 2516 | free+fn.exe | 36 (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\free+fn.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\free+fn.exe"
  PID: 2516
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Looks for VirtualBox Guest Additions in registry
  - Checks BIOS information in registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
    PID: 2416
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
    PID: 2556
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c color 2
    PID: 2044
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\mp.exe C:\Users\dr.sys
    PID: 2084
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\mp.exe
      Command line: C:\Users\mp.exe C:\Users\dr.sys
      PID: 2324
      - Executes dropped EXE
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c color 7
    PID: 3044
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 530KB
  MD5: 54ed683eba9340abf6783bd8d7b39445
  SHA1: 950e3c11c71354097c8440529b31f8ac2b3c32a8
  SHA256: 2d0a9d5ca563ffa82a974903bb43411b22c863311ec926449f08d16f483e4e70
  SHA512: 9ff8c110823bad1e0a79a810b151e1d5557022080af0c8aaa9ff76996bd040747346f62459c50468cf86f49389c0e5fb7f057e9bd30fa31fed49ae5692d50ae2