7c7956bf7741138d599fa191f5f7d6245e04c6695e4a7847407f666e2a641ffc

General

Target

729dc7530d64899b1b98e4029a0901c3.exe
Size

56.5MB
MD5

729dc7530d64899b1b98e4029a0901c3
SHA1

a913ac448bc46b4d12a1e1fc1dbbb7215ddda29a
SHA256

7c7956bf7741138d599fa191f5f7d6245e04c6695e4a7847407f666e2a641ffc
SHA512

716c9b9dbd5f4c93efaf6de1deeaf17c497a10cca5d861e61e18f87a8e9af2bc42b0ea36f82d4e9b80766229ca9f2925f5912b194615ff8eb39ec1b3e76431bc
SSDEEP

1572864:amKm5eNXA90p2N+iUgK1EEZBplhSwPTMSnhXQYoeQBPB:t5ec6C+imvrM0QYoeuZ

Score

9^/10

evasion execution persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	729dc7530d64899b1b98e4029a0901c3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\winhb.sys	Loader.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	729dc7530d64899b1b98e4029a0901c3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	729dc7530d64899b1b98e4029a0901c3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe

Executes dropped EXE 1 IoCs

pid	Process
2740	Loader.exe

Loads dropped DLL 4 IoCs

pid	Process
2308	729dc7530d64899b1b98e4029a0901c3.exe
1256	Process not Found
1256	Process not Found
2712	Process not Found

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	729dc7530d64899b1b98e4029a0901c3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

Power Settings 1 TTPs 2 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2520	powercfg.exe
2764	cmd.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2859}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2869}	Loader.exe
File opened for modification	C:\Windows\System32\IME\IMETC\{69CD1F2D-DF68-4E23-9108-1B70783F2879}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2879}	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2308	729dc7530d64899b1b98e4029a0901c3.exe
2740	Loader.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}	Loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2893}	Loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2892}	Loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2859}	Loader.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
324	sc.exe
1448	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2636	reg.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2308	729dc7530d64899b1b98e4029a0901c3.exe
2740	Loader.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2780	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2520	powercfg.exe
Token: SeShutdownPrivilege	2520	powercfg.exe
Token: SeShutdownPrivilege	2520	powercfg.exe
Token: SeShutdownPrivilege	2520	powercfg.exe
Token: SeShutdownPrivilege	2520	powercfg.exe
Token: SeCreatePagefilePrivilege	2520	powercfg.exe
Token: SeDebugPrivilege	2780	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2308	729dc7530d64899b1b98e4029a0901c3.exe
2740	Loader.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2740	2308	729dc7530d64899b1b98e4029a0901c3.exe	32
PID 2308 wrote to memory of 2740	2308	729dc7530d64899b1b98e4029a0901c3.exe	32
PID 2308 wrote to memory of 2740	2308	729dc7530d64899b1b98e4029a0901c3.exe	32
PID 2740 wrote to memory of 2764	2740	Loader.exe	34
PID 2740 wrote to memory of 2764	2740	Loader.exe	34
PID 2740 wrote to memory of 2764	2740	Loader.exe	34
PID 2740 wrote to memory of 2692	2740	Loader.exe	35
PID 2740 wrote to memory of 2692	2740	Loader.exe	35
PID 2740 wrote to memory of 2692	2740	Loader.exe	35
PID 2692 wrote to memory of 2780	2692	cmd.exe	37
PID 2692 wrote to memory of 2780	2692	cmd.exe	37
PID 2692 wrote to memory of 2780	2692	cmd.exe	37
PID 2764 wrote to memory of 2520	2764	cmd.exe	38
PID 2764 wrote to memory of 2520	2764	cmd.exe	38
PID 2764 wrote to memory of 2520	2764	cmd.exe	38
PID 2740 wrote to memory of 2572	2740	Loader.exe	39
PID 2740 wrote to memory of 2572	2740	Loader.exe	39
PID 2740 wrote to memory of 2572	2740	Loader.exe	39
PID 2740 wrote to memory of 2608	2740	Loader.exe	40
PID 2740 wrote to memory of 2608	2740	Loader.exe	40
PID 2740 wrote to memory of 2608	2740	Loader.exe	40
PID 2572 wrote to memory of 2636	2572	cmd.exe	41
PID 2572 wrote to memory of 2636	2572	cmd.exe	41
PID 2572 wrote to memory of 2636	2572	cmd.exe	41
PID 2740 wrote to memory of 3024	2740	Loader.exe	43
PID 2740 wrote to memory of 3024	2740	Loader.exe	43
PID 2740 wrote to memory of 3024	2740	Loader.exe	43

C:\Users\Admin\AppData\Local\Temp\729dc7530d64899b1b98e4029a0901c3.exe
"C:\Users\Admin\AppData\Local\Temp\729dc7530d64899b1b98e4029a0901c3.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powercfg -h off
    3⤵
    - Power Settings
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\system32\powercfg.exe
      Powercfg -h off
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell "Confirm-SecureBootUEFI" > C:\secureboot_status.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "Confirm-SecureBootUEFI"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:2636
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    3⤵
    PID:2608
  - - C:\Windows\system32\sc.exe
      sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
      4⤵
      Launches sc.exe
      PID:1448
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc start windowsproc
    3⤵
    PID:3024
  - - C:\Windows\system32\sc.exe
      sc start windowsproc
      4⤵
      Launches sc.exe
      PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

Power Settings

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899}\favicon1.ico

Filesize
244KB

MD5
894384c5a192fe45e6d2e29b60a10a11

SHA1
56f43d42367b86e439bb640df007649386c5be91

SHA256
f0dcfacc6d28747a0ff8c3a9001fe4c7c4c387bd150a82895f8ea21ce201eec8

SHA512
95776900db01834bf0652cda1e96cb108c062cf5a71d9d6423b8f601fb116620293738e7ed31dff9886612be099683a9ee1078d5d0c81ec457c629d54960cf14

Download Submit
C:\secureboot_status.txt

Filesize
447B

MD5
cf8355d29a9d97cf5d6a673e64f9fcda

SHA1
9050f2dd8c50258f22fea4278268357d4133668f

SHA256
7fc3a10f21c5405061e1eff734790d1a640ddc1971a84e60070288af8bb161d3

SHA512
9669cb9c7100047e4f0c0478edc3c390fde9fa8ae98e5aaf4c204520f6eb3e57c11eb388f72986afd21781c24b2796c39e1aa291d34f481b0de9c94b81bd1a48

Download Submit
memory/2308-0-0x0000000077A10000-0x0000000077A12000-memory.dmp

Filesize
8KB

Download
memory/2308-1-0x0000000140000000-0x0000000141000000-memory.dmp

Filesize
16.0MB

Download
memory/2308-13-0x0000000140000000-0x0000000141000000-memory.dmp

Filesize
16.0MB

Download
memory/2740-65-0x0000000004110000-0x000000000411A000-memory.dmp

Filesize
40KB

Download
memory/2740-64-0x0000000004110000-0x000000000411A000-memory.dmp

Filesize
40KB

Download
memory/2780-28-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2780-29-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads