b8b9a275dd7074b5169977ea5e71d0399845e88408d94b71878a7950d926c316

Analysis

max time kernel
25s
max time network
29s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SimpleToolZ.exe
Size

56.5MB
MD5

d096ccc62bc5ca43fdaecdeb60579aaf
SHA1

ec7ea18a482a749f7d0c02a3e7c0c695ce28b74e
SHA256

b8b9a275dd7074b5169977ea5e71d0399845e88408d94b71878a7950d926c316
SHA512

006bd3eca1a2d6b16ffd1cb46e0066756eb57abb9b618454a186b1d1fd237bfed23c0bfe197ada61520a9d5e98b2bf360beb528a46687ae5e3c9da60ccd923b2
SSDEEP

1572864:amKm5eNXA90p2N+iUgK1EEZBplhSwPTMSnhXQYoeQBPd:t5ec6C+imvrM0QYoeu1

Score

10^/10

evasion execution persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SimpleToolZ.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\winhb.sys	Loader.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SimpleToolZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SimpleToolZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe

Deletes itself 1 IoCs

pid	Process
2236	Loader.exe

Executes dropped EXE 1 IoCs

pid	Process
2236	Loader.exe

Loads dropped DLL 4 IoCs

pid	Process
2716	SimpleToolZ.exe
1204	Process not Found
1204	Process not Found
2944	Process not Found

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SimpleToolZ.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

Power Settings 1 TTPs 2 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2788	cmd.exe
2948	powercfg.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899}\favicon1.ico	Loader.exe
File created	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899}\female.names	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2879}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2859}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2869}	Loader.exe
File opened for modification	C:\Windows\System32\IME\IMETC\{69CD1F2D-DF68-4E23-9108-1B70783F2879}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899}	Loader.exe
File created	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899}\male.names	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2716	SimpleToolZ.exe
2236	Loader.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}	Loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2893}	Loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2892}	Loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2859}	Loader.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2700	sc.exe
2756	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2748	reg.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2716	SimpleToolZ.exe
2236	Loader.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
3012	powershell.exe
2236	Loader.exe
2236	Loader.exe
2236	Loader.exe
2236	Loader.exe
2236	Loader.exe
2236	Loader.exe
2236	Loader.exe
2236	Loader.exe
2236	Loader.exe
2236	Loader.exe
2236	Loader.exe
2236	Loader.exe
2236	Loader.exe
2236	Loader.exe
2236	Loader.exe
2236	Loader.exe
2236	Loader.exe
2236	Loader.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2948	powercfg.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeShutdownPrivilege	2948	powercfg.exe
Token: SeShutdownPrivilege	2948	powercfg.exe
Token: SeShutdownPrivilege	2948	powercfg.exe
Token: SeShutdownPrivilege	2948	powercfg.exe
Token: SeCreatePagefilePrivilege	2948	powercfg.exe
Token: SeShutdownPrivilege	2236	Loader.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2716	SimpleToolZ.exe
2236	Loader.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2236	2716	SimpleToolZ.exe	32
PID 2716 wrote to memory of 2236	2716	SimpleToolZ.exe	32
PID 2716 wrote to memory of 2236	2716	SimpleToolZ.exe	32
PID 2236 wrote to memory of 2788	2236	Loader.exe	34
PID 2236 wrote to memory of 2788	2236	Loader.exe	34
PID 2236 wrote to memory of 2788	2236	Loader.exe	34
PID 2236 wrote to memory of 2784	2236	Loader.exe	35
PID 2236 wrote to memory of 2784	2236	Loader.exe	35
PID 2236 wrote to memory of 2784	2236	Loader.exe	35
PID 2784 wrote to memory of 3012	2784	cmd.exe	37
PID 2784 wrote to memory of 3012	2784	cmd.exe	37
PID 2784 wrote to memory of 3012	2784	cmd.exe	37
PID 2788 wrote to memory of 2948	2788	cmd.exe	38
PID 2788 wrote to memory of 2948	2788	cmd.exe	38
PID 2788 wrote to memory of 2948	2788	cmd.exe	38
PID 2236 wrote to memory of 2800	2236	Loader.exe	39
PID 2236 wrote to memory of 2800	2236	Loader.exe	39
PID 2236 wrote to memory of 2800	2236	Loader.exe	39
PID 2236 wrote to memory of 2680	2236	Loader.exe	40
PID 2236 wrote to memory of 2680	2236	Loader.exe	40
PID 2236 wrote to memory of 2680	2236	Loader.exe	40
PID 2800 wrote to memory of 2748	2800	cmd.exe	41
PID 2800 wrote to memory of 2748	2800	cmd.exe	41
PID 2800 wrote to memory of 2748	2800	cmd.exe	41
PID 2236 wrote to memory of 2632	2236	Loader.exe	43
PID 2236 wrote to memory of 2632	2236	Loader.exe	43
PID 2236 wrote to memory of 2632	2236	Loader.exe	43
PID 2632 wrote to memory of 2700	2632	cmd.exe	45
PID 2632 wrote to memory of 2700	2632	cmd.exe	45
PID 2632 wrote to memory of 2700	2632	cmd.exe	45
PID 2680 wrote to memory of 2756	2680	cmd.exe	46
PID 2680 wrote to memory of 2756	2680	cmd.exe	46
PID 2680 wrote to memory of 2756	2680	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\SimpleToolZ.exe
"C:\Users\Admin\AppData\Local\Temp\SimpleToolZ.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Deletes itself
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C Powercfg -h off
    3⤵
    - Power Settings
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\system32\powercfg.exe
      Powercfg -h off
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell "Confirm-SecureBootUEFI" > C:\secureboot_status.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "Confirm-SecureBootUEFI"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2748
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\system32\sc.exe
      sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
      4⤵
      Launches sc.exe
      PID:2756
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc start windowsproc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\system32\sc.exe
      sc start windowsproc
      4⤵
      Launches sc.exe
      PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899}\favicon1.ico

Filesize
244KB

MD5
894384c5a192fe45e6d2e29b60a10a11

SHA1
56f43d42367b86e439bb640df007649386c5be91

SHA256
f0dcfacc6d28747a0ff8c3a9001fe4c7c4c387bd150a82895f8ea21ce201eec8

SHA512
95776900db01834bf0652cda1e96cb108c062cf5a71d9d6423b8f601fb116620293738e7ed31dff9886612be099683a9ee1078d5d0c81ec457c629d54960cf14

Download Submit
C:\secureboot_status.txt

Filesize
447B

MD5
cf8355d29a9d97cf5d6a673e64f9fcda

SHA1
9050f2dd8c50258f22fea4278268357d4133668f

SHA256
7fc3a10f21c5405061e1eff734790d1a640ddc1971a84e60070288af8bb161d3

SHA512
9669cb9c7100047e4f0c0478edc3c390fde9fa8ae98e5aaf4c204520f6eb3e57c11eb388f72986afd21781c24b2796c39e1aa291d34f481b0de9c94b81bd1a48

Download Submit
memory/2236-64-0x0000000004980000-0x000000000498A000-memory.dmp

Filesize
40KB

Download
memory/2236-65-0x0000000004980000-0x000000000498A000-memory.dmp

Filesize
40KB

Download
memory/2716-0-0x0000000077260000-0x0000000077262000-memory.dmp

Filesize
8KB

Download
memory/2716-1-0x0000000140000000-0x0000000141000000-memory.dmp

Filesize
16.0MB

Download
memory/2716-13-0x0000000140000000-0x0000000141000000-memory.dmp

Filesize
16.0MB

Download
memory/3012-28-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/3012-29-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download