Analysis
-
max time kernel
143s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
15-08-2024 09:52
Static task
static1
Behavioral task
behavioral1
Sample
downloader (5).exe
Resource
win7-20240729-en
General
-
Target
downloader (5).exe
-
Size
70.1MB
-
MD5
990cb2c6cadc8c36bdf40fb70419f141
-
SHA1
18b2151d37dd6dea520d92127fc1518a8f344601
-
SHA256
adaaba0fa5907074e6e35be2d3f1bf97e32b7630ba8bb9eb91797c0795c37e2e
-
SHA512
a15bd95e953d2c9e4361535f3097e07a049419e14456e54f22d38295e3348e149b1dc703097f00f00f500b7684b63ed1f86dba74139cb9e10c9ab59f55bfb9f9
-
SSDEEP
393216:lWxQN89qQk4adiJCuE2fUCdod+OvqKkZHzXhJ/KTe8uiBUtkc0k3qjsGg4GUo3NV:lWoI7zGF5ahWc3ImL
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ XClient.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion XClient.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion XClient.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.lnk XClient.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.lnk XClient.exe -
Executes dropped EXE 1 IoCs
pid Process 2912 XClient.exe -
Loads dropped DLL 1 IoCs
pid Process 2912 XClient.exe -
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/files/0x002d000000019c34-6.dat agile_net behavioral1/memory/2912-8-0x0000000000A20000-0x0000000001128000-memory.dmp agile_net -
resource yara_rule behavioral1/files/0x0006000000019dbf-14.dat themida behavioral1/memory/2912-15-0x000007FEED390000-0x000007FEEDF14000-memory.dmp themida behavioral1/memory/2912-17-0x000007FEED390000-0x000007FEEDF14000-memory.dmp themida behavioral1/memory/2912-32-0x000007FEED390000-0x000007FEEDF14000-memory.dmp themida behavioral1/memory/2912-33-0x000007FEED390000-0x000007FEEDF14000-memory.dmp themida behavioral1/memory/2912-34-0x000007FEED390000-0x000007FEEDF14000-memory.dmp themida behavioral1/memory/2912-36-0x000007FEED390000-0x000007FEEDF14000-memory.dmp themida behavioral1/memory/2912-37-0x000007FEED390000-0x000007FEEDF14000-memory.dmp themida behavioral1/memory/2912-39-0x000007FEED390000-0x000007FEEDF14000-memory.dmp themida behavioral1/memory/2912-40-0x000007FEED390000-0x000007FEEDF14000-memory.dmp themida behavioral1/memory/2912-41-0x000007FEED390000-0x000007FEEDF14000-memory.dmp themida behavioral1/memory/2912-42-0x000007FEED390000-0x000007FEEDF14000-memory.dmp themida behavioral1/memory/2912-43-0x000007FEED390000-0x000007FEEDF14000-memory.dmp themida behavioral1/memory/2912-44-0x000007FEED390000-0x000007FEEDF14000-memory.dmp themida behavioral1/memory/2912-45-0x000007FEED390000-0x000007FEEDF14000-memory.dmp themida behavioral1/memory/2912-46-0x000007FEED390000-0x000007FEEDF14000-memory.dmp themida behavioral1/memory/2912-47-0x000007FEED390000-0x000007FEEDF14000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA XClient.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2912 XClient.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2912 XClient.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2912 XClient.exe 2912 XClient.exe 2912 XClient.exe 2912 XClient.exe 2912 XClient.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2912 XClient.exe Token: SeDebugPrivilege 2912 XClient.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2912 XClient.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2312 wrote to memory of 612 2312 downloader (5).exe 31 PID 2312 wrote to memory of 612 2312 downloader (5).exe 31 PID 2312 wrote to memory of 612 2312 downloader (5).exe 31 PID 2312 wrote to memory of 2892 2312 downloader (5).exe 32 PID 2312 wrote to memory of 2892 2312 downloader (5).exe 32 PID 2312 wrote to memory of 2892 2312 downloader (5).exe 32 PID 2892 wrote to memory of 2912 2892 cmd.exe 33 PID 2892 wrote to memory of 2912 2892 cmd.exe 33 PID 2892 wrote to memory of 2912 2892 cmd.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\downloader (5).exe"C:\Users\Admin\AppData\Local\Temp\downloader (5).exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\Xbox.exe""2⤵PID:612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\XClient.exe""2⤵
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2912
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.2MB
MD505b012457488a95a05d0541e0470d392
SHA174f541d6a8365508c794ef7b4ac7c297457f9ce3
SHA2561f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d
SHA5126d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6
-
Filesize
7.0MB
MD54fdd953a53303a4dd38242fee3b3c53a
SHA18d962de4d2f783a35b2666755e97928e446ceb1e
SHA2565243fc913cc5de56bb4a58e73f9ee9715a8779146737fc7c865d4d5390ae750f
SHA5125329acc05f07c5e82222877183e1e197cd6506a1cea24017930bf9f03159ea86f6853fc057378a646e8da79713e06f0f147c4b76135f058a9f21f737d8359737