ff24b9da6cddd77f8c19169134eb054130567825eee1008b5a32244e1028e76f

Resubmissions

24/08/2024, 17:28

240824-v148kasgpr 9

24/08/2024, 17:17

240824-vtnx1a1aqc 9

Analysis

max time kernel
425s
max time network
423s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
24/08/2024, 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pafish64.exe
Size

118KB
MD5

4b6229d1b32d7346cf4c8312a8bc7925
SHA1

4d83e18a7e1650b4f9bb5e866ea4ad97a21522bd
SHA256

ff24b9da6cddd77f8c19169134eb054130567825eee1008b5a32244e1028e76f
SHA512

804f7e663f3a4e03f99e19f7ad8e89362c9d11793ece2e0716f86bce020f6ce95766fc4f6e686375b73d0b6765cc75029d8d6527abe0777b91ec807f81c7146a
SSDEEP

3072:wgjIzC10pKQ6PbNehdv3I0lmPendNyrOMGTkrNRD:wgSCuMDendVMGTuNR

Score

9^/10

discovery evasion

Malware Config

Signatures

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	pafish64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	pafish64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	pafish64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	pafish64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	pafish64.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	pafish64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	pafish64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	pafish64.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	pafish64.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	pafish64.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	pafish64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	pafish64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	pafish64.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\SOFTWARE\Wine	pafish64.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	pafish64.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe

Runs regedit.exe 1 IoCs

pid	Process
4192	regedit.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1688	explorer.exe
1440	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2872	pafish64.exe
2872	pafish64.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
4192	regedit.exe
1688	explorer.exe
400	mmc.exe
1440	vlc.exe
3456	msinfo32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4916	control.exe
Token: SeCreatePagefilePrivilege	4916	control.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe
Token: 33	400	mmc.exe
Token: SeIncBasePriorityPrivilege	400	mmc.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1688	explorer.exe
1440	vlc.exe
1440	vlc.exe
1440	vlc.exe
1440	vlc.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1440	vlc.exe
1440	vlc.exe
1440	vlc.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4472	MiniSearchHost.exe
2872	pafish64.exe
2872	pafish64.exe
400	mmc.exe
400	mmc.exe
1440	vlc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 4192	1688	explorer.exe	103
PID 1688 wrote to memory of 4192	1688	explorer.exe	103
PID 1688 wrote to memory of 400	1688	explorer.exe	105
PID 1688 wrote to memory of 400	1688	explorer.exe	105
PID 1688 wrote to memory of 3456	1688	explorer.exe	109
PID 1688 wrote to memory of 3456	1688	explorer.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\pafish64.exe
"C:\Users\Admin\AppData\Local\Temp\pafish64.exe"
1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2872

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4472

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2836

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:724

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\regedit.exe
  "C:\Windows\regedit.exe"
  2⤵
  - Runs regedit.exe
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4192
- C:\Windows\system32\mmc.exe
  "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:400
- C:\Windows\system32\msinfo32.exe
  "C:\Windows\system32\msinfo32.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3456

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ResolveSet.mov"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
30f9f69bd4cb3ca8ed4af465e6bf3b72

SHA1
1f7bf3625d683c1af38485d1eb39152949648749

SHA256
fbb114871abc3901711a5f204cb370f1cc1602ad89fa0c8155288ec72e4eaf36

SHA512
ae96746716d0b47912c191ca52db48ee40aca9591444c1f0ffbc913346be1fff1e9f71c6e66cb4c175fd308e04a504367dd56bf84920f94c65142cd8508258c2

Download Submit
memory/1440-72-0x00007FF66EE50000-0x00007FF66EF48000-memory.dmp

Filesize
992KB

Download
memory/1440-73-0x00007FF81D400000-0x00007FF81D434000-memory.dmp

Filesize
208KB

Download
memory/1440-74-0x00007FF804720000-0x00007FF8049D6000-memory.dmp

Filesize
2.7MB

Download
memory/1440-75-0x00007FF802170000-0x00007FF803220000-memory.dmp

Filesize
16.7MB

Download
memory/2872-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2872-14-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2872-18-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2872-22-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download