Overview

overview

10

Static

static

3

3b692ec6fc...0N.exe

windows7-x64

10

3b692ec6fc...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    25/08/2024, 08:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b692ec6fca3e494145a9884da1f7470N.exe

  • Size

    1.9MB

  • MD5

    3b692ec6fca3e494145a9884da1f7470

  • SHA1

    f804225b1f72316446f7e2da32ac319027376ba0

  • SHA256

    8c83592274971fd307be6d21fff3a748c0ffec456fcd6f3bb86e947174e4945b

  • SHA512

    9dafe22f9fa466a60a7583c6322478e8483be25eac46d91dfb8c642f99e259d2e473d0d50a0242108382c6a9556802e8615481589395930f942540dbb96a8180

  • SSDEEP

    49152:ISlNHydXboE+2pKWTvP6p9kB/GS0fsXCFC:ISjydNCYn0+/

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b692ec6fca3e494145a9884da1f7470N.exe
    "C:\Users\Admin\AppData\Local\Temp\3b692ec6fca3e494145a9884da1f7470N.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2516
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2628
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1384
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1704
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:1940
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:35 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2492
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:36 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1644
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2304

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Hide Artifacts

    1
    T1564

    Hidden Files and Directories

    1
    T1564.001

    Modify Registry

    2
    T1112

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    1
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Virtualization/Sandbox Evasion

    2
    T1497

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Windows\Resources\Themes\explorer.exe
      Filesize

      1.9MB

      MD5

      571adcce731da8a7bc0e965e72c88e44

      SHA1

      a0529a6bf892dfacf418636535eeccd478b7ed0e

      SHA256

      6b2c5b886b97d5562854dbf450a9c8e281b94ae4f1e63002c40ddb7f072cecdb

      SHA512

      905785a308ebc84a452a5df431f59ef68a26745621a2c78cad8dc5ac30dd15701afc40c7a6cdad445f37da33849f45eb3847f97195b9d596075d842b21d377c8

      Download Submit

    • \Windows\Resources\spoolsv.exe
      Filesize

      1.9MB

      MD5

      44dd6b03bdd861af17f286b9c027f9a9

      SHA1

      ab0ca6db8fd9ed526f20f56a34af95428e5a4cde

      SHA256

      96db621f3c2d52cbdcc1134189e43a40f830fe4b517867f00b65853c2ed828d0

      SHA512

      9a742aa1ebfcbaeee79bdc751958e519179dd39833c00450441c44279f925d35f383ead4b11495a36c3bc6ccba7c9d4187608e2dff014cbe4371977fe406ad40

      Download Submit

    • \Windows\Resources\svchost.exe
      Filesize

      1.9MB

      MD5

      69ac9c0fb983c8bc9adeb55a397a46a9

      SHA1

      1d8878e4c36a7508b44cf2fa2c8a5cdfd86732b8

      SHA256

      b233d620f528e31bb5acdcc8d7b28130bee6f65464c108a3915638785a951296

      SHA512

      b657d3404a70c5df917fe970f98bd4066e39f3dd566585f916fefd330fcda04e1c2dbec153116a5f0e1c65b8bf46dc238120a6e214ccb758e9667ad44ca677f0

      Download Submit

    • memory/1384-65-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1384-45-0x0000000005560000-0x00000000059D3000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1384-31-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1704-86-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1704-78-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1704-82-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1704-70-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1704-88-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1704-80-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1704-90-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1704-84-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1704-71-0x00000000051C0000-0x0000000005633000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1704-56-0x00000000051C0000-0x0000000005633000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1704-76-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1704-92-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1704-72-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1704-74-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1940-64-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1940-57-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2516-44-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2516-47-0x0000000075500000-0x00000000755F0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2516-1-0x0000000075510000-0x0000000075511000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2516-67-0x0000000075500000-0x00000000755F0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2516-2-0x0000000075500000-0x00000000755F0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2516-66-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2516-16-0x00000000056D0000-0x0000000005B43000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2516-15-0x00000000056D0000-0x0000000005B43000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2516-0-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2628-75-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2628-85-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2628-77-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2628-81-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2628-32-0x0000000005600000-0x0000000005A73000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2628-83-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2628-58-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2628-79-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2628-69-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2628-87-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2628-17-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2628-89-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2628-73-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2628-91-0x0000000000400000-0x0000000000873000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2628-68-0x0000000005600000-0x0000000005A73000-memory.dmp

      Filesize

      4.4MB

      Download