035a82de22713080aa43c483c1c1cef63b827bd575a0486996f3a70ce5477e49

Analysis

max time kernel
36s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20240802-de
resource tags

arch:x64arch:x86image:win10v2004-20240802-delocale:de-deos:windows10-2004-x64systemwindows
submitted
05-09-2024 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Immortal Woofer.exe
Size

151.1MB
MD5

b3a420741d0c3ef020daa5332bcba7b6
SHA1

fab88334908bd6ac99ae2e98c7aa7b7412ebfc7d
SHA256

035a82de22713080aa43c483c1c1cef63b827bd575a0486996f3a70ce5477e49
SHA512

12b7af549557e9b705d4a11bdc023dcd2cab2dcb8673bb359a2ccfa284567f17fa9e97142352f416bc2b0edf198e56d900c69644198822fb16205fc98282f8e6
SSDEEP

786432:UPKYRuO3mOTgbr/skQsh/SgaNkbks5GoE3yKZ1fX36n:UPKCuO3mSgfkCKqksYoE3ySA

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Fruit Cleener.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Fruit Cleener.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Fruit Cleener.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Immortal Woofer.exe

Executes dropped EXE 2 IoCs

pid	Process
1912	LOADER_HERE.exe
4764	Fruit Cleener.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00070000000234f6-16.dat	themida
behavioral1/memory/4764-17-0x00007FF68E5B0000-0x00007FF68EF4B000-memory.dmp	themida
behavioral1/memory/4764-20-0x00007FF68E5B0000-0x00007FF68EF4B000-memory.dmp	themida
behavioral1/memory/4764-21-0x00007FF68E5B0000-0x00007FF68EF4B000-memory.dmp	themida
behavioral1/memory/4764-19-0x00007FF68E5B0000-0x00007FF68EF4B000-memory.dmp	themida
behavioral1/memory/4764-22-0x00007FF68E5B0000-0x00007FF68EF4B000-memory.dmp	themida
behavioral1/memory/4764-24-0x00007FF68E5B0000-0x00007FF68EF4B000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Fruit Cleener.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4764	Fruit Cleener.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\IME\serial_checker.bat	Immortal Woofer.exe
File created	C:\Windows\IME\Fruit Cleener.exe	Immortal Woofer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4884	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Immortal Woofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Immortal Woofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Immortal Woofer.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2028	taskkill.exe
3992	taskkill.exe
4376	taskkill.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3268	WMIC.exe
Token: SeSecurityPrivilege	3268	WMIC.exe
Token: SeTakeOwnershipPrivilege	3268	WMIC.exe
Token: SeLoadDriverPrivilege	3268	WMIC.exe
Token: SeSystemProfilePrivilege	3268	WMIC.exe
Token: SeSystemtimePrivilege	3268	WMIC.exe
Token: SeProfSingleProcessPrivilege	3268	WMIC.exe
Token: SeIncBasePriorityPrivilege	3268	WMIC.exe
Token: SeCreatePagefilePrivilege	3268	WMIC.exe
Token: SeBackupPrivilege	3268	WMIC.exe
Token: SeRestorePrivilege	3268	WMIC.exe
Token: SeShutdownPrivilege	3268	WMIC.exe
Token: SeDebugPrivilege	3268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3268	WMIC.exe
Token: SeRemoteShutdownPrivilege	3268	WMIC.exe
Token: SeUndockPrivilege	3268	WMIC.exe
Token: SeManageVolumePrivilege	3268	WMIC.exe
Token: 33	3268	WMIC.exe
Token: 34	3268	WMIC.exe
Token: 35	3268	WMIC.exe
Token: 36	3268	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3268	WMIC.exe
Token: SeSecurityPrivilege	3268	WMIC.exe
Token: SeTakeOwnershipPrivilege	3268	WMIC.exe
Token: SeLoadDriverPrivilege	3268	WMIC.exe
Token: SeSystemProfilePrivilege	3268	WMIC.exe
Token: SeSystemtimePrivilege	3268	WMIC.exe
Token: SeProfSingleProcessPrivilege	3268	WMIC.exe
Token: SeIncBasePriorityPrivilege	3268	WMIC.exe
Token: SeCreatePagefilePrivilege	3268	WMIC.exe
Token: SeBackupPrivilege	3268	WMIC.exe
Token: SeRestorePrivilege	3268	WMIC.exe
Token: SeShutdownPrivilege	3268	WMIC.exe
Token: SeDebugPrivilege	3268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3268	WMIC.exe
Token: SeRemoteShutdownPrivilege	3268	WMIC.exe
Token: SeUndockPrivilege	3268	WMIC.exe
Token: SeManageVolumePrivilege	3268	WMIC.exe
Token: 33	3268	WMIC.exe
Token: 34	3268	WMIC.exe
Token: 35	3268	WMIC.exe
Token: 36	3268	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1004	WMIC.exe
Token: SeSecurityPrivilege	1004	WMIC.exe
Token: SeTakeOwnershipPrivilege	1004	WMIC.exe
Token: SeLoadDriverPrivilege	1004	WMIC.exe
Token: SeSystemProfilePrivilege	1004	WMIC.exe
Token: SeSystemtimePrivilege	1004	WMIC.exe
Token: SeProfSingleProcessPrivilege	1004	WMIC.exe
Token: SeIncBasePriorityPrivilege	1004	WMIC.exe
Token: SeCreatePagefilePrivilege	1004	WMIC.exe
Token: SeBackupPrivilege	1004	WMIC.exe
Token: SeRestorePrivilege	1004	WMIC.exe
Token: SeShutdownPrivilege	1004	WMIC.exe
Token: SeDebugPrivilege	1004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1004	WMIC.exe
Token: SeRemoteShutdownPrivilege	1004	WMIC.exe
Token: SeUndockPrivilege	1004	WMIC.exe
Token: SeManageVolumePrivilege	1004	WMIC.exe
Token: 33	1004	WMIC.exe
Token: 34	1004	WMIC.exe
Token: 35	1004	WMIC.exe
Token: 36	1004	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1004	WMIC.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 1912	3860	Immortal Woofer.exe	94
PID 3860 wrote to memory of 1912	3860	Immortal Woofer.exe	94
PID 3860 wrote to memory of 2156	3860	Immortal Woofer.exe	96
PID 3860 wrote to memory of 2156	3860	Immortal Woofer.exe	96
PID 2156 wrote to memory of 3268	2156	cmd.exe	98
PID 2156 wrote to memory of 3268	2156	cmd.exe	98
PID 2156 wrote to memory of 1004	2156	cmd.exe	99
PID 2156 wrote to memory of 1004	2156	cmd.exe	99
PID 2156 wrote to memory of 1140	2156	cmd.exe	100
PID 2156 wrote to memory of 1140	2156	cmd.exe	100
PID 2156 wrote to memory of 1660	2156	cmd.exe	101
PID 2156 wrote to memory of 1660	2156	cmd.exe	101
PID 2156 wrote to memory of 1556	2156	cmd.exe	102
PID 2156 wrote to memory of 1556	2156	cmd.exe	102
PID 2156 wrote to memory of 4720	2156	cmd.exe	103
PID 2156 wrote to memory of 4720	2156	cmd.exe	103
PID 2156 wrote to memory of 4608	2156	cmd.exe	105
PID 2156 wrote to memory of 4608	2156	cmd.exe	105
PID 2156 wrote to memory of 3904	2156	cmd.exe	106
PID 2156 wrote to memory of 3904	2156	cmd.exe	106
PID 2156 wrote to memory of 3428	2156	cmd.exe	107
PID 2156 wrote to memory of 3428	2156	cmd.exe	107
PID 2156 wrote to memory of 1748	2156	cmd.exe	108
PID 2156 wrote to memory of 1748	2156	cmd.exe	108
PID 2156 wrote to memory of 908	2156	cmd.exe	109
PID 2156 wrote to memory of 908	2156	cmd.exe	109
PID 2156 wrote to memory of 748	2156	cmd.exe	110
PID 2156 wrote to memory of 748	2156	cmd.exe	110
PID 3860 wrote to memory of 4764	3860	Immortal Woofer.exe	112
PID 3860 wrote to memory of 4764	3860	Immortal Woofer.exe	112
PID 4764 wrote to memory of 2320	4764	Fruit Cleener.exe	114
PID 4764 wrote to memory of 2320	4764	Fruit Cleener.exe	114
PID 2320 wrote to memory of 2028	2320	cmd.exe	115
PID 2320 wrote to memory of 2028	2320	cmd.exe	115
PID 4764 wrote to memory of 4884	4764	Fruit Cleener.exe	116
PID 4764 wrote to memory of 4884	4764	Fruit Cleener.exe	116
PID 4884 wrote to memory of 3992	4884	cmd.exe	117
PID 4884 wrote to memory of 3992	4884	cmd.exe	117
PID 4764 wrote to memory of 3404	4764	Fruit Cleener.exe	118
PID 4764 wrote to memory of 3404	4764	Fruit Cleener.exe	118
PID 3404 wrote to memory of 4376	3404	cmd.exe	119
PID 3404 wrote to memory of 4376	3404	cmd.exe	119
PID 4764 wrote to memory of 4276	4764	Fruit Cleener.exe	120
PID 4764 wrote to memory of 4276	4764	Fruit Cleener.exe	120
PID 4276 wrote to memory of 2484	4276	cmd.exe	121
PID 4276 wrote to memory of 2484	4276	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\Immortal Woofer.exe
"C:\Users\Admin\AppData\Local\Temp\Immortal Woofer.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe
  "C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe" C:\Users\Admin\AppData\Local\Temp\gay.sys
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\IME\serial_checker.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get model, serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3268
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    PID:1140
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:1660
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:1556
- - C:\Windows\system32\getmac.exe
    getmac
    3⤵
    PID:4720
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get model, serialnumber
    3⤵
    PID:4608
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get serialnumber
    3⤵
    PID:3904
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    PID:3428
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:1748
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:908
- - C:\Windows\system32\getmac.exe
    getmac
    3⤵
    PID:748
- C:\Windows\IME\Fruit Cleener.exe
  "C:\Windows\IME\Fruit Cleener.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      4⤵
      Kills process with taskkill
      PID:3992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3404
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Battle.net.exe
      4⤵
      Kills process with taskkill
      PID:4376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start https://applecheats.cc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
      4⤵
      PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe

Filesize
534KB

MD5
cd4d08af76e7614f46bc853cf82cebc6

SHA1
94e75dac14976227c1c33ae48866e820db52aa1a

SHA256
f03d6b156974af96b66b3913bbcdf49609720f37f2e69c4222c2d0920f442f58

SHA512
b24396f3973156d8aef58203a0bcf1d542362e8591509e054488d6562fcf60e3cd628db0252a45ead220b4c7e82f065092e8a6145fcbfc399b4ca86f17084d99

Download Submit
C:\Windows\IME\Fruit Cleener.exe

Filesize
3.6MB

MD5
5d55189c4f5b49069859724f34597158

SHA1
c79a67cc70d2a8994d1c1480114c1890ae550f15

SHA256
027d32bf28bf27f41e1a4a883cedf922d0ea1928f5c8024b2702eb70cee6710a

SHA512
bae030f2075d6cdef0ba02533dbd0f5a5ea05a75634af7a7e231c836978e7512e8b237fb6197634b39278383927eec7410b437c52e926623164c3a17b643d00e

Download Submit
C:\Windows\IME\serial_checker.bat

Filesize
456B

MD5
cafc57aca6d10f9dcdc9d3aec9a35b72

SHA1
2e0e30ac79878b3d4d326f00735aaa7ff4b4a3df

SHA256
1c63492020872da13d2b35aa8eb02517376e1a7391bfaa1584d828bd5aa916ad

SHA512
d0e14f1eb2077b455f0a42a60b37c625badae4084734ce0e050e992a7b759d969c6d86e2be49ae20712c70c2453cb9efd3de8cb8124f0b489826f8f80f93fb95

Download Submit
memory/1912-7-0x00007FF6BF3E0000-0x00007FF6BF493000-memory.dmp

Filesize
716KB

Download
memory/1912-9-0x00007FF6BF3E0000-0x00007FF6BF493000-memory.dmp

Filesize
716KB

Download
memory/4764-17-0x00007FF68E5B0000-0x00007FF68EF4B000-memory.dmp

Filesize
9.6MB

Download
memory/4764-20-0x00007FF68E5B0000-0x00007FF68EF4B000-memory.dmp

Filesize
9.6MB

Download
memory/4764-21-0x00007FF68E5B0000-0x00007FF68EF4B000-memory.dmp

Filesize
9.6MB

Download
memory/4764-19-0x00007FF68E5B0000-0x00007FF68EF4B000-memory.dmp

Filesize
9.6MB

Download
memory/4764-22-0x00007FF68E5B0000-0x00007FF68EF4B000-memory.dmp

Filesize
9.6MB

Download
memory/4764-24-0x00007FF68E5B0000-0x00007FF68EF4B000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads