Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
05-09-2024 06:31
General
-
Target
b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exe
-
Size
3.2MB
-
MD5
06dcb15ae610d9451fb568bc536069ee
-
SHA1
611af21b221bd004e7546d2603793de501b4f38d
-
SHA256
b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252
-
SHA512
9ce44cf3089f267b8db94ae4bdb3e78655fefe0aab4125cae956f0fbef4aa161e6eaca1f3ac0b755d75e10a1e31a5231c450ac8a04fc461bd1dbf45ee92c19fb
-
SSDEEP
49152:tJkY6l5vePmrlqqZZp/wuERzibxCfAz7x:bkY6l5vePGlp99b/x
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 11 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 5 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exe"C:\Users\Admin\AppData\Local\Temp\b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exec:\users\admin\appdata\local\temp\b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exe2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 159283⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:33 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:34 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:35 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
135KB
MD57e1668bf577b94e7f6298c10aa7383e1
SHA1af303863e88020aaa49199b11e93c8f528de4ad9
SHA256e165600a74730906a04de38f40e2f32c2e7ae1e90f8df612c719ffa054457651
SHA512050c8440962906c0c8b39c2b5c5db38ff6fcc8fcc754a53c31741892d632a074b49672c6f026e984e92e1d0a97760b25a979a96366e5a2876878dc41b8700443
-
Filesize
3.1MB
MD50c33284728a138decf9bf5229bc1272a
SHA141bac3740aee663620d82503e7dda4cd3f564eb7
SHA256ad013bc1676f0fb7f9dd576d5d96e4b121770756abeb70379e01d0003dca8681
SHA5120c9a0647418ffdf03ca31db1fbe7152a301953d1fe9a7115f18271c4690ed72af0e2b0acf9f6ad05234e6faa7cba759d815435cb67536a1253f1959a953a6622
-
Filesize
135KB
MD5a082983f3d6f012f8b211bcac9df371d
SHA18f13e36f5ec891cf4eccfc77694b6268f50f07d9
SHA2569a45fb25503111878442721305dfd9f5c9bd9cf3e60e1d5b5e9c754b48166253
SHA512b5d3c96efb0d84ee4d7c968ea90d7c75b8203667ea9beaa655e6507f03d146e5fccbfb45561559085fdba9e016c645959f6e510cb8a43a351aa4ac856253b04a
-
Filesize
135KB
MD53de30eda060d3eefbd8bbc92f973190b
SHA10260059883dd482b662de17801298696930d8350
SHA2564c53e465cd7d084a6161ee31e30b464c54a24a926fc8053194d54c690fcd1aea
SHA5121676168a0881e85e51cd5761d287cbd98daf0ca6f0a1173679efc79a0e4fe462b08920eec1f348bc0580db731481c6ed7207cad98375c1d755e405a7a4e52999
-
Filesize
135KB
MD545888558373395c4659939aa289ed11c
SHA1aeac5f5226ec986cbf49d6a39b692d209939079b
SHA25603964bf45119090b76da246efd3f636a2a6245ee099c3e175798a91368b650bc
SHA5127ac889899b14f910e5ee8c3157ab215a7eaa2a4ea975d9d86b7cf8dec326682b7d00404315583bd791ff308e62c7566a6ebd2e658318a85ecae4ae9129937582
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
1.4MB
-
Filesize
3.1MB
-
Filesize
4KB