Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
05-09-2024 12:23
General
-
Target
b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exe
-
Size
3.2MB
-
MD5
06dcb15ae610d9451fb568bc536069ee
-
SHA1
611af21b221bd004e7546d2603793de501b4f38d
-
SHA256
b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252
-
SHA512
9ce44cf3089f267b8db94ae4bdb3e78655fefe0aab4125cae956f0fbef4aa161e6eaca1f3ac0b755d75e10a1e31a5231c450ac8a04fc461bd1dbf45ee92c19fb
-
SSDEEP
49152:tJkY6l5vePmrlqqZZp/wuERzibxCfAz7x:bkY6l5vePGlp99b/x
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 11 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 5 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exe"C:\Users\Admin\AppData\Local\Temp\b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exec:\users\admin\appdata\local\temp\b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exe2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 164203⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:25 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:26 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:27 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
135KB
MD5161d38715bd4257653337da547ae92be
SHA1144d981483787747f2b3c958d933c15495d3b453
SHA256fce88e7aeaa9877f4e8d7b90f04736adeff57c0906fa26f41133f13a207fe23e
SHA512804a8bebe25a4466bf033b1f2f2c940847823e7a895384f3929fb3505d9fdf755ea41cfdcb5a0de52a01a603ee82f052e8516a2ee967df5c5515bb8cbfec6cdc
-
Filesize
3.1MB
MD50c33284728a138decf9bf5229bc1272a
SHA141bac3740aee663620d82503e7dda4cd3f564eb7
SHA256ad013bc1676f0fb7f9dd576d5d96e4b121770756abeb70379e01d0003dca8681
SHA5120c9a0647418ffdf03ca31db1fbe7152a301953d1fe9a7115f18271c4690ed72af0e2b0acf9f6ad05234e6faa7cba759d815435cb67536a1253f1959a953a6622
-
Filesize
135KB
MD5a082983f3d6f012f8b211bcac9df371d
SHA18f13e36f5ec891cf4eccfc77694b6268f50f07d9
SHA2569a45fb25503111878442721305dfd9f5c9bd9cf3e60e1d5b5e9c754b48166253
SHA512b5d3c96efb0d84ee4d7c968ea90d7c75b8203667ea9beaa655e6507f03d146e5fccbfb45561559085fdba9e016c645959f6e510cb8a43a351aa4ac856253b04a
-
Filesize
135KB
MD50ed9f89a12389b335ee69c44dcfaac6a
SHA118c75b3ff2b8bcc37245ff90fd34059c3fb3e099
SHA2566bc4b6a7be7efea5588ae6d92d66a7aef4ab55ee91344a50b2455e3cf2e3cb69
SHA512b20a9e0f0b0027ba10b8183db6161415c668a4233a5f694f6df5895d769dbfe8dc55f7c591e91ed9683766888be35ba6ece3656612f0dc5586ea775055473fe7
-
Filesize
135KB
MD500d2d5a5babd12bb664e541e94f5482a
SHA1b4772a794b868663fe5573a64a55da6b5e6dac3b
SHA2561c8bc90f425ef05bdd9ff680ebe90f200b952e8b65d0a81ac7bbb514ee0a43c5
SHA51297fd8430b28924ce95b51ecb1527be71ea0063a4e6f415d98662e3f3571b1f7ccd5fc8a983c0e475dcfb2bfead9ac2a0f7172c225a77beb3b9523c70cad0729a
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
1.4MB
-
Filesize
3.1MB
-
Filesize
4KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB