Analysis
  max time kernel: 65s
  max time network: 66s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 13/10/2024, 13:22
  Static task: static1
General
  Target: 2pepmrlmy0x0.exe
  Size: 14.3MB
  MD5: ab72e8b99c9274312b59d887842170ec
  SHA1: 0a01e7f3520be3834e0669d2ce139e5aee667ba6
  SHA256: 899114d9c98d45ee0d715190897c4bab7e9fef5c3bade2330020dd243cd04ce9
  SHA512: 0b4cb9dd74f70906c3e52dd0c18065d3ece34da536a6555264e7bee136ff47ba3a5da36fbd794b79b14d7073b7c60dadc8013514ebb61aacfe00abe01aaf2cec
  SSDEEP: 393216:KM+wSvBVMRNEe5khbrHQmNJPCtqwZukp8znE:KM+3BiNEVtHvgqTkpmE
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs  2 IoCs
  description  ioc                                          Process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  2pepmrlmy0x0.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  2pepmrlmy0x0.exe

Checks BIOS information in registry  2 TTPs  4 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                          Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  2pepmrlmy0x0.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   2pepmrlmy0x0.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  2pepmrlmy0x0.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   2pepmrlmy0x0.exe

Checks computer location settings  2 TTPs  1 IoCs
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                Process
  Key value queried  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  ldrupd.bin

Deletes itself  1 IoCs
  pid   Process
  3652  ldrupd.bin

Executes dropped EXE  2 IoCs
  pid   Process
  3652  ldrupd.bin
  2028  2pepmrlmy0x0.exe
Checks installed software on the system  1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled  2 IoCs
  description        ioc                                                                       Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  2pepmrlmy0x0.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  2pepmrlmy0x0.exe
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam  1 IoCs
  pid   Process
  2028  2pepmrlmy0x0.exe

Suspicious use of AdjustPrivilegeToken  2 IoCs
  description                          pid   Process
  Token: SeSystemEnvironmentPrivilege  1948  2pepmrlmy0x0.exe
  Token: SeSystemEnvironmentPrivilege  2028  2pepmrlmy0x0.exe

Suspicious use of SetWindowsHookEx  2 IoCs
  pid   Process
  2028  2pepmrlmy0x0.exe
  2028  2pepmrlmy0x0.exe

Suspicious use of WriteProcessMemory  16 IoCs
  description                         pid   Process           procid_target
  PID 1948 wrote to memory of 4972    1948  2pepmrlmy0x0.exe  88
  PID 1948 wrote to memory of 4972    1948  2pepmrlmy0x0.exe  88
  PID 1948 wrote to memory of 4972    1948  2pepmrlmy0x0.exe  88
  PID 1948 wrote to memory of 4892    1948  2pepmrlmy0x0.exe  90
  PID 1948 wrote to memory of 4892    1948  2pepmrlmy0x0.exe  90
  PID 1948 wrote to memory of 4892    1948  2pepmrlmy0x0.exe  90
  PID 1948 wrote to memory of 3652    1948  2pepmrlmy0x0.exe  91
  PID 1948 wrote to memory of 3652    1948  2pepmrlmy0x0.exe  91
  PID 3652 wrote to memory of 2028    3652  ldrupd.bin        92
  PID 3652 wrote to memory of 2028    3652  ldrupd.bin        92
  PID 2028 wrote to memory of 4340    2028  2pepmrlmy0x0.exe  96
  PID 2028 wrote to memory of 4340    2028  2pepmrlmy0x0.exe  96
  PID 2028 wrote to memory of 4340    2028  2pepmrlmy0x0.exe  96
  PID 2028 wrote to memory of 876     2028  2pepmrlmy0x0.exe  97
  PID 2028 wrote to memory of 876     2028  2pepmrlmy0x0.exe  97
  PID 2028 wrote to memory of 876     2028  2pepmrlmy0x0.exe  97
Processes
  C:\Users\Admin\AppData\Local\Temp\2pepmrlmy0x0.exe  "C:\Users\Admin\AppData\Local\Temp\2pepmrlmy0x0.exe"  PID:1948
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  "C:\Windows\SysWOW64\cmd.exe"  PID:4972
    C:\Windows\SysWOW64\cmd.exe  "C:\Windows\SysWOW64\cmd.exe"  PID:4892
    C:\Users\Admin\AppData\Local\ldrupd.bin  "C:\Users\Admin\AppData\Local\ldrupd.bin"  PID:3652
      - Checks computer location settings
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\2pepmrlmy0x0.exe  "C:\Users\Admin\AppData\Local\Temp\2pepmrlmy0x0.exe"  PID:2028
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\SysWOW64\cmd.exe"  PID:4340
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\SysWOW64\cmd.exe"  PID:876
  C:\Windows\System32\rundll32.exe  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding  PID:1620
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 16.2MB
  MD5: e9ea5a514cb676c11c648404679ce098
  SHA1: c84c9bdce8635aac67d87c7142caaf98928744c1
  SHA256: 7d87db18117d75975f758e9d901426fa1f4365effa2c5529cd3ac60310c1e0c5
  SHA512: 5f04a8b94541518892e072dbdcf7c35360d62f198a7a79fbfcf54ce8648aaa79e0d36ac981d0971d1f551710c0285bfdd56bf2ce6c2f5ac0efbca27abe286509

  Filesize: 3KB
  MD5: a24978a6b77e2cd99823e24c6eb4d055
  SHA1: 05aab593ba8e0c21f2859d04d4810fdd1ce453c3
  SHA256: 80ac94c086eb6e52bc3bbebd86e0795f6cb7476153af0c767b9ae4b7e9931140
  SHA512: 24356ce42d0fd7839166416604fd7bd101cab8754de095676c921bfb664bc110e8a87cb863afefb5fd98450496c1b3e303851943f13a3e19f206350239c2a8db