Analysis

  • max time kernel
    140s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-10-2024 00:42

General

  • Target

    0BzMzlmT.exe

  • Size

    27.9MB

  • MD5

    34e055a67b10a1a14994b6b3457698e2

  • SHA1

    6b299dca56f55a0656b23fd035f4353dc049343a

  • SHA256

    01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09

  • SHA512

    8437dde18940cf8197d25f729bbaaf0803b81ffa1ed13128c91e6e3a65f01fc8253a19badc6e71c187928832dbabb03cf45ddc392e19e4c5dc6f741ada13d218

  • SSDEEP

    786432:PPhOXo+/5eJC7HRCyM1yMRUEvTHBfBRcda3:3AY+/4JOlQ7PRco3

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Boot or Logon Autostart Execution: Time Providers 1 TTPs 24 IoCs

    The Windows Time service (W32Time) enables time synchronization across and within domains.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • System Time Discovery 1 TTPs 6 IoCs

    Adversary may gather the system time and/or time zone settings from a local or remote system.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe
    "C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Remove-Item 'C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe.bak' -force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
    • C:\Windows\system32\net.exe
      net stop w32time
      2⤵
      • System Time Discovery
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop w32time
        3⤵
        • System Time Discovery
        PID:2580
    • C:\Windows\system32\w32tm.exe
      w32tm /unregister
      2⤵
      PID:2808
    • C:\Windows\system32\w32tm.exe
      w32tm /register
      2⤵
      • Server Software Component: Terminal Services DLL
      • Boot or Logon Autostart Execution: Time Providers
      PID:2564
    • C:\Windows\system32\net.exe
      net start w32time
      2⤵
      • System Time Discovery
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 start w32time
        3⤵
        • System Time Discovery
        PID:376
    • C:\Windows\System32\Wbem\wmic.exe
      wmic cpu get VirtualizationFirmwareEnabled
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "confirm-securebootuefi"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2372
    • C:\Windows\system32\w32tm.exe
      w32tm /resync /force
      2⤵
      PID:1500
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "$env:firmware_type"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "Get-WmiObject -Namespace 'Root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1764
    • C:\Windows\system32\net.exe
      net stop w32time
      2⤵
      • System Time Discovery
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop w32time
        3⤵
        • System Time Discovery
        PID:1748
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3028 -s 856
      2⤵
      PID:1028

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 2e67f962576bb2d759848e5a9049ad78
    SHA1: 1b9f514582432f318b4c861dadbd25b881bbdb4c
    SHA256: 3d8a2ca80738bd785f68869b468bfa6fd50359f0b92c59a5bb095c431394d32b
    SHA512: 62d81c3f29c507071c907611e891e29ef0182c3e267f7a9684ed6cde62cc106e95055e754c364b42928f8967bd83daca9aa8e472bc99d4dda171a23f525b0947
  • memory/2372-43-0x0000000002960000-0x0000000002968000-memory.dmp
    Filesize: 32KB
  • memory/2372-38-0x000000001B590000-0x000000001B872000-memory.dmp
    Filesize: 2.9MB
  • memory/2888-12-0x00000000022C0000-0x00000000022C8000-memory.dmp
    Filesize: 32KB
  • memory/2888-10-0x0000000077390000-0x0000000077539000-memory.dmp
    Filesize: 1.7MB
  • memory/2888-11-0x000000001B4F0000-0x000000001B7D2000-memory.dmp
    Filesize: 2.9MB
  • memory/2888-14-0x0000000077390000-0x0000000077539000-memory.dmp
    Filesize: 1.7MB
  • memory/3028-4-0x0000000140000000-0x000000014325E000-memory.dmp
    Filesize: 50.4MB
  • memory/3028-0-0x00000000773E0000-0x00000000773E2000-memory.dmp
    Filesize: 8KB
  • memory/3028-13-0x0000000140000000-0x000000014325E000-memory.dmp
    Filesize: 50.4MB
  • memory/3028-21-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp
    Filesize: 64KB
  • memory/3028-5-0x0000000140000000-0x000000014325E000-memory.dmp
    Filesize: 50.4MB
  • memory/3028-2-0x0000000140000000-0x000000014325E000-memory.dmp
    Filesize: 50.4MB
  • memory/3028-3-0x0000000140000000-0x000000014325E000-memory.dmp
    Filesize: 50.4MB
  • memory/3028-1-0x0000000140000000-0x000000014325E000-memory.dmp
    Filesize: 50.4MB
  • memory/3028-49-0x0000000140000000-0x000000014325E000-memory.dmp
    Filesize: 50.4MB