Analysis
max time kernel: 140s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-10-2024 00:42
Behavioral task behavioral1
Sample: 0BzMzlmT.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: 0BzMzlmT.exe
Resource: win10v2004-20241007-en
General
Target: 0BzMzlmT.exe
Size: 27.9MB
MD5: 34e055a67b10a1a14994b6b3457698e2
SHA1: 6b299dca56f55a0656b23fd035f4353dc049343a
SHA256: 01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09
SHA512: 8437dde18940cf8197d25f729bbaaf0803b81ffa1ed13128c91e6e3a65f01fc8253a19badc6e71c187928832dbabb03cf45ddc392e19e4c5dc6f741ada13d218
SSDEEP: 786432:PPhOXo+/5eJC7HRCyM1yMRUEvTHBfBRcda3:3AY+/4JOlQ7PRco3
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 0BzMzlmT.exe

Server Software Component: Terminal Services DLL (1 TTP, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\Parameters\ServiceDll = "C:\\Windows\\system32\\w32time.DLL" | w32tm.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0BzMzlmT.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0BzMzlmT.exe

resource | yara_rule
behavioral1/memory/3028-1-0x0000000140000000-0x000000014325E000-memory.dmp | themida
behavioral1/memory/3028-3-0x0000000140000000-0x000000014325E000-memory.dmp | themida
behavioral1/memory/3028-2-0x0000000140000000-0x000000014325E000-memory.dmp | themida
behavioral1/memory/3028-5-0x0000000140000000-0x000000014325E000-memory.dmp | themida
behavioral1/memory/3028-4-0x0000000140000000-0x000000014325E000-memory.dmp | themida
behavioral1/memory/3028-13-0x0000000140000000-0x000000014325E000-memory.dmp | themida
behavioral1/memory/3028-49-0x0000000140000000-0x000000014325E000-memory.dmp | themida

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 0BzMzlmT.exe
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | Process
3028 | 0BzMzlmT.exe
Boot or Logon Autostart Execution: Time Providers (1 TTP, 24 IoCs)
The Windows Time service (W32Time) enables time synchronization across and within domains.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\VMICTimeProvider\InputProvider = "1" | w32tm.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\DllName = "C:\\Windows\\system32\\w32time.DLL" | w32tm.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\SpecialPollInterval = "604800" | w32tm.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\Enabled = "0" | w32tm.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\Enabled = "1" | w32tm.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMaxTimes = "7" | w32tm.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\CompatibilityFlags = "2147483648" | w32tm.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\EventLogFlags = "0" | w32tm.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\DllName = "C:\\Windows\\system32\\w32time.DLL" | w32tm.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\VMICTimeProvider\DllName = "%SystemRoot%\\System32\\vmictimeprovider.dll" | w32tm.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClient | w32tm.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider\Parameters | w32tm.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\AllowNonstandardModeCombinations = "1" | w32tm.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\AllowNonstandardModeCombinations = "1" | w32tm.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpServer | w32tm.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\InputProvider = "1" | w32tm.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\CrossSiteSyncFlags = "2" | w32tm.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 0000 | w32tm.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\InputProvider = "0" | w32tm.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\VMICTimeProvider\Enabled = "1" | w32tm.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider | w32tm.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMinutes = "15" | w32tm.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\EventLogFlags = "1" | w32tm.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\LargeSampleSkew = "3" | w32tm.exe

Command and Scripting Interpreter: PowerShell
pid | Process
1396 | powershell.exe
1764 | powershell.exe
2372 | powershell.exe
System Time Discovery (1 TTP, 6 IoCs)
Adversary may gather the system time and/or time zone settings from a local or remote system.
pid | Process
1748 | net1.exe
2556 | net.exe
2580 | net1.exe
2476 | net.exe
376 | net1.exe
2860 | net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2888 | powershell.exe
2372 | powershell.exe
1396 | powershell.exe
1764 | powershell.exe
Suspicious use of AdjustPrivilegeToken (44 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2888 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1652 | wmic.exe
Token: SeSecurityPrivilege | 1652 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1652 | wmic.exe
Token: SeLoadDriverPrivilege | 1652 | wmic.exe
Token: SeSystemProfilePrivilege | 1652 | wmic.exe
Token: SeSystemtimePrivilege | 1652 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1652 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1652 | wmic.exe
Token: SeCreatePagefilePrivilege | 1652 | wmic.exe
Token: SeBackupPrivilege | 1652 | wmic.exe
Token: SeRestorePrivilege | 1652 | wmic.exe
Token: SeShutdownPrivilege | 1652 | wmic.exe
Token: SeDebugPrivilege | 1652 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1652 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1652 | wmic.exe
Token: SeUndockPrivilege | 1652 | wmic.exe
Token: SeManageVolumePrivilege | 1652 | wmic.exe
Token: 33 | 1652 | wmic.exe
Token: 34 | 1652 | wmic.exe
Token: 35 | 1652 | wmic.exe
Token: SeDebugPrivilege | 2372 | powershell.exe
Token: SeDebugPrivilege | 1396 | powershell.exe
Token: SeDebugPrivilege | 1764 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1652 | wmic.exe
Token: SeSecurityPrivilege | 1652 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1652 | wmic.exe
Token: SeLoadDriverPrivilege | 1652 | wmic.exe
Token: SeSystemProfilePrivilege | 1652 | wmic.exe
Token: SeSystemtimePrivilege | 1652 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1652 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1652 | wmic.exe
Token: SeCreatePagefilePrivilege | 1652 | wmic.exe
Token: SeBackupPrivilege | 1652 | wmic.exe
Token: SeRestorePrivilege | 1652 | wmic.exe
Token: SeShutdownPrivilege | 1652 | wmic.exe
Token: SeDebugPrivilege | 1652 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1652 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1652 | wmic.exe
Token: SeUndockPrivilege | 1652 | wmic.exe
Token: SeManageVolumePrivilege | 1652 | wmic.exe
Token: 33 | 1652 | wmic.exe
Token: 34 | 1652 | wmic.exe
Token: 35 | 1652 | wmic.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
3028 | 0BzMzlmT.exe

Suspicious use of WriteProcessMemory (45 IoCs)
description | pid | Process | procid_target
PID 3028 wrote to memory of 2888 | 3028 | 0BzMzlmT.exe | 31
PID 3028 wrote to memory of 2888 | 3028 | 0BzMzlmT.exe | 31
PID 3028 wrote to memory of 2888 | 3028 | 0BzMzlmT.exe | 31
PID 3028 wrote to memory of 2556 | 3028 | 0BzMzlmT.exe | 33
PID 3028 wrote to memory of 2556 | 3028 | 0BzMzlmT.exe | 33
PID 3028 wrote to memory of 2556 | 3028 | 0BzMzlmT.exe | 33
PID 2556 wrote to memory of 2580 | 2556 | net.exe | 35
PID 2556 wrote to memory of 2580 | 2556 | net.exe | 35
PID 2556 wrote to memory of 2580 | 2556 | net.exe | 35
PID 3028 wrote to memory of 2808 | 3028 | 0BzMzlmT.exe | 36
PID 3028 wrote to memory of 2808 | 3028 | 0BzMzlmT.exe | 36
PID 3028 wrote to memory of 2808 | 3028 | 0BzMzlmT.exe | 36
PID 3028 wrote to memory of 2564 | 3028 | 0BzMzlmT.exe | 38
PID 3028 wrote to memory of 2564 | 3028 | 0BzMzlmT.exe | 38
PID 3028 wrote to memory of 2564 | 3028 | 0BzMzlmT.exe | 38
PID 3028 wrote to memory of 2476 | 3028 | 0BzMzlmT.exe | 40
PID 3028 wrote to memory of 2476 | 3028 | 0BzMzlmT.exe | 40
PID 3028 wrote to memory of 2476 | 3028 | 0BzMzlmT.exe | 40
PID 3028 wrote to memory of 1652 | 3028 | 0BzMzlmT.exe | 42
PID 3028 wrote to memory of 1652 | 3028 | 0BzMzlmT.exe | 42
PID 3028 wrote to memory of 1652 | 3028 | 0BzMzlmT.exe | 42
PID 3028 wrote to memory of 2372 | 3028 | 0BzMzlmT.exe | 43
PID 3028 wrote to memory of 2372 | 3028 | 0BzMzlmT.exe | 43
PID 3028 wrote to memory of 2372 | 3028 | 0BzMzlmT.exe | 43
PID 2476 wrote to memory of 376 | 2476 | net.exe | 45
PID 2476 wrote to memory of 376 | 2476 | net.exe | 45
PID 2476 wrote to memory of 376 | 2476 | net.exe | 45
PID 3028 wrote to memory of 1500 | 3028 | 0BzMzlmT.exe | 46
PID 3028 wrote to memory of 1500 | 3028 | 0BzMzlmT.exe | 46
PID 3028 wrote to memory of 1500 | 3028 | 0BzMzlmT.exe | 46
PID 3028 wrote to memory of 1396 | 3028 | 0BzMzlmT.exe | 47
PID 3028 wrote to memory of 1396 | 3028 | 0BzMzlmT.exe | 47
PID 3028 wrote to memory of 1396 | 3028 | 0BzMzlmT.exe | 47
PID 3028 wrote to memory of 1764 | 3028 | 0BzMzlmT.exe | 48
PID 3028 wrote to memory of 1764 | 3028 | 0BzMzlmT.exe | 48
PID 3028 wrote to memory of 1764 | 3028 | 0BzMzlmT.exe | 48
PID 3028 wrote to memory of 2860 | 3028 | 0BzMzlmT.exe | 53
PID 3028 wrote to memory of 2860 | 3028 | 0BzMzlmT.exe | 53
PID 3028 wrote to memory of 2860 | 3028 | 0BzMzlmT.exe | 53
PID 2860 wrote to memory of 1748 | 2860 | net.exe | 55
PID 2860 wrote to memory of 1748 | 2860 | net.exe | 55
PID 2860 wrote to memory of 1748 | 2860 | net.exe | 55
PID 3028 wrote to memory of 1028 | 3028 | 0BzMzlmT.exe | 57
PID 3028 wrote to memory of 1028 | 3028 | 0BzMzlmT.exe | 57
PID 3028 wrote to memory of 1028 | 3028 | 0BzMzlmT.exe | 57
Processes
(Child processes are indented under their parent.)

C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe"
  PID: 3028
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -command Remove-Item 'C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe.bak' -force
    PID: 2888
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\net.exe
    Command line: net stop w32time
    PID: 2556
    - System Time Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop w32time
      PID: 2580
      - System Time Discovery

  C:\Windows\system32\w32tm.exe
    Command line: w32tm /unregister
    PID: 2808

  C:\Windows\system32\w32tm.exe
    Command line: w32tm /register
    PID: 2564
    - Server Software Component: Terminal Services DLL
    - Boot or Logon Autostart Execution: Time Providers

  C:\Windows\system32\net.exe
    Command line: net start w32time
    PID: 2476
    - System Time Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 start w32time
      PID: 376
      - System Time Discovery

  C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic cpu get VirtualizationFirmwareEnabled
    PID: 1652
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -command "confirm-securebootuefi"
    PID: 2372
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\w32tm.exe
    Command line: w32tm /resync /force
    PID: 1500

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -command "$env:firmware_type"
    PID: 1396
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -command "Get-WmiObject -Namespace 'Root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm"
    PID: 1764
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\net.exe
    Command line: net stop w32time
    PID: 2860
    - System Time Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop w32time
      PID: 1748
      - System Time Discovery

  C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 3028 -s 856
    PID: 1028
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Time Providers (1)
  Server Software Component (1)
    Terminal Services DLL (1)
Defense Evasion
  Indicator Removal (1)
    File Deletion (1)
  Virtualization/Sandbox Evasion (1)
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 2e67f962576bb2d759848e5a9049ad78
SHA1: 1b9f514582432f318b4c861dadbd25b881bbdb4c
SHA256: 3d8a2ca80738bd785f68869b468bfa6fd50359f0b92c59a5bb095c431394d32b
SHA512: 62d81c3f29c507071c907611e891e29ef0182c3e267f7a9684ed6cde62cc106e95055e754c364b42928f8967bd83daca9aa8e472bc99d4dda171a23f525b0947