Analysis
max time kernel: 150s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 19:18
Behavioral task: behavioral1
Sample: 06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe
Resource: win10v2004-20241007-en
General
Target: 06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe
Size: 2.6MB
MD5: 7e836a7d8467c672e61bdb89220e9d82
SHA1: ac43f7879f0fdc8d160654073289468e1b270eb7
SHA256: 06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54
SHA512: 876397e6ab0a02397c7142f4570055137a737bf66bab6311d8aa2c17fc52bb7de4b368b508ca3fbd536f11ea921f699e3d7c9483ca0fe5bb6723d1332dc58beb
SSDEEP: 49152:ly5IvAG44oOCdcSzNIJG70V6Do4yV/5mc5aNZJ350zg5bEJ60IZGnpw/YW:ly5G4DOT5JGIVzh/5aZX0zgd0IZGpwR
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe |
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorer.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svchost.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe |
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorer.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe |
Executes dropped EXE 4 IoCs
| pid | Process |
| --- | --- |
| 2116 | explorer.exe |
| 2424 | spoolsv.exe |
| 2964 | svchost.exe |
| 2888 | spoolsv.exe |
Loads dropped DLL 4 IoCs
| pid | Process |
| --- | --- |
| 2412 | 06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe |
| 2116 | explorer.exe |
| 2424 | spoolsv.exe |
| 2964 | svchost.exe |

Yara rule matches (themida) 20 IoCs
| resource | yara_rule |
| --- | --- |
| behavioral1/memory/2412-0-0x0000000000400000-0x0000000000A13000-memory.dmp | themida |
| behavioral1/files/0x0009000000016d0c-7.dat | themida |
| behavioral1/memory/2116-11-0x0000000000400000-0x0000000000A13000-memory.dmp | themida |
| behavioral1/files/0x0008000000016d1c-17.dat | themida |
| behavioral1/memory/2116-22-0x0000000003460000-0x0000000003A73000-memory.dmp | themida |
| behavioral1/memory/2424-23-0x0000000000400000-0x0000000000A13000-memory.dmp | themida |
| behavioral1/files/0x000a000000016d3f-30.dat | themida |
| behavioral1/memory/2964-41-0x0000000000400000-0x0000000000A13000-memory.dmp | themida |
| behavioral1/memory/2412-42-0x0000000000400000-0x0000000000A13000-memory.dmp | themida |
| behavioral1/memory/2888-43-0x0000000000400000-0x0000000000A13000-memory.dmp | themida |
| behavioral1/memory/2888-48-0x0000000000400000-0x0000000000A13000-memory.dmp | themida |
| behavioral1/memory/2424-50-0x0000000000400000-0x0000000000A13000-memory.dmp | themida |
| behavioral1/memory/2412-52-0x0000000000400000-0x0000000000A13000-memory.dmp | themida |
| behavioral1/memory/2116-53-0x0000000000400000-0x0000000000A13000-memory.dmp | themida |
| behavioral1/memory/2116-55-0x0000000000400000-0x0000000000A13000-memory.dmp | themida |
| behavioral1/memory/2964-56-0x0000000000400000-0x0000000000A13000-memory.dmp | themida |
| behavioral1/memory/2116-64-0x0000000000400000-0x0000000000A13000-memory.dmp | themida |
| behavioral1/memory/2964-67-0x0000000000400000-0x0000000000A13000-memory.dmp | themida |
| behavioral1/memory/2116-68-0x0000000000400000-0x0000000000A13000-memory.dmp | themida |
| behavioral1/memory/2116-80-0x0000000000400000-0x0000000000A13000-memory.dmp | themida |
Adds Run key to start application 2 TTPs 4 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe |

Checks whether UAC is enabled 5 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe |
Drops file in System32 directory 2 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe |
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
| pid | Process |
| --- | --- |
| 2412 | 06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe |
| 2116 | explorer.exe |
| 2424 | spoolsv.exe |
| 2964 | svchost.exe |
| 2888 | spoolsv.exe |
Drops file in Windows directory 4 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe |
| File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe |
| File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe |
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe |
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
| pid | Process |
| --- | --- |
| 2124 | schtasks.exe |
| 2860 | schtasks.exe |
| 1272 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses 64 IoCs
(repeated entries for the same pid collapsed; the 64 events come from these three processes)
| pid | Process |
| --- | --- |
| 2412 | 06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe |
| 2116 | explorer.exe |
| 2964 | svchost.exe |
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
| pid | Process |
| --- | --- |
| 2964 | svchost.exe |
| 2116 | explorer.exe |
Suspicious use of SetWindowsHookEx 10 IoCs
(each pid appears twice in the report)
| pid | Process |
| --- | --- |
| 2412 | 06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe |
| 2116 | explorer.exe |
| 2424 | spoolsv.exe |
| 2964 | svchost.exe |
| 2888 | spoolsv.exe |
Suspicious use of WriteProcessMemory 32 IoCs
(each of the 8 parent/child pairs below is recorded 4 times in the report)
| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2412 wrote to memory of 2116 | 2412 | 06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe | 29 |
| PID 2116 wrote to memory of 2424 | 2116 | explorer.exe | 30 |
| PID 2424 wrote to memory of 2964 | 2424 | spoolsv.exe | 31 |
| PID 2964 wrote to memory of 2888 | 2964 | svchost.exe | 32 |
| PID 2116 wrote to memory of 2716 | 2116 | explorer.exe | 33 |
| PID 2964 wrote to memory of 2860 | 2964 | svchost.exe | 34 |
| PID 2964 wrote to memory of 1272 | 2964 | svchost.exe | 37 |
| PID 2964 wrote to memory of 2124 | 2964 | svchost.exe | 39 |
Processes
(nesting depth as in the report: 1 = submitted sample, each further level is a child process)

Depth 1: C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe"
PID: 2412
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  Depth 2: \??\c:\windows\resources\themes\explorer.exe
  Command line: c:\windows\resources\themes\explorer.exe
  PID: 2116
  - Modifies visibility of hidden/system files in Explorer
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    Depth 3: \??\c:\windows\resources\spoolsv.exe
    Command line: c:\windows\resources\spoolsv.exe SE
    PID: 2424
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      Depth 4: \??\c:\windows\resources\svchost.exe
      Command line: c:\windows\resources\svchost.exe
      PID: 2964
      - Modifies visibility of hidden/system files in Explorer
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        Depth 5: \??\c:\windows\resources\spoolsv.exe
        Command line: c:\windows\resources\spoolsv.exe PR
        PID: 2888
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

        Depth 5: C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:20 /f
        PID: 2860
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

        Depth 5: C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:21 /f
        PID: 1272
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

        Depth 5: C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:22 /f
        PID: 2124
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

    Depth 3: C:\Windows\Explorer.exe
    Command line: C:\Windows\Explorer.exe
    PID: 2716
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Hide Artifacts (1): Hidden Files and Directories (1)
- Modify Registry (2)
- Virtualization/Sandbox Evasion (1)
Downloads