Resubmissions
17-01-2025 20:14
250117-yz7h3s1qfw 1017-01-2025 20:12
250117-yy9l2sslcr 1017-01-2025 17:25
250117-vy9p9sxpez 1017-01-2025 17:21
250117-vw8eesyjfp 1017-01-2025 14:16
250117-rk9ass1rhk 1017-01-2025 14:12
250117-rhv1ds1lds 1016-01-2025 12:52
250116-p4et7a1mez 1016-01-2025 12:50
250116-p29xjssjep 10Analysis
-
max time kernel
900s -
max time network
450s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
16-01-2025 12:50
General
-
Target
Malware-1-master/mo332.exe
-
Size
14.0MB
-
MD5
552326e3f16df1857e7918a569dcca50
-
SHA1
3a3fd7027c65c75b3e8930535b27e29b4681814c
-
SHA256
f5d20a2ef757dd374b1651a955a80113b33b87578e3484fd3589565d296d55cc
-
SHA512
a3d00cc28de8131484ebe29d1addfc9e27c9e782a6ec07bee2a19c88ee3afe0f867f8c0c933b6a83946266d46606483d87c8d57b5679cafeeae09eeae1ba41f3
-
SSDEEP
196608:OSfbf3vp28hgy4ohRID4CUAq52Zdm4nKJJmbmChthPtbSttLPSwYJQ:ffT3XhgQRI8C82ZP+MblGttLSpJQ
Malware Config
Signatures
-
UAC bypass 3 TTPs 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 3 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Windows directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\mo332.exe"C:\Users\Admin\AppData\Local\Temp\Malware-1-master\mo332.exe"1⤵
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\obuzanle\qgqupnsjzz.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\obuzanle\qgqupnsjzz.exeC:\Windows\obuzanle\qgqupnsjzz.exe3⤵
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\PLA\userplus.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\PLA\userplus.exeC:\Windows\PLA\userplus.exe5⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 18884⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Malware-1-master\mokill.bat" "2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3428 -ip 34281⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD52db7a58f4892054c7077dab88fd68b86
SHA1acf198a9160a872bc8633fc9185ad317e69bf2a4
SHA25601701b302ab45f11729fac64ba33cd7b53abbc94963578d9813a1f5848e75618
SHA51201926e211445f72f6637f7be04af33339f4acd78b3d2e8f4b6b4e0c28ea6c2662ea0aec976cc8a4f875ab1d12ca20eec7ebf59fe3704f76dc4adac3a0766511c
-
Filesize
233B
MD5d0d780da4a079ec4b25ea31cbe7fafff
SHA155010d852ff80dc34dac1f6bb606d6b0693f9ce2
SHA2562b5053f22f1696811156f544b57813b671d079c85e2c081691a1e9ee343eadc1
SHA5123e65cc88a0445250fe58203e0a85e1801f469d308a03579e1fd4f4c8184f090c505f5da6744895975a9efdaf56dec2eaa66dff43f5132228e980d0ff7e6c56d9
-
Filesize
50B
MD545218adff3ea5bde8a8f61987f0f458b
SHA1cf7fffa410795cc2f7703755f0acd17b51a44ad7
SHA256f95361b82464704675f559b13c007c9567e5914984042f537122383e747194d4
SHA5128442cac48931075ec5bd31ea82faffc4f64d7b6845d5c477d06fc3d7eefeac1fa366b6880a85709a520a343b5dd3771e69bc4b7482cde50e69e04215927a2018
-
Filesize
2.3MB
MD5336cd9b9a8f4ce243c889407bcdcfa21
SHA14acf0664e7df5c87f9387bc7243b57050d7ce143
SHA256c17d51aac55953b4ca8b3d8c4725528e1eef8f53ac78bd9bdda512daeb1cc3da
SHA512033dd5bf02801ad34e6ea9b5571e9af74f5dc9e0aaf3b9f958a3052b0a579581da857269ddba3dd74f53e251dbcad396fba35ae5b4ae2d72e6e481b6eaa79fd0
-
Filesize
4KB
MD561830234ea9c313c27d2891f333328f9
SHA195cc2252ea481dc7d54838cd67e35e387bc8eb79
SHA256984f780ecbc97d108c0591f10acfb64866de14024626f07467d6c2d5156ed881
SHA512dcce834d90c3fc9d25a5d2727d54e669b65629ffc84fc15b6fadac1b2534cd32d8b006afc086748b2a5d430ddfa95494561c5b2e7bd8d1ff3620e56fccebb921
-
Filesize
4KB
MD5c685dc1895bf128edc1c815ddc8d245b
SHA17d55c48b38844385ab3134bc60a88c4ba619b4bb
SHA256083d4167ddbdcaddb02d6445447ec5604c5cab3ed39b105780287913aa553417
SHA512ca9afa2c8b0fb9573dcb3d15e4d09890fcba0b5808de36309783436fb7d8303f95776dfc30930bc4993defb955e5c83e322f3a934351dd73434edb33a7717751
-
Filesize
6.7MB
MD59f1facb9f7dd07342a07b0856c5b48f2
SHA144a23fe809534a90b31ac0c290aee432edc542c2
SHA256afbfdbfdda5fd42a6b4ea7b37f7222651e5461d8138355b9b233eba26766fa58
SHA512868371102c2f4559b5316d85ce6ce197ad60566c9ea81c47707e57b64c5c2c5a18615d9918fee1fc1250996b86ba0a375bfa896f0b3145e9d451de046256745f
-
Filesize
100KB
MD5ca43974f638606af7259397a344e0434
SHA102b7cf6e2a7fd77f619e27c7584180a950aa7fe8
SHA2564f394c128557a3f05c817aae8ddd005e2f462b298b858b1d49277fe574ce6752
SHA512ab986229c156f1404895983399c64513cc13be3083309b9b61413024922fbf3322e203184e19bb5090c78b813a28362d345a1cb229e61e67d91dd803512a4786
-
Filesize
67KB
MD5b1a562ae50903a943e6e0884a7c3aa28
SHA157fcd5de222c7f99bd82372056127841fbc80e6e
SHA2568402155eb3a3fb0fdc7ce7bbea87e8a59d81ae03e46d5d2ff041663d7051d3fc
SHA512a1b7bcce916e80c2cf83029471f665bb0dfe411341c1817a0a3b0bdc758f24a45676b2b000890578320cbb6c4457ed23535188cff2d7fddcacedebcd8a414dab
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.7MB
-
Filesize
160KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.7MB
-
Filesize
9.7MB
-
Filesize
9.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
64KB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB