Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
01-07-2024 00:36
General
-
Target
9c15135aa3b66b89f5070a049524fd93111390cc470a667a7d0de6bcca33762b.exe
-
Size
2.6MB
-
MD5
c7c411d41a330167ac7abaa2137b4c53
-
SHA1
3e62689f23ae159b6cf3547fbaaffd425444a653
-
SHA256
9c15135aa3b66b89f5070a049524fd93111390cc470a667a7d0de6bcca33762b
-
SHA512
61a3cf287a61526ca8381cf693b0b3ba6dc8478b0c77f24776eab07244e1b13976688efb3f744cfa64020fcda9e7ea0165679eb97015330cc31e8804346a03a1
-
SSDEEP
49152:+XzhpDtKSK1cb8PGK+Tfuqmpc3elWo8GnQAsYZEVX:+XzhW148Pd+Tf1mpcOldJQ3/VX
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Detects executables packed with Themida 17 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 4 IoCs
-
Themida packer 17 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 5 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Drops file in Windows directory 4 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c15135aa3b66b89f5070a049524fd93111390cc470a667a7d0de6bcca33762b.exe"C:\Users\Admin\AppData\Local\Temp\9c15135aa3b66b89f5070a049524fd93111390cc470a667a7d0de6bcca33762b.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:39 /f5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:40 /f5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:41 /f5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Resources\Themes\explorer.exeFilesize
2.6MB
MD5d6d7e32d80eebd2f70085cbd597cbff8
SHA1b6127656e400d8a55b05e0465292a66612a22bf7
SHA256d1e9d2311676c05cfbf25ffb77710e14db2a71a675eae1d483804c2af903c01b
SHA512609ca32f6f515e0834eea954261bf3bed32e394e04eb9a37fdd5fae2e176d42c3d882ee993a0d2e5e0caf33df59f78dcde20951185f71d5d878252fda881595b
-
C:\Windows\Resources\spoolsv.exeFilesize
2.6MB
MD5b4cf877e1c909ad2e3222c19608f582e
SHA15a98dc97424b3d1ddde1dd84ab22a8f326979f19
SHA256d166feb8d24ddcc8f58ad6b9c5c008c9b06b47fcdedd11da7cb20f2a8a1d2119
SHA512be2cdb7cf0fb74c1c232179577e9b1575698d56a874ff2195582184e6d3ded175e79c195d3842bad3a6414046b7d07ca0f9490fe9c56ac6ed1255f6dba105c1c
-
\Windows\Resources\svchost.exeFilesize
2.6MB
MD531b71ae390f245e2dfa9a258e09ba483
SHA14b9ccb7245df5107cfc9c091814ef551c2b7fe47
SHA256b99c54ca5e5a6b14d7e64d137f59c522cb9aaa0e3a616de0ad9010577af45a04
SHA512bdc2fd9447f441a65fff8ad6548b515381230f9e581582d1130ee259a6d7ae910d8e780ea8ee923ef101013e1e0babac286a815b8189346f3b6b367dfed26d22
-
memory/1624-52-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/1624-12-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/1624-66-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/1624-62-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/1624-58-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/1624-53-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/1624-54-0x0000000003850000-0x0000000003E66000-memory.dmpFilesize
6.1MB
-
memory/2380-50-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2380-34-0x0000000003700000-0x0000000003D16000-memory.dmpFilesize
6.1MB
-
memory/2380-23-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2740-42-0x0000000003400000-0x0000000003A16000-memory.dmpFilesize
6.1MB
-
memory/2740-35-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2740-55-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2804-51-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2804-0-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2804-1-0x00000000770B0000-0x00000000770B2000-memory.dmpFilesize
8KB
-
memory/2804-11-0x00000000038A0000-0x0000000003EB6000-memory.dmpFilesize
6.1MB
-
memory/2808-43-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2808-49-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB