Overview

overview

9

Static

static

3

SimpleToolZ.exe

windows10-2004-x64

Analysis

  • max time kernel
    7s
  • max time network
    55s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 03:10

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    SimpleToolZ.exe

  • Size

    56.5MB

  • MD5

    d096ccc62bc5ca43fdaecdeb60579aaf

  • SHA1

    ec7ea18a482a749f7d0c02a3e7c0c695ce28b74e

  • SHA256

    b8b9a275dd7074b5169977ea5e71d0399845e88408d94b71878a7950d926c316

  • SHA512

    006bd3eca1a2d6b16ffd1cb46e0066756eb57abb9b618454a186b1d1fd237bfed23c0bfe197ada61520a9d5e98b2bf360beb528a46687ae5e3c9da60ccd923b2

  • SSDEEP

    1572864:amKm5eNXA90p2N+iUgK1EEZBplhSwPTMSnhXQYoeQBPd:t5ec6C+imvrM0QYoeu1

Score
9/10
evasionexecutionpersistencetrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Power Settings 1 TTPs 2 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SimpleToolZ.exe
    "C:\Users\Admin\AppData\Local\Temp\SimpleToolZ.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1012
    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      2⤵
        PID:3248
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C Powercfg -h off
          3⤵
          • Power Settings
          PID:4784
          • C:\Windows\system32\powercfg.exe
            Powercfg -h off
            4⤵
            • Power Settings
            PID:2324
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell "Confirm-SecureBootUEFI" > C:\secureboot_status.txt
          3⤵
            PID:4464
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell "Confirm-SecureBootUEFI"
              4⤵
                PID:4088
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              3⤵
                PID:1180
                • C:\Windows\System32\reg.exe
                  C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                  4⤵
                  • Modifies registry key
                  PID:4880
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
                3⤵
                  PID:4380
                  • C:\Windows\system32\sc.exe
                    sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
                    4⤵
                    • Launches sc.exe
                    PID:3632
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C sc start windowsproc
                  3⤵
                    PID:4988
                    • C:\Windows\system32\sc.exe
                      sc start windowsproc
                      4⤵
                      • Launches sc.exe
                      PID:1980

              Network

              MITRE ATT&CK Matrix

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_icstfdyo.pgp.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899}\favicon1.ico
                Filesize

                244KB

                MD5

                894384c5a192fe45e6d2e29b60a10a11

                SHA1

                56f43d42367b86e439bb640df007649386c5be91

                SHA256

                f0dcfacc6d28747a0ff8c3a9001fe4c7c4c387bd150a82895f8ea21ce201eec8

                SHA512

                95776900db01834bf0652cda1e96cb108c062cf5a71d9d6423b8f601fb116620293738e7ed31dff9886612be099683a9ee1078d5d0c81ec457c629d54960cf14

                Download Submit
              • C:\secureboot_status.txt
                Filesize

                420B

                MD5

                de582b589ac295c03fcf52ca102a28c0

                SHA1

                10cc2b1adb41e11abb33383ab102ff204379afa4

                SHA256

                86aea26372f98f717f138713881a44bdb3b9ac666f70328398ceea2ae15d3c1f

                SHA512

                af023664d90c322d6d2c4cd2988e6a5eb23e4506bec588b9247a4e9f11baf0f21c9941e6dde5e3440719ceb2d2c154c6f853d5082a0f2b7c22c8a50fed0cc81d

                Download Submit
              • memory/1012-0-0x0000000140000000-0x0000000141000000-memory.dmp
                Filesize

                16.0MB

                Download
              • memory/1012-14-0x0000000140000000-0x0000000141000000-memory.dmp
                Filesize

                16.0MB

                Download
              • memory/4088-23-0x0000016856760000-0x0000016856782000-memory.dmp
                Filesize

                136KB

                Download