Analysis
-
max time kernel
131s -
max time network
72s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
28-05-2020 12:16
General
-
Target
apphost1.exe
-
Size
2.8MB
-
MD5
19dbfa49c5ecc6054420a62f7fd890d6
-
SHA1
8a1aeb1445917ae186ff09932085b18564d08187
-
SHA256
608097b33943a9a4b14bee255680724f2fe830474766fe6462ccfffaefd517cf
-
SHA512
5bd992dbfdbe4faf922cef59aed28a37cfa111ac6cc568ac881a6288520e34353ba30a399096f10b1c93d80ec51de382976103b676a4f32a86343c101cdb7b21
Score
9/10
Malware Config
Signatures
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
VMProtect packed file 1 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Loads dropped DLL 1 IoCs
-
Program crash 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes
-
C:\Users\Admin\AppData\Local\Temp\apphost1.exe"C:\Users\Admin\AppData\Local\Temp\apphost1.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks whether UAC is enabled
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Loads dropped DLL
- Checks BIOS information in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 18482⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Program crash
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB