Analysis
-
max time kernel
7s -
max time network
10s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
09-11-2020 20:02
Behavioral task
behavioral1
Sample
SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
General
-
Target
SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe
-
Size
3.4MB
-
MD5
ca34ecc57bbde323ee50484654a0964b
-
SHA1
419b3bd758d1226b25e54b1bbfc679b5ede0c56b
-
SHA256
d1eb54cb3aa9ba1fc585cf676c4a814b11786b962da1b1959768794d281084ab
-
SHA512
20eb4460bbaef8236c70e26ad58b70e9b4ce7202f18c234e5d4b52cb1577c32c134e8453c73bffd0156b28d129137eddcf7eac6abd428cb77302b4bb1a4d29cd
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe -
resource yara_rule behavioral1/memory/1732-2-0x0000000000A70000-0x0000000000A71000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1732 SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe -
Kills process with taskkill 1 IoCs
pid Process 1648 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1732 SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe Token: SeDebugPrivilege 1648 taskkill.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1732 wrote to memory of 1428 1732 SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe 29 PID 1732 wrote to memory of 1428 1732 SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe 29 PID 1732 wrote to memory of 1428 1732 SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe 29 PID 1732 wrote to memory of 1428 1732 SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe 29 PID 1428 wrote to memory of 1648 1428 cmd.exe 31 PID 1428 wrote to memory of 1648 1428 cmd.exe 31 PID 1428 wrote to memory of 1648 1428 cmd.exe 31 PID 1428 wrote to memory of 1648 1428 cmd.exe 31 PID 1428 wrote to memory of 1472 1428 cmd.exe 33 PID 1428 wrote to memory of 1472 1428 cmd.exe 33 PID 1428 wrote to memory of 1472 1428 cmd.exe 33 PID 1428 wrote to memory of 1472 1428 cmd.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 1732 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 17323⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1648
-
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵PID:1472
-
-