Analysis

  • max time kernel
    7s
  • max time network
    10s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 20:02

General

  • Target

    SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe

  • Size

    3.4MB

  • MD5

    ca34ecc57bbde323ee50484654a0964b

  • SHA1

    419b3bd758d1226b25e54b1bbfc679b5ede0c56b

  • SHA256

    d1eb54cb3aa9ba1fc585cf676c4a814b11786b962da1b1959768794d281084ab

  • SHA512

    20eb4460bbaef8236c70e26ad58b70e9b4ce7202f18c234e5d4b52cb1577c32c134e8453c73bffd0156b28d129137eddcf7eac6abd428cb77302b4bb1a4d29cd

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • themida 1 IoCs

    Detects Themida, Advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C taskkill /F /PID 1732 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 1732
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1648
      • C:\Windows\SysWOW64\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
          PID:1472

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1732-1-0x00000000748A0000-0x0000000074F8E000-memory.dmp

      Filesize

      6.9MB

    • memory/1732-2-0x0000000000A70000-0x0000000000A71000-memory.dmp

      Filesize

      4KB