Analysis
max time kernel: 15s
max time network: 112s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 20:02
Behavioral task
behavioral1
Sample: SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe
Resource: win7v20201028 (windows7_x64)
0 signatures
0 seconds
General
Target: SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe
Size: 3.4MB
MD5: ca34ecc57bbde323ee50484654a0964b
SHA1: 419b3bd758d1226b25e54b1bbfc679b5ede0c56b
SHA256: d1eb54cb3aa9ba1fc585cf676c4a814b11786b962da1b1959768794d281084ab
SHA512: 20eb4460bbaef8236c70e26ad58b70e9b4ce7202f18c234e5d4b52cb1577c32c134e8453c73bffd0156b28d129137eddcf7eac6abd428cb77302b4bb1a4d29cd
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs
- Checks BIOS information in registry | 2 TTPs | 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe
- resource | yara_rule
  behavioral2/memory/3372-2-0x0000000000120000-0x0000000000121000-memory.dmp | themida
- Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger | 1 IoCs
  pid | Process
  3372 | SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe
- Kills process with taskkill | 1 IoCs
  pid | Process
  2684 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken | 2 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 3372 | SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe
  Token: SeDebugPrivilege | 2684 | taskkill.exe
- Suspicious use of WriteProcessMemory | 9 IoCs
  description | pid | Process | procid_target
  PID 3372 wrote to memory of 4052 | 3372 | SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe | 75
  PID 3372 wrote to memory of 4052 | 3372 | SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe | 75
  PID 3372 wrote to memory of 4052 | 3372 | SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe | 75
  PID 4052 wrote to memory of 2684 | 4052 | cmd.exe | 77
  PID 4052 wrote to memory of 2684 | 4052 | cmd.exe | 77
  PID 4052 wrote to memory of 2684 | 4052 | cmd.exe | 77
  PID 4052 wrote to memory of 1448 | 4052 | cmd.exe | 78
  PID 4052 wrote to memory of 1448 | 4052 | cmd.exe | 78
  PID 4052 wrote to memory of 1448 | 4052 | cmd.exe | 78
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3372
  - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C taskkill /F /PID 3372 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Trojan.Fuerboos.2678.exe"
    - Suspicious use of WriteProcessMemory
    PID:4052
    - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /PID 3372
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:2684
    - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      PID:1448