Analysis

Max time kernel: 10s
Max time network: 112s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 05-03-2021 18:22

Tasks:
  Static task: static1
  Behavioral task: behavioral1 (Sample: Build.exe, Resource: win7v20201028)
  0 signatures, 0 seconds
General

Target: Build.exe
Size: 3.4MB
MD5: 74b5bc34a2b3c3dd453560ee4bcb136a
SHA1: c86f8b33e5852b986b41318205e18caf7d0e7f30
SHA256: c3ee35c8830cb3f6083fe15cd7325e14edbf77880b227473b6c3e39999b41493
SHA512: fb68159225c3c518305413ef483765d063be7367f4c43bd08f11ea1d4d50fa1360407050aaf9792788f1391bae1ba389d9ad642a2a2d711af407006e813a9211
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)   2 TTPs

Checks BIOS information in registry   2 TTPs, 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  process     description         ioc
  Build.exe   Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Build.exe   Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Themida packer (YARA rule: themida)
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/4640-4-0x0000000000B80000-0x0000000000B81000-memory.dmp    themida
  behavioral2/memory/4204-10-0x00000000046F0000-0x00000000046F1000-memory.dmp   themida

Checks whether UAC is enabled
Processes:
  process     description         ioc
  Build.exe   Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
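The two registry reads attributed to Build.exe above (the SystemBiosVersion and VideoBiosVersion values under HARDWARE\DESCRIPTION\System, and the EnableLUA policy value) are the raw material of a typical anti-sandbox decision. The following script is an added example, not code from the sandbox report or from the sample: it models how such a check is usually evaluated (case-insensitive substring matching of the BIOS strings against hypervisor vendor markers, plus the UAC flag), and can read the live values with winreg when run on a Windows analysis VM to see whether the VM is fingerprintable this way. The marker list and the sample registry data are assumptions; the report only shows that the values were read, not what Build.exe compares them against.

```python
"""Model of the two registry-based environment checks seen in the report.

Added example. VM_MARKERS and the SAMPLE_* data are assumptions, not values
taken from the sandbox report or recovered from Build.exe.
"""
import sys
from typing import Mapping, Sequence, Union

RegValue = Union[str, int, Sequence[str], None]

# Registry locations the report shows Build.exe querying (from the page).
BIOS_KEY = r"HARDWARE\DESCRIPTION\System"
BIOS_VALUES = ("SystemBiosVersion", "VideoBiosVersion")
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUE = "EnableLUA"

# Substrings that public anti-VM code commonly looks for in BIOS strings.
# Assumption: the report does not say what Build.exe compares the values to.
VM_MARKERS = ("VBOX", "VIRTUALBOX", "INNOTEK", "VMWARE", "QEMU", "BOCHS",
              "XEN", "PARALLELS", "HYPER-V")


def _as_strings(value: RegValue):
    """Normalise registry data: REG_MULTI_SZ arrives as a list, REG_SZ as str."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]


def vm_markers(bios_values: Mapping[str, RegValue]):
    """Return the sorted VM markers found in SystemBiosVersion/VideoBiosVersion.

    An empty list means the BIOS strings look like bare metal (or a VM whose
    BIOS strings were patched before analysis).
    """
    found = set()
    for name in BIOS_VALUES:
        for s in _as_strings(bios_values.get(name)):
            upper = s.upper()
            found.update(m for m in VM_MARKERS if m in upper)
    return sorted(found)


def uac_enabled(policy_values: Mapping[str, RegValue]):
    """EnableLUA is a REG_DWORD: True if non-zero, False if 0, None if absent."""
    v = policy_values.get(UAC_VALUE)
    if v is None:
        return None
    return int(v) != 0


def assess(bios_values, policy_values):
    """Combine both reads the way an anti-analysis routine would before running."""
    markers = vm_markers(bios_values)
    return {
        "looks_virtualised": bool(markers),
        "vm_markers": markers,
        "uac_enabled": uac_enabled(policy_values),
    }


def read_live():
    """Read the same values from the local registry. Windows only (winreg)."""
    import winreg  # imported here so the module still loads on non-Windows hosts

    def read_key(path, names):
        out = {}
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
            for n in names:
                try:
                    out[n] = winreg.QueryValueEx(k, n)[0]
                except FileNotFoundError:
                    out[n] = None
        return out

    return assess(read_key(BIOS_KEY, BIOS_VALUES), read_key(UAC_KEY, (UAC_VALUE,)))


# Constructed sample data (not from the report), modelled on typical guests.
SAMPLE_VBOX_BIOS = {
    "SystemBiosVersion": ["VBOX   - 1"],
    "VideoBiosVersion": ["Oracle VM VirtualBox VESA BIOS"],
}
SAMPLE_METAL_BIOS = {
    "SystemBiosVersion": ["DELL   - 1072009", "1.14.0"],
    "VideoBiosVersion": None,
}
SAMPLE_POLICY_UAC_ON = {"EnableLUA": 1}
SAMPLE_POLICY_UAC_OFF = {"EnableLUA": 0}

if __name__ == "__main__":
    if sys.platform == "win32":
        print("live host:", read_live())
    print("constructed VirtualBox guest:", assess(SAMPLE_VBOX_BIOS, SAMPLE_POLICY_UAC_ON))
    print("constructed bare metal:", assess(SAMPLE_METAL_BIOS, SAMPLE_POLICY_UAC_OFF))
```

Running it inside the analysis VM shows which marker the guest leaks; if vm_markers() returns anything, the BIOS strings are the first thing to patch (or to intercept with a registry-read hook) before resubmitting a Themida-protected sample that crashes early.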
Suspicious use of NtSetInformationThreadHideFromDebugger   1 IoC
Processes:
  pid    process
  4640   Build.exe

Program crash   1 IoC
Processes:
  pid    process        pid_target   target process
  4204   WerFault.exe   4640         Build.exe

Suspicious behavior: EnumeratesProcesses   15 IoCs
Processes:
  pid    process        occurrences
  4640   Build.exe      1
  4204   WerFault.exe   14

Suspicious use of AdjustPrivilegeToken   4 IoCs
Processes:
  description                 pid    process
  Token: SeDebugPrivilege     4640   Build.exe
  Token: SeRestorePrivilege   4204   WerFault.exe
  Token: SeBackupPrivilege    4204   WerFault.exe
  Token: SeDebugPrivilege     4204   WerFault.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Build.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Build.exe"
  PID: 4640
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe (child of PID 4640)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1860
    PID: 4204
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken