Analysis Overview
SHA256
c3ee35c8830cb3f6083fe15cd7325e14edbf77880b227473b6c3e39999b41493
Threat Level: Known bad
The file Build.exe was found to be: Known bad.
Malicious Activity Summary
Echelon
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Echelon log file
themida
Reads user/profile data of web browsers
Checks BIOS information in registry
Checks whether UAC is enabled
Checks installed software on the system
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-03-05 18:22
Signatures
themida
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2021-03-05 18:22
Reported
2021-03-05 18:24
Platform
win7v20201028
Max time kernel
28s
Max time network
30s
Command Line
Signatures
Echelon
Echelon log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
Reads user/profile data of web browsers
themida
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
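The two registry reads in the tables above are the checks behind the "Identifies VirtualBox" and "Checks whether UAC is enabled" signatures: SystemBiosVersion and VideoBiosVersion under HKLM\HARDWARE\DESCRIPTION\System carry the firmware strings a VirtualBox guest exposes, and EnableLUA under the Policies\System key is 0 when UAC is switched off. The Python below is an added example written for this page, not code recovered from Build.exe or shipped by the sandbox. It reproduces both checks over constructed registry values and, on a Windows host, reads the live values so an analyst can confirm whether the analysis VM leaks the markers. The marker list (VBOX, VIRTUALBOX, INNOTEK) and the two sample value sets are assumptions of the example.

```python
"""Added example: the BIOS-string and EnableLUA checks from the report,
reproduced over constructed registry values. Not the sample's own code."""
import sys

# Registry locations the report shows Build.exe querying (HKLM hive).
BIOS_KEY = r"HARDWARE\DESCRIPTION\System"
BIOS_VALUES = ("SystemBiosVersion", "VideoBiosVersion")
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Substrings that give away a VirtualBox guest (assumed marker list).
VBOX_MARKERS = ("VBOX", "VIRTUALBOX", "INNOTEK")


def virtualbox_markers(bios_values):
    """Return {value_name: [matched markers]} for values that look like VirtualBox.

    bios_values maps a value name to the list of strings stored in that
    REG_MULTI_SZ value. Matching is a case-insensitive substring test, the
    same loose comparison stealers use.
    """
    hits = {}
    for name, entries in bios_values.items():
        found = sorted({m for e in entries for m in VBOX_MARKERS if m in e.upper()})
        if found:
            hits[name] = found
    return hits


def uac_enabled(enable_lua):
    """EnableLUA == 0 means UAC is off; a missing value (None) means the default, on."""
    return enable_lua is None or int(enable_lua) != 0


def triage(bios_values, enable_lua):
    """What a sample running the report's two checks would conclude about the host."""
    return {
        "virtualbox": bool(virtualbox_markers(bios_values)),
        "uac_enabled": uac_enabled(enable_lua),
    }


def read_live_values():
    """Read the same values from the local registry (Windows only); None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # stdlib, only importable on Windows
    bios = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BIOS_KEY) as key:
        for name in BIOS_VALUES:
            try:
                data, _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue
            bios[name] = data if isinstance(data, list) else [str(data)]
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        try:
            lua, _ = winreg.QueryValueEx(key, "EnableLUA")
        except FileNotFoundError:
            lua = None
    return bios, lua


# Constructed sample: strings an unhardened VirtualBox guest typically exposes.
SAMPLE_VBOX = {
    "SystemBiosVersion": ["VBOX   - 1"],
    "VideoBiosVersion": ["Oracle VM VirtualBox VBE Adapter"],
}
# Constructed sample: a guest whose firmware strings were rewritten before imaging.
SAMPLE_HARDENED = {
    "SystemBiosVersion": ["DELL   - 1072009"],
    "VideoBiosVersion": ["Intel Video BIOS"],
}

if __name__ == "__main__":
    live = read_live_values()
    bios, lua = live if live else (SAMPLE_VBOX, 0)
    print(virtualbox_markers(bios))
    print(triage(bios, lua))
```

Run it inside the analysis VM: a non-empty `virtualbox_markers` result means the image fails the same test the sample ran, and the fix is on the hypervisor side (rewriting the DMI/BIOS strings before the guest boots), not inside the guest. Note that on a 64-bit host a 32-bit sample such as this one reads the same HKLM\HARDWARE values, so there is no WOW64 redirection to account for here.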
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Build.exe
"C:\Users\Admin\AppData\Local\Temp\Build.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.126.66:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | ifreegive.gq | udp |
| N/A | 104.21.78.161:80 | ifreegive.gq | tcp |
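Not every row in the Network table is an indicator. The 8.8.8.8:53 rows are the sandbox's resolver, www.download.windowsupdate.com (and www.msftconnecttest.com in the Windows 10 run below) is the OS talking on its own, and api.ipify.org and ip-api.com are the public IP-lookup services behind the "Looks up external IP address via web service" signature. That leaves ifreegive.gq / 104.21.78.161:80 as the one destination the sample chose for itself. The Python below is an added example for this page, not sandbox or sample code: it parses the table rows from both behavioural runs (copied into the block as constructed input) and separates analysis noise from the destinations worth blocking or hunting. The allow-lists for resolver, OS hosts and IP-lookup services are assumptions to be adjusted per VM image.

```python
"""Added example: split a sandbox Network table into noise and IOCs.
Not part of the original report."""
import ipaddress
import re

# Rows copied from the report's two behavioural Network tables (constructed input).
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.126.66:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | ifreegive.gq | udp |
| N/A | 104.21.78.161:80 | ifreegive.gq | tcp |
| N/A | 8.8.8.8:53 | www.msftconnecttest.com | udp |
| N/A | 13.107.4.52:80 | www.msftconnecttest.com | tcp |
"""

# Hosts the sandbox OS contacts by itself (assumed allow-list; extend per VM image).
OS_NOISE = {"www.download.windowsupdate.com", "www.msftconnecttest.com"}
# Public "what is my IP" services: a discovery behaviour, not C2 infrastructure.
IP_LOOKUP = {"api.ipify.org", "ip-api.com"}
# The sandbox's DNS resolver (assumed).
RESOLVERS = {"8.8.8.8"}

ROW = re.compile(
    r"^\|\s*(?P<country>[^|]*?)\s*\|\s*(?P<dest>[^|]*?)\s*\|"
    r"\s*(?P<domain>[^|]*?)\s*\|\s*(?P<proto>[^|]*?)\s*\|$"
)


def parse_rows(text):
    """Yield one dict per data row of a pipe table, skipping the header."""
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m or m.group("dest") == "Destination":
            continue
        ip, _, port = m.group("dest").rpartition(":")
        ipaddress.ip_address(ip)  # raises ValueError on a malformed row
        yield {"ip": ip, "port": int(port), "domain": m.group("domain"),
               "proto": m.group("proto").lower()}


def classify(row):
    """Label a connection: dns | os_noise | ip_lookup | candidate_c2."""
    if row["proto"] == "udp" and row["port"] == 53 and row["ip"] in RESOLVERS:
        return "dns"
    if row["domain"] in OS_NOISE:
        return "os_noise"
    if row["domain"] in IP_LOOKUP:
        return "ip_lookup"
    return "candidate_c2"


def extract_iocs(text):
    """Return sorted candidate C2 domains and ip:port pairs plus the lookup services used."""
    domains, endpoints, lookups = set(), set(), set()
    for row in parse_rows(text):
        label = classify(row)
        if label == "candidate_c2":
            domains.add(row["domain"])
            endpoints.add(f"{row['ip']}:{row['port']}")
        elif label == "ip_lookup":
            lookups.add(row["domain"])
    return {"domains": sorted(domains), "endpoints": sorted(endpoints),
            "ip_lookup": sorted(lookups)}


if __name__ == "__main__":
    for row in parse_rows(NETWORK_TABLE):
        print(f"{classify(row):13} {row['domain']:32} {row['ip']}:{row['port']}/{row['proto']}")
    print(extract_iocs(NETWORK_TABLE))
```

The DNS rows are deliberately dropped rather than folded into the domain list: the query for ifreegive.gq and the TCP session to it name the same host, and keeping only the session avoids double-counting while still recording the resolved address. A DNS query with no matching session (a domain that failed to resolve during detonation) would be worth surfacing separately in a fuller version.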
Files
memory/384-2-0x0000000076241000-0x0000000076243000-memory.dmp
memory/384-4-0x0000000074390000-0x0000000074A7E000-memory.dmp
memory/384-5-0x0000000000D90000-0x0000000000D91000-memory.dmp
memory/384-7-0x0000000006190000-0x0000000006191000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-03-05 18:22
Reported
2021-03-05 18:24
Platform
win10v20201028
Max time kernel
10s
Max time network
112s
Command Line
Signatures
Echelon
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
themida
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Build.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Build.exe
"C:\Users\Admin\AppData\Local\Temp\Build.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1860
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.msftconnecttest.com | udp |
| N/A | 13.107.4.52:80 | www.msftconnecttest.com | tcp |
Files
memory/4640-3-0x0000000073DA0000-0x000000007448E000-memory.dmp
memory/4640-4-0x0000000000B80000-0x0000000000B81000-memory.dmp
memory/4640-6-0x0000000077CD4000-0x0000000077CD5000-memory.dmp
memory/4640-7-0x0000000005570000-0x0000000005571000-memory.dmp
memory/4640-8-0x00000000056B0000-0x00000000056B1000-memory.dmp
memory/4204-9-0x00000000046F0000-0x00000000046F1000-memory.dmp
memory/4204-10-0x00000000046F0000-0x00000000046F1000-memory.dmp