Analysis
max time kernel: 146s
max time network: 152s
platform: windows10_x64
resource: win10-en-20210920
submitted: 28-09-2021 12:02
Static task: static1
General
Target: 3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe
Size: 4.8MB
MD5: c04496520501bc6a3b3f0b7f5f875a32
SHA1: 49e280e408a6df27295abf3d504003cbceeb00d8
SHA256: 3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3
SHA512: de333be3cd173a96579e95410fe92b8a4e5976b80451601bcf300eb2f3405be91983edb83881dd7f1d02aef6c0a5cadc00850c0536b2254ad710808d5cf183eb
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description       | ioc                                                              | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  | 3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   | 3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource                                                                    | yara_rule
behavioral1/memory/440-117-0x0000000000CA0000-0x0000000000CA1000-memory.dmp | themida

Checks whether UAC is enabled
Processes:
description       | ioc                                                                           | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (16 IoCs)
Processes:
pid | process
440 | 3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe (entry repeated 16 times)
Program crash (1 IoC)
Processes:
pid  | pid_target | process      | target process
4440 | 440        | WerFault.exe | 3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe
Suspicious behavior: EnumeratesProcesses (21 IoCs)
Processes:
pid  | process
440  | 3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe (entry repeated 7 times)
4440 | WerFault.exe (entry repeated 14 times)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
description               | pid  | process
Token: SeDebugPrivilege   | 440  | 3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe
Token: SeRestorePrivilege | 4440 | WerFault.exe
Token: SeBackupPrivilege  | 4440 | WerFault.exe
Token: SeDebugPrivilege   | 4440 | WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe"
   PID: 440
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\WerFault.exe (child of PID 440)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 1124
      PID: 4440
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken