Analysis Overview
SHA256
3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3
Threat Level: Known bad
The file 3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3 was found to be: Known bad.
Malicious Activity Summary
Echelon
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Themida packer
Checks BIOS information in registry
Reads user/profile data of web browsers
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-28 12:02
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2021-09-28 12:02
Reported
2021-09-28 12:05
Platform
win10-en-20210920
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Echelon
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe
"C:\Users\Admin\AppData\Local\Temp\3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 1124
Network
| Country | Destination | Domain | Proto |
| FR | 2.16.119.157:443 | tcp | |
| US | 8.8.8.8:53 | g.api.mega.co.nz | udp |
| LU | 66.203.125.13:443 | g.api.mega.co.nz | tcp |
Files
memory/440-115-0x0000000077700000-0x000000007788E000-memory.dmp
memory/440-117-0x0000000000CA0000-0x0000000000CA1000-memory.dmp
memory/440-119-0x0000000006050000-0x0000000006051000-memory.dmp
memory/440-120-0x0000000006C30000-0x0000000006C31000-memory.dmp
memory/440-121-0x00000000067C0000-0x00000000067C1000-memory.dmp
memory/440-122-0x0000000005FE0000-0x0000000006046000-memory.dmp
memory/440-123-0x0000000005FE0000-0x0000000006046000-memory.dmp
memory/440-124-0x0000000007130000-0x0000000007131000-memory.dmp
memory/440-125-0x0000000005FE0000-0x0000000006046000-memory.dmp
memory/440-126-0x0000000007C30000-0x0000000007C31000-memory.dmp