Analysis
-
max time kernel
29s -
max time network
31s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
12-12-2021 12:50
Static task
static1
Behavioral task
behavioral1
Sample
aInjector Win64_x32.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
General
-
Target
aInjector Win64_x32.exe
-
Size
3.6MB
-
MD5
45539053a6c4a180b590a7af970fc3ab
-
SHA1
8a091f013cdbe5b0f7308692a75bd95c544a7e5a
-
SHA256
e341a13e9d2d6974d68018a8d8f28f4a40ef8b1fe063384eda97ebbbad7ab80a
-
SHA512
498c61bb0949ef48e1bf834e3fce02ddc7b857e794ce02d97c615f03d2c93420799cd7476bdd4bb15768396cd28668060da0c6e9914039d6bc010f32ddafea85
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 884 created 3732 884 WerFault.exe aInjector Win64_x32.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
aInjector Win64_x32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion aInjector Win64_x32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion aInjector Win64_x32.exe -
Processes:
resource yara_rule behavioral2/memory/3732-119-0x0000000000070000-0x0000000000071000-memory.dmp themida -
Processes:
aInjector Win64_x32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA aInjector Win64_x32.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 18 ip-api.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
aInjector Win64_x32.exepid process 3732 aInjector Win64_x32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 884 3732 WerFault.exe aInjector Win64_x32.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
WerFault.exepid process 884 WerFault.exe 884 WerFault.exe 884 WerFault.exe 884 WerFault.exe 884 WerFault.exe 884 WerFault.exe 884 WerFault.exe 884 WerFault.exe 884 WerFault.exe 884 WerFault.exe 884 WerFault.exe 884 WerFault.exe 884 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
aInjector Win64_x32.exeWerFault.exedescription pid process Token: SeDebugPrivilege 3732 aInjector Win64_x32.exe Token: SeRestorePrivilege 884 WerFault.exe Token: SeBackupPrivilege 884 WerFault.exe Token: SeDebugPrivilege 884 WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\aInjector Win64_x32.exe"C:\Users\Admin\AppData\Local\Temp\aInjector Win64_x32.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 1140082⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3732-118-0x0000000077A60000-0x0000000077BEE000-memory.dmpFilesize
1.6MB
-
memory/3732-119-0x0000000000070000-0x0000000000071000-memory.dmpFilesize
4KB
-
memory/3732-121-0x00000000054C0000-0x000000000551A000-memory.dmpFilesize
360KB
-
memory/3732-122-0x00000000031D0000-0x00000000031D1000-memory.dmpFilesize
4KB
-
memory/3732-123-0x0000000005700000-0x0000000005701000-memory.dmpFilesize
4KB
-
memory/3732-124-0x0000000005780000-0x0000000005781000-memory.dmpFilesize
4KB
-
memory/3732-125-0x0000000006D40000-0x0000000006D41000-memory.dmpFilesize
4KB
-
memory/3732-126-0x00000000064F0000-0x00000000064F1000-memory.dmpFilesize
4KB