Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-12-2021 17:14

General

  • Target

    injector.exe

  • Size

    3.4MB

  • MD5

    cfc3984a2b7c140e79cd2ae42afffe42

  • SHA1

    1a8061504f534700802a6a17ab609b2fc988ab71

  • SHA256

    53c847547c4994568c24fd7381fc7225978bf1aeee758cc247366e4786411818

  • SHA512

    3a5b88caa7e922b559d22eae67a836480bb17af06ebcbae0eb55be4df6e6bb7d721b572d5e25210ee9d2f98155820ba6e62de8fe788d2a8e01e2a67256601589

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Executes dropped EXE 1 IoCs
  • Sets service image path in registry 2 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\injector.exe
    "C:\Users\Admin\AppData\Local\Temp\injector.exe"
    1⤵
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Windows\SoftwareDistribution\Download\1GJmK.exe
      "C:\Windows\SoftwareDistribution\Download\1GJmK.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:1868
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cd C:\Windows\System
      2⤵
        PID:780
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c start C:\Windows\System\thread.exe
        2⤵
          PID:1256

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SoftwareDistribution\Download\1GJmK.exe

        MD5

        34f829bcb896d021e08d8d20b83edcb7

        SHA1

        640a304ed81eb3b6a78e96ead6541255c0c68257

        SHA256

        9cbba5e6d7f0a29d387aec2656c4cb4f095f629c5ca3e05dd38658e87519f081

        SHA512

        2396b2332c25efeb7e088a41a9da1e4eebbad2797e029dca90a41596596847b6606a00973ef2f833c381cae224e332f9de8b35cefd018486f00fde3445545d0a

      • \Windows\SoftwareDistribution\Download\1GJmK.exe

        MD5

        34f829bcb896d021e08d8d20b83edcb7

        SHA1

        640a304ed81eb3b6a78e96ead6541255c0c68257

        SHA256

        9cbba5e6d7f0a29d387aec2656c4cb4f095f629c5ca3e05dd38658e87519f081

        SHA512

        2396b2332c25efeb7e088a41a9da1e4eebbad2797e029dca90a41596596847b6606a00973ef2f833c381cae224e332f9de8b35cefd018486f00fde3445545d0a

      • memory/780-61-0x0000000000000000-mapping.dmp

      • memory/1256-62-0x0000000000000000-mapping.dmp

      • memory/1436-54-0x000000013FAB0000-0x0000000140406000-memory.dmp

        Filesize

        9.3MB

      • memory/1436-55-0x000000013FAB0000-0x0000000140406000-memory.dmp

        Filesize

        9.3MB

      • memory/1436-56-0x000000013FAB0000-0x0000000140406000-memory.dmp

        Filesize

        9.3MB

      • memory/1436-57-0x000007FEFC2D1000-0x000007FEFC2D3000-memory.dmp

        Filesize

        8KB

      • memory/1868-59-0x0000000000000000-mapping.dmp