Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-12-2021 17:14
Static task: static1
Behavioral task: behavioral1
- Sample: injector.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: injector.exe
- Resource: win10-en-20211208
General
- Target: injector.exe
- Size: 3.4MB
- MD5: cfc3984a2b7c140e79cd2ae42afffe42
- SHA1: 1a8061504f534700802a6a17ab609b2fc988ab71
- SHA256: 53c847547c4994568c24fd7381fc7225978bf1aeee758cc247366e4786411818
- SHA512: 3a5b88caa7e922b559d22eae67a836480bb17af06ebcbae0eb55be4df6e6bb7d721b572d5e25210ee9d2f98155820ba6e62de8fe788d2a8e01e2a67256601589
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]
- Executes dropped EXE [1 IoCs]
  Processes (pid, process):
    1868  1GJmK.exe
- Sets service image path in registry [2 TTPs]
- Checks BIOS information in registry [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  injector.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  injector.exe
- Loads dropped DLL [1 IoCs]
  Processes (pid, process):
    1436  injector.exe
- Processes (resource, yara_rule):
    behavioral1/memory/1436-54-0x000000013FAB0000-0x0000000140406000-memory.dmp  themida
    behavioral1/memory/1436-55-0x000000013FAB0000-0x0000000140406000-memory.dmp  themida
    behavioral1/memory/1436-56-0x000000013FAB0000-0x0000000140406000-memory.dmp  themida
- Checks whether UAC is enabled
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  injector.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoCs]
  Processes (pid, process):
    1436  injector.exe
- Drops file in Windows directory [1 IoCs]
  Processes (description, ioc, process):
    File created  C:\Windows\SoftwareDistribution\Download\1GJmK.exe  injector.exe
- Enumerates physical storage devices [1 TTPs]
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: LoadsDriver [1 IoCs]
  Processes (pid, process):
    1868  1GJmK.exe
- Suspicious use of AdjustPrivilegeToken [1 IoCs]
  Processes (description, pid, process):
    Token: SeLoadDriverPrivilege  1868  1GJmK.exe
- Suspicious use of WriteProcessMemory [9 IoCs]
  Processes (description, pid, process, target process):
    PID 1436 wrote to memory of 1868  1436  injector.exe  1GJmK.exe
    PID 1436 wrote to memory of 1868  1436  injector.exe  1GJmK.exe
    PID 1436 wrote to memory of 1868  1436  injector.exe  1GJmK.exe
    PID 1436 wrote to memory of 780   1436  injector.exe  cmd.exe
    PID 1436 wrote to memory of 780   1436  injector.exe  cmd.exe
    PID 1436 wrote to memory of 780   1436  injector.exe  cmd.exe
    PID 1436 wrote to memory of 1256  1436  injector.exe  cmd.exe
    PID 1436 wrote to memory of 1256  1436  injector.exe  cmd.exe
    PID 1436 wrote to memory of 1256  1436  injector.exe  cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\injector.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\injector.exe"
  PID: 1436
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SoftwareDistribution\Download\1GJmK.exe
    Command line: "C:\Windows\SoftwareDistribution\Download\1GJmK.exe"
    PID: 1868
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cd C:\Windows\System
    PID: 780
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c start C:\Windows\System\thread.exe
    PID: 1256
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 34f829bcb896d021e08d8d20b83edcb7
  SHA1: 640a304ed81eb3b6a78e96ead6541255c0c68257
  SHA256: 9cbba5e6d7f0a29d387aec2656c4cb4f095f629c5ca3e05dd38658e87519f081
  SHA512: 2396b2332c25efeb7e088a41a9da1e4eebbad2797e029dca90a41596596847b6606a00973ef2f833c381cae224e332f9de8b35cefd018486f00fde3445545d0a