Analysis
- max time kernel: 117s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 11-02-2022 17:34
Static task: static1
Behavioral task: behavioral1
- Sample: e7c38d73ae221bd89f9da8e0e8db70bac34ad6e7f71f3bd7b78432228fcfface.exe
- Resource: win7-en-20211208
- 0 signatures, 0 seconds
General
- Target: e7c38d73ae221bd89f9da8e0e8db70bac34ad6e7f71f3bd7b78432228fcfface.exe
- Size: 10.9MB
- MD5: b26d9fb58f3eecaf0d49b6849e533d73
- SHA1: 3d4627e0fa8a473c5348234bafa8d471b81bb008
- SHA256: e7c38d73ae221bd89f9da8e0e8db70bac34ad6e7f71f3bd7b78432228fcfface
- SHA512: ae645ea18a8ee0ff51857cd7dffdfa53f9483fd1a6b30201072f50571629471cbefa80dd19062bc4f0f481397c22b0baafef31fd83221b843004d8791a8a11ec
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e7c38d73ae221bd89f9da8e0e8db70bac34ad6e7f71f3bd7b78432228fcfface.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e7c38d73ae221bd89f9da8e0e8db70bac34ad6e7f71f3bd7b78432228fcfface.exe
- YARA rule match: themida 5 IoCs
  Processes:
  resource | yara_rule
  behavioral1/memory/1068-54-0x000000013FE20000-0x00000001416E7000-memory.dmp | themida
  behavioral1/memory/1068-55-0x000000013FE20000-0x00000001416E7000-memory.dmp | themida
  behavioral1/memory/1068-56-0x000000013FE20000-0x00000001416E7000-memory.dmp | themida
  behavioral1/memory/1068-57-0x000000013FE20000-0x00000001416E7000-memory.dmp | themida
  behavioral1/memory/1068-58-0x000000013FE20000-0x00000001416E7000-memory.dmp | themida
- Checks whether UAC is enabled 1 IoCs
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | e7c38d73ae221bd89f9da8e0e8db70bac34ad6e7f71f3bd7b78432228fcfface.exe
- Drops file in System32 directory 1 IoCs
  Processes:
  description | ioc | process
  File created | C:\Windows\system32\xqczfyxgvz.ini | e7c38d73ae221bd89f9da8e0e8db70bac34ad6e7f71f3bd7b78432228fcfface.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes:
  pid | process
  1068 | e7c38d73ae221bd89f9da8e0e8db70bac34ad6e7f71f3bd7b78432228fcfface.exe
- Suspicious behavior: RenamesItself 1 IoCs
  Processes:
  pid | process
  1068 | e7c38d73ae221bd89f9da8e0e8db70bac34ad6e7f71f3bd7b78432228fcfface.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e7c38d73ae221bd89f9da8e0e8db70bac34ad6e7f71f3bd7b78432228fcfface.exe (PID 1068)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e7c38d73ae221bd89f9da8e0e8db70bac34ad6e7f71f3bd7b78432228fcfface.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
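The signatures above are each a simple rule over the behavioral events the sandbox recorded (registry value queries, file creations, native API calls). The script below is an added example, not the sandbox vendor's code: it re-derives four of the five raised signatures from event tuples transcribed from the IoC lines in this report, and parses the memory-dump names in the Downloads section to recover the dumped region and its size. Assumptions: the event tuple layout is invented for the example; the report only names NtSetInformationThread, so the ThreadHideFromDebugger argument (ThreadInformationClass 0x11) is supplied here; the VirtualBox ACPI rule is included for completeness but, since the report lists no IoC for that signature, no constructed event fires it.

```python
import re

# Constructed events (pid, kind, target, detail), transcribed from the IoC lines above.
# The NtSetInformationThread argument is an assumption; the report names only the API.
# The last entry is a benign control that should match nothing.
SAMPLE_EVENTS = [
    (1068, "reg_query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", None),
    (1068, "reg_query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", None),
    (1068, "reg_query", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", None),
    (1068, "file_create", r"C:\Windows\system32\xqczfyxgvz.ini", None),
    (1068, "api_call", "NtSetInformationThread", {"ThreadInformationClass": 0x11}),
    (1068, "reg_query", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", None),
]

BIOS_KEY = r"\registry\machine\hardware\description\system"
BIOS_VALUES = {"systembiosversion", "videobiosversion", "systembiosdate"}
THREAD_HIDE_FROM_DEBUGGER = 0x11  # THREADINFOCLASS value passed to NtSetInformationThread


def bios_check(kind, target, detail):
    """Values under HARDWARE\\DESCRIPTION\\System that expose the (virtual) BIOS strings."""
    if kind != "reg_query":
        return None
    key, _, value = target.rpartition("\\")
    return target if key.lower() == BIOS_KEY and value.lower() in BIOS_VALUES else None


def uac_check(kind, target, detail):
    """EnableLUA under Policies\\System tells the sample whether UAC prompts will appear."""
    if kind == "reg_query" and target.lower().endswith(r"\policies\system\enablelua"):
        return target
    return None


def system32_drop(kind, target, detail):
    """Any file created directly under C:\\Windows\\System32 (writing there needs admin)."""
    if kind == "file_create" and target.lower().startswith(r"c:\windows\system32" + "\\"):
        return target
    return None


def hide_from_debugger(kind, target, detail):
    """NtSetInformationThread(ThreadHideFromDebugger) detaches the thread from any debugger."""
    if (kind == "api_call" and target == "NtSetInformationThread"
            and (detail or {}).get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER):
        return f"{target}(ThreadHideFromDebugger)"
    return None


def vbox_acpi(kind, target, detail):
    """VirtualBox stamps its ACPI tables with the OEM ID VBOX__, visible under HARDWARE\\ACPI."""
    if (kind == "reg_query" and target.lower().startswith(r"\registry\machine\hardware\acpi" + "\\")
            and "vbox" in target.lower()):
        return target
    return None


RULES = [
    ("Identifies VirtualBox via ACPI registry values", vbox_acpi),
    ("Checks BIOS information in registry", bios_check),
    ("Checks whether UAC is enabled", uac_check),
    ("Drops file in System32 directory", system32_drop),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", hide_from_debugger),
]


def match_signatures(events):
    """Return {signature name: [IoC, ...]} for every rule that fires on the event list."""
    hits = {}
    for _pid, kind, target, detail in events:
        for name, rule in RULES:
            ioc = rule(kind, target, detail)
            if ioc is not None:
                hits.setdefault(name, []).append(ioc)
    return hits


# Dump names follow memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, as in the Downloads section.
DUMP_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def dump_region(name):
    """Parse a dump file name into pid, sequence number, region bounds and size in bytes."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


if __name__ == "__main__":
    for name, iocs in match_signatures(SAMPLE_EVENTS).items():
        print(f"{name} ({len(iocs)} IoCs)")
        for ioc in iocs:
            print("   ", ioc)
    for dump in ("memory/1068-53-0x00000000772A0000-0x00000000772A2000-memory.dmp",
                 "memory/1068-54-0x000000013FE20000-0x00000001416E7000-memory.dmp"):
        r = dump_region(dump)
        print(f"pid {r['pid']} dump {r['seq']}: {r['size'] / 2**20:.1f} MB at 0x{r['start']:X}")
```

The five dumps 54 to 58 all cover the same 0x13FE20000-0x1416E7000 range (24.8 MB, more than twice the 10.9 MB file on disk), which is the region the themida YARA rule matched; re-dumping the same range at successive points is how a sandbox captures a packer's image as it unpacks in place.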
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1068-53-0x00000000772A0000-0x00000000772A2000-memory.dmp (Filesize 8KB)
- memory/1068-54-0x000000013FE20000-0x00000001416E7000-memory.dmp (Filesize 24.8MB)
- memory/1068-55-0x000000013FE20000-0x00000001416E7000-memory.dmp (Filesize 24.8MB)
- memory/1068-56-0x000000013FE20000-0x00000001416E7000-memory.dmp (Filesize 24.8MB)
- memory/1068-57-0x000000013FE20000-0x00000001416E7000-memory.dmp (Filesize 24.8MB)
- memory/1068-58-0x000000013FE20000-0x00000001416E7000-memory.dmp (Filesize 24.8MB)