Analysis

- max time kernel: 4294181s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 21/03/2022, 21:38

Static task: static1
Behavioral task: behavioral1

- Sample: 0x00080000000122ea-60.exe
- Resource: win7-20220311-en
- 0 signatures
- 0 seconds
General

- Target: 0x00080000000122ea-60.exe
- Size: 7.7MB
- MD5: b61ae72b50a40197085687a8df2c4f32
- SHA1: ccc71c89853966f7001c6ea43287d9c396884bc6
- SHA256: a262c8414eafbd3587c395b4a6b08ba010efcb4681c1759396386de7d223a50b
- SHA512: 83ce36d6bf70f2afc0bb07f403f797e2b3207501fe67a94ae69c5ae8f2530f8bd31fea6b8ad5c1f97fcff046818f2adfd1b16ed2ab89a601d15bb4162bc7c1ae
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

- Checks BIOS information in registry 2 TTPs 2 IoCs

  BIOS information is often read in order to detect sandboxing environments.

  | description | ioc | Process |
  |---|---|---|
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0x00080000000122ea-60.exe |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0x00080000000122ea-60.exe |

- Deletes itself 1 IoCs

  | pid | Process |
  |---|---|
  | 844 | cmd.exe |

- Checks whether UAC is enabled 1 IoCs

  | description | ioc | Process |
  |---|---|---|
  | Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 0x00080000000122ea-60.exe |

- Suspicious behavior: EnumeratesProcesses 64 IoCs

  | pid | Process |
  |---|---|
  | 1328 | 0x00080000000122ea-60.exe |

  (All 64 entries are identical: PID 1328, 0x00080000000122ea-60.exe.)

- Suspicious use of AdjustPrivilegeToken 1 IoCs

  | description | pid | Process |
  |---|---|---|
  | Token: SeDebugPrivilege | 1328 | 0x00080000000122ea-60.exe |

- Suspicious use of WriteProcessMemory 6 IoCs

  | description | pid | Process | procid_target |
  |---|---|---|---|
  | PID 1328 wrote to memory of 844 | 1328 | 0x00080000000122ea-60.exe | 28 |
  | PID 1328 wrote to memory of 844 | 1328 | 0x00080000000122ea-60.exe | 28 |
  | PID 1328 wrote to memory of 844 | 1328 | 0x00080000000122ea-60.exe | 28 |
  | PID 844 wrote to memory of 1660 | 844 | cmd.exe | 30 |
  | PID 844 wrote to memory of 1660 | 844 | cmd.exe | 30 |
  | PID 844 wrote to memory of 1660 | 844 | cmd.exe | 30 |
Processes

- C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe"
  PID: 1328
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\cmd.exe
    Command line: "cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "0x00080000000122ea-60.exe"
    PID: 844
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\choice.exe
      Command line: choice /C Y /N /D Y /T 1
      PID: 1660