Analysis
-
max time kernel
142s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
05-05-2022 07:35
Static task
static1
Behavioral task
behavioral1
Sample
c61f9a9059f8b8bd0e69f7df4cb09786.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
c61f9a9059f8b8bd0e69f7df4cb09786.exe
-
Size
3.5MB
-
MD5
c61f9a9059f8b8bd0e69f7df4cb09786
-
SHA1
70fffde0debf4559859617d49dc48c54df3c156d
-
SHA256
84a5a26f1748c3ad1f0b98c438908e8dc842eacc6390484527ee1fe7e56264f5
-
SHA512
6a838d9663517e1f89bf47f9ba85b72cd431f0d61c4db97e69516ffa313d8bdfc9f619eb51ead5215786e523b43cde3186300cf3bfab7408d580c66cd7d00453
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
c61f9a9059f8b8bd0e69f7df4cb09786.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c61f9a9059f8b8bd0e69f7df4cb09786.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c61f9a9059f8b8bd0e69f7df4cb09786.exe -
Processes:
c61f9a9059f8b8bd0e69f7df4cb09786.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA c61f9a9059f8b8bd0e69f7df4cb09786.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 15 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
c61f9a9059f8b8bd0e69f7df4cb09786.exedescription pid process target process PID 388 set thread context of 2724 388 c61f9a9059f8b8bd0e69f7df4cb09786.exe AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
AppLaunch.exedescription pid process Token: SeDebugPrivilege 2724 AppLaunch.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
c61f9a9059f8b8bd0e69f7df4cb09786.exedescription pid process target process PID 388 wrote to memory of 2724 388 c61f9a9059f8b8bd0e69f7df4cb09786.exe AppLaunch.exe PID 388 wrote to memory of 2724 388 c61f9a9059f8b8bd0e69f7df4cb09786.exe AppLaunch.exe PID 388 wrote to memory of 2724 388 c61f9a9059f8b8bd0e69f7df4cb09786.exe AppLaunch.exe PID 388 wrote to memory of 2724 388 c61f9a9059f8b8bd0e69f7df4cb09786.exe AppLaunch.exe PID 388 wrote to memory of 2724 388 c61f9a9059f8b8bd0e69f7df4cb09786.exe AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c61f9a9059f8b8bd0e69f7df4cb09786.exe"C:\Users\Admin\AppData\Local\Temp\c61f9a9059f8b8bd0e69f7df4cb09786.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/388-131-0x0000000000320000-0x000000000069E000-memory.dmpFilesize
3.5MB
-
memory/388-130-0x0000000000320000-0x000000000069E000-memory.dmpFilesize
3.5MB
-
memory/388-132-0x0000000000320000-0x000000000069E000-memory.dmpFilesize
3.5MB
-
memory/2724-133-0x0000000000000000-mapping.dmp
-
memory/2724-134-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/2724-139-0x0000000004F30000-0x0000000004F96000-memory.dmpFilesize
408KB
-
memory/2724-140-0x0000000006060000-0x0000000006604000-memory.dmpFilesize
5.6MB
-
memory/2724-141-0x0000000005BB0000-0x0000000005C42000-memory.dmpFilesize
584KB