Analysis
max time kernel: 3s
max time network: 43s
platform: windows7_x64
resource: win7-20220414-en
submitted: 30-06-2022 19:56
Behavioral task: behavioral1
Sample: d60931ac230ffd0dca4f8e372fb3c82716a3f71fe7c199b4c6a517aafc55305e.exe
Resource: win7-20220414-en (windows7_x64)
0 signatures, 0 seconds
General
Target: d60931ac230ffd0dca4f8e372fb3c82716a3f71fe7c199b4c6a517aafc55305e.exe
Size: 10.2MB
MD5: f29a86fa16fc8c55acbfabe4fb388743
SHA1: e0e74d9f4454df636fd2fec10561af4fd5412353
SHA256: d60931ac230ffd0dca4f8e372fb3c82716a3f71fe7c199b4c6a517aafc55305e
SHA512: 8e419c8ab1586151fa174e65e2b2505a499ab24a303a655d900619ebaaa24528f058409e04961b6bde2d8c131155f28c3d885fe46a148726467408475b806ebb
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d60931ac230ffd0dca4f8e372fb3c82716a3f71fe7c199b4c6a517aafc55305e.exe
XMRig Miner Payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2024-54-0x000000013F880000-0x00000001405D5000-memory.dmp | xmrig
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d60931ac230ffd0dca4f8e372fb3c82716a3f71fe7c199b4c6a517aafc55305e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d60931ac230ffd0dca4f8e372fb3c82716a3f71fe7c199b4c6a517aafc55305e.exe
Processes:
resource | yara_rule
behavioral1/memory/2024-54-0x000000013F880000-0x00000001405D5000-memory.dmp | themida
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | d60931ac230ffd0dca4f8e372fb3c82716a3f71fe7c199b4c6a517aafc55305e.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeLockMemoryPrivilege | 2024 | d60931ac230ffd0dca4f8e372fb3c82716a3f71fe7c199b4c6a517aafc55305e.exe
Token: SeLockMemoryPrivilege | 2024 | d60931ac230ffd0dca4f8e372fb3c82716a3f71fe7c199b4c6a517aafc55305e.exe
Processes
C:\Users\Admin\AppData\Local\Temp\d60931ac230ffd0dca4f8e372fb3c82716a3f71fe7c199b4c6a517aafc55305e.exe "C:\Users\Admin\AppData\Local\Temp\d60931ac230ffd0dca4f8e372fb3c82716a3f71fe7c199b4c6a517aafc55305e.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken