Analysis
- max time kernel: 53s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20220715-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220715-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-07-2022 00:53
Behavioral task behavioral1
- Sample: 95dea59c9833cb81c4690d6f644fcbfcbfd9dda3209aaa1fee62c25d010cf1a8.exe
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: 95dea59c9833cb81c4690d6f644fcbfcbfd9dda3209aaa1fee62c25d010cf1a8.exe
- Resource: win10v2004-20220715-en
General
- Target: 95dea59c9833cb81c4690d6f644fcbfcbfd9dda3209aaa1fee62c25d010cf1a8.exe
- Size: 1.3MB
- MD5: 85c8e01f5ec046ed1922b048749a96dd
- SHA1: b7d67f0f50dcfd52bf0244b27d2e32f4b37e1d3b
- SHA256: 95dea59c9833cb81c4690d6f644fcbfcbfd9dda3209aaa1fee62c25d010cf1a8
- SHA512: fdedb6ddb37aba27ff01232aea3a6d9c662f7941d344e172ee51af3d53ca6ed7f1438b6d43d446fedf2f94e2064cfbeaa04b9ecae018dc2c5c55e6424e19449e
Malware Config
(no configuration extracted in this report)
Signatures
The results below come from behavioral2 (win10v2004-20220715-en), as the memory-dump names indicate. All activity is attributed to a single process, PID 2124.

- Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 1 IoC
  Process: 95dea59c9833cb81c4690d6f644fcbfcbfd9dda3209aaa1fee62c25d010cf1a8.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  (This key only exists when the ACPI DSDT table is signed "VBOX__", i.e. in a VirtualBox guest; a successful open is a strong hypervisor indicator for the sample.)

- Checks BIOS information in registry | 2 TTPs | 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Process: 95dea59c9833cb81c4690d6f644fcbfcbfd9dda3209aaa1fee62c25d010cf1a8.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

- Themida packer (yara rule: themida) | 6 IoCs
  The rule matched in every memory dump taken of PID 2124; all six dumps cover the same mapped image region 0x00007FF7AB8A0000-0x00007FF7ABD09000:
  behavioral2/memory/2124-130-0x00007FF7AB8A0000-0x00007FF7ABD09000-memory.dmp
  behavioral2/memory/2124-131-0x00007FF7AB8A0000-0x00007FF7ABD09000-memory.dmp
  behavioral2/memory/2124-132-0x00007FF7AB8A0000-0x00007FF7ABD09000-memory.dmp
  behavioral2/memory/2124-133-0x00007FF7AB8A0000-0x00007FF7ABD09000-memory.dmp
  behavioral2/memory/2124-134-0x00007FF7AB8A0000-0x00007FF7ABD09000-memory.dmp
  behavioral2/memory/2124-135-0x00007FF7AB8A0000-0x00007FF7ABD09000-memory.dmp
  (A Themida hit on the in-memory image means the protector's stub is still present at runtime; static analysis of the file on disk will show the packer, not the payload.)

- Adds Run key to start application | 2 TTPs | 1 IoC
  Process: 95dea59c9833cb81c4690d6f644fcbfcbfd9dda3209aaa1fee62c25d010cf1a8.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2280897447-3291712302-3137480060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32Com = "C:\\Users\\Public\\Docs\\95dea59c9833cb81c4690d6f644fcbfcbfd9dda3209aaa1fee62c25d010cf1a8.exe"
  (The Run value points at C:\Users\Public\Docs\, not at the Temp directory the sample was launched from. This report records no file write to that path, so whether the sample copies itself there before or after setting the value is not visible here and should be checked separately.)

- Checks whether UAC is enabled
  Process: 95dea59c9833cb81c4690d6f644fcbfcbfd9dda3209aaa1fee62c25d010cf1a8.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

- Suspicious behavior: GetForegroundWindowSpam | 1 IoC
  Process: 95dea59c9833cb81c4690d6f644fcbfcbfd9dda3209aaa1fee62c25d010cf1a8.exe (PID 2124)
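The registry-based signatures above (VirtualBox ACPI check, BIOS version reads, EnableLUA query, Run key persistence) are all visible in ordinary endpoint telemetry, so they can be turned into detection logic without the sandbox. The script below is an added example written for this page, not code from the sandbox vendor or from the sample; it classifies Sysmon-style registry events against rules derived from the IoCs in this report. The event shape (`RegEvent` with `op` in open/query/set) is an assumption standing in for whatever your sensor emits; the FADT/RSDT siblings of the DSDT key and SystemBiosDate are added by this example as a generalisation, not observations from the report. The constructed events mirror the report's PID 2124 activity plus one benign control event. Themida and GetForegroundWindow spam are not registry-observable and are out of scope here.

```python
"""Classify registry telemetry against the evasion/persistence IoCs in the report.

Added example: event format, rule names and sample events are constructed
for illustration and are not part of the sandbox report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class RegEvent:
    pid: int
    image: str      # full path of the process performing the access
    op: str         # "open", "query" or "set" (assumed sensor vocabulary)
    path: str       # full registry path as the sensor records it
    data: str = ""  # value data, only meaningful for "set"


# Rule table. DSDT\VBOX__, the two *BiosVersion values, EnableLUA and the
# HKCU Run key are the exact IoCs from the report. FADT/RSDT (also stamped
# VBOX__ in VirtualBox guests) and SystemBiosDate are additions of this example.
RULES = [
    ("anti_vm.virtualbox_acpi", {"open", "query"},
     re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("anti_sandbox.bios_read", {"query"},
     re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\"
                r"(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$", re.I)),
    ("recon.uac_enabled", {"query"},
     re.compile(r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\"
                r"Policies\\System\\EnableLUA$", re.I)),
    ("persistence.run_key", {"set"},
     re.compile(r"^\\REGISTRY\\(USER\\S-1-5-21-[\d-]+|MACHINE)\\SOFTWARE\\Microsoft\\"
                r"Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)),
]


def match_rules(ev):
    """Return the names of every rule that fires for a single event."""
    return [name for name, ops, pat in RULES if ev.op in ops and pat.search(ev.path)]


def classify(events):
    """Aggregate rule hits per PID and derive process-level flags.

    Returns {pid: {"image": str, "hits": [(rule, path), ...], "flags": set()}}.
    """
    per_pid = defaultdict(lambda: {"image": None, "hits": [], "flags": set()})
    for ev in events:
        rec = per_pid[ev.pid]
        rec["image"] = ev.image
        for name in match_rules(ev):
            rec["hits"].append((name, ev.path))
            if name == "persistence.run_key":
                # The Run value's data is what will be launched at logon. If it
                # is not the writer's own image, the process is persisting a copy
                # of itself from another location (in the report: launched from
                # Temp\, Run value points at Users\Public\Docs\). Quotes and the
                # doubled backslashes used in report output are normalised first.
                target = ev.data.strip('"').replace("\\\\", "\\")
                if target.lower() != ev.image.lower():
                    rec["flags"].add("run_key_points_elsewhere")
    for rec in per_pid.values():
        names = {n for n, _ in rec["hits"]}
        if any(n.startswith(("anti_vm.", "anti_sandbox.")) for n in names):
            rec["flags"].add("evasion_checks")
        if "persistence.run_key" in names and "evasion_checks" in rec["flags"]:
            rec["flags"].add("evasive_persistence")
    return dict(per_pid)


# Constructed sample events mirroring the report's PID 2124, plus one benign
# explorer.exe event (PID 4321, also constructed) that must not fire any rule.
SAMPLE = "95dea59c9833cb81c4690d6f644fcbfcbfd9dda3209aaa1fee62c25d010cf1a8.exe"
TEMP_IMAGE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
SID = "S-1-5-21-2280897447-3291712302-3137480060-1000"
EVENTS = [
    RegEvent(2124, TEMP_IMAGE, "open", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    RegEvent(2124, TEMP_IMAGE, "query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    RegEvent(2124, TEMP_IMAGE, "query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    RegEvent(2124, TEMP_IMAGE, "query", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    RegEvent(2124, TEMP_IMAGE, "set",
             "\\REGISTRY\\USER\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Win32Com",
             '"C:\\Users\\Public\\Docs\\' + SAMPLE + '"'),
    RegEvent(4321, "C:\\Windows\\explorer.exe", "query",
             "\\REGISTRY\\USER\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"),
]


if __name__ == "__main__":
    for pid, rec in classify(EVENTS).items():
        print(pid, rec["image"], sorted(rec["flags"]))
        for rule, path in rec["hits"]:
            print("   ", rule, path)
```

The per-process aggregation is the point: any one of these reads is common in legitimate software (installers check EnableLUA, hardware inventory tools read BIOS strings), but a single process that probes for a hypervisor and then writes a Run value pointing somewhere other than its own image is a much narrower pattern, which is why `evasive_persistence` is derived from the combination rather than from any one rule.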
Processes
- C:\Users\Admin\AppData\Local\Temp\95dea59c9833cb81c4690d6f644fcbfcbfd9dda3209aaa1fee62c25d010cf1a8.exe (PID 2124)
  Command line: "C:\Users\Admin\AppData\Local\Temp\95dea59c9833cb81c4690d6f644fcbfcbfd9dda3209aaa1fee62c25d010cf1a8.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
  No child processes were recorded.
Network
MITRE ATT&CK Enterprise v6
Downloads
Six memory dumps of PID 2124, each 4.4MB, all covering the same image region 0x00007FF7AB8A0000-0x00007FF7ABD09000 (0x469000 bytes, consistent with the stated size):
- memory/2124-130-0x00007FF7AB8A0000-0x00007FF7ABD09000-memory.dmp (4.4MB)
- memory/2124-131-0x00007FF7AB8A0000-0x00007FF7ABD09000-memory.dmp (4.4MB)
- memory/2124-132-0x00007FF7AB8A0000-0x00007FF7ABD09000-memory.dmp (4.4MB)
- memory/2124-133-0x00007FF7AB8A0000-0x00007FF7ABD09000-memory.dmp (4.4MB)
- memory/2124-134-0x00007FF7AB8A0000-0x00007FF7ABD09000-memory.dmp (4.4MB)
- memory/2124-135-0x00007FF7AB8A0000-0x00007FF7ABD09000-memory.dmp (4.4MB)