Analysis
- max time kernel: 52s
- max time network: 85s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2022 18:25
Behavioral task
- behavioral1
- Sample: e66a001712595492e31b33bd698e1d7fbaeb3b2f49b04389d1177d9adefe72c0.exe
- Resource: win7-20220715-en (windows7-x64)
- 5 signatures
- 150 seconds
General
- Target: e66a001712595492e31b33bd698e1d7fbaeb3b2f49b04389d1177d9adefe72c0.exe
- Size: 3.1MB
- MD5: 542298aa62750cd818d3dad2290313aa
- SHA1: 1cd88165dca314a4363f50d59596c03362b01bae
- SHA256: e66a001712595492e31b33bd698e1d7fbaeb3b2f49b04389d1177d9adefe72c0
- SHA512: 10fca949c1467fff74764f399c1f9795b5bafd9d8895aa68795f5ea6516c333856b034e9e2b03beb3e989397cc1e12cf38703338775fa503093215e197e27919
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e66a001712595492e31b33bd698e1d7fbaeb3b2f49b04389d1177d9adefe72c0.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e66a001712595492e31b33bd698e1d7fbaeb3b2f49b04389d1177d9adefe72c0.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e66a001712595492e31b33bd698e1d7fbaeb3b2f49b04389d1177d9adefe72c0.exe
Processes (resource | yara_rule):
- behavioral2/memory/2820-132-0x0000000000400000-0x0000000000C14000-memory.dmp | themida
- behavioral2/memory/2820-133-0x0000000000400000-0x0000000000C14000-memory.dmp | themida
- behavioral2/memory/2820-134-0x0000000000400000-0x0000000000C14000-memory.dmp | themida
- behavioral2/memory/2820-136-0x0000000000400000-0x0000000000C14000-memory.dmp | themida
- behavioral2/memory/2820-137-0x0000000000400000-0x0000000000C14000-memory.dmp | themida
- Checks whether UAC is enabled
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | e66a001712595492e31b33bd698e1d7fbaeb3b2f49b04389d1177d9adefe72c0.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes (pid | process):
- 2820 | e66a001712595492e31b33bd698e1d7fbaeb3b2f49b04389d1177d9adefe72c0.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e66a001712595492e31b33bd698e1d7fbaeb3b2f49b04389d1177d9adefe72c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e66a001712595492e31b33bd698e1d7fbaeb3b2f49b04389d1177d9adefe72c0.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2820-132-0x0000000000400000-0x0000000000C14000-memory.dmp (Filesize: 8.1MB)
- memory/2820-133-0x0000000000400000-0x0000000000C14000-memory.dmp (Filesize: 8.1MB)
- memory/2820-135-0x0000000077B10000-0x0000000077CB3000-memory.dmp (Filesize: 1.6MB)
- memory/2820-134-0x0000000000400000-0x0000000000C14000-memory.dmp (Filesize: 8.1MB)
- memory/2820-136-0x0000000000400000-0x0000000000C14000-memory.dmp (Filesize: 8.1MB)
- memory/2820-137-0x0000000000400000-0x0000000000C14000-memory.dmp (Filesize: 8.1MB)