Analysis
max time kernel: 146s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-07-2022 21:36
Behavioral task behavioral1: Sample EFB17623F04C4018000E57DA2874F594.exe; Resource win7-20220715-en
Behavioral task behavioral2: Sample EFB17623F04C4018000E57DA2874F594.exe; Resource win10v2004-20220721-en
General
Target: EFB17623F04C4018000E57DA2874F594.exe
Size: 5.8MB
MD5: efb17623f04c4018000e57da2874f594
SHA1: 5061791d84c91e9a8e818e351729f3bf780eb7ef
SHA256: 64d8cc20d5a9f8fbcf68f2b2242ac8346a82e6b72015cc0633bbad2833712036
SHA512: 7abe0bb16320df8347901cf6333b1f2c23af047e22a942a2f9f9957e25f6a1d346d3b1beaa9cafde2f6e089eed35b0e72fc82f15ba97307154c2890623d102e1
Malware Config
Signatures
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install (PPI) malware distribution service.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
VirtualBox stamps its ACPI tables with the OEM ID VBOX__, and Windows mirrors those tables under HKLM\HARDWARE\ACPI, so a guest can spot the hypervisor simply by opening that key.
Processes:
description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__; process: EFB17623F04C4018000E57DA2874F594.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion; process: EFB17623F04C4018000E57DA2874F594.exe
description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion; process: EFB17623F04C4018000E57DA2874F594.exe

YARA match: themida (Themida-protected code found in process memory)
Processes:
resource: behavioral2/memory/868-132-0x0000000000CF0000-0x0000000001527000-memory.dmp; yara_rule: themida
resource: behavioral2/memory/868-131-0x0000000000CF0000-0x0000000001527000-memory.dmp; yara_rule: themida
resource: behavioral2/memory/868-134-0x0000000000CF0000-0x0000000001527000-memory.dmp; yara_rule: themida
resource: behavioral2/memory/868-135-0x0000000000CF0000-0x0000000001527000-memory.dmp; yara_rule: themida
resource: behavioral2/memory/868-136-0x0000000000CF0000-0x0000000001527000-memory.dmp; yara_rule: themida
resource: behavioral2/memory/868-138-0x0000000000CF0000-0x0000000001527000-memory.dmp; yara_rule: themida

Checks whether UAC is enabled
Processes:
description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: EFB17623F04C4018000E57DA2874F594.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops the debugger from receiving events for that thread, a common anti-debugging step in packed loaders.
Processes:
pid: 868; process: EFB17623F04C4018000E57DA2874F594.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid: 868; process: EFB17623F04C4018000E57DA2874F594.exe
pid: 868; process: EFB17623F04C4018000E57DA2874F594.exe
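As an added example that is not part of this report or of the sandbox's own signature engine: a small Python classifier that turns the registry IoCs listed above into detection rules and runs them over a constructed trace written in the report's own "operation path" shape. The rule names, the evasion threshold and the sample events are assumptions; the VirtualBox rule is deliberately wider than the single DSDT hit shown here, since VirtualBox stamps the DSDT, FADT and RSDT tables with the same VBOX__ OEM ID, and registry paths are matched case-insensitively because the registry itself is.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample trace (not from the report) in the "<operation> <path>"
# shape the sandbox prints. The last line is benign noise that must not fire.
SAMPLE_EVENTS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]

# Only the two operation kinds seen in the report are parsed; anything else
# (or a garbled line) is ignored rather than guessed at.
EVENT_RE = re.compile(r"^(Key opened|Key value queried)\s+(\\REGISTRY\\\S.*)$")

VBOX_RULE = "Identifies VirtualBox via ACPI registry values (likely anti-VM)"
BIOS_RULE = "Checks BIOS information in registry"
UAC_RULE = "Checks whether UAC is enabled"

# Registry paths are case-insensitive, so every rule is compiled with re.I.
# The ACPI rule is widened beyond the report's DSDT hit to FADT and RSDT,
# which VirtualBox stamps with the same OEM ID (assumption, see lead-in).
RULES: Dict[str, "re.Pattern[str]"] = {
    VBOX_RULE: re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I),
    BIOS_RULE: re.compile(
        r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$", re.I
    ),
    UAC_RULE: re.compile(r"\\Policies\\System\\EnableLUA$", re.I),
}

# Rules that point at VM/sandbox detection rather than ordinary environment
# discovery. EnableLUA is left out: plenty of legitimate installers read it.
EVASION_RULES = {VBOX_RULE, BIOS_RULE}


def parse_event(line: str) -> Optional[Tuple[str, str]]:
    """Split one trace line into (operation, registry path), or None."""
    m = EVENT_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def match_signatures(events: List[str]) -> Dict[str, List[str]]:
    """Map every rule name to the registry paths in `events` that hit it."""
    hits: Dict[str, List[str]] = {name: [] for name in RULES}
    for line in events:
        parsed = parse_event(line)
        if parsed is None:
            continue
        _operation, path = parsed
        for name, pattern in RULES.items():
            if pattern.search(path):
                hits[name].append(path)
    return hits


def triage(events: List[str]) -> Dict[str, object]:
    """Summarise which rules fired and whether they add up to anti-analysis."""
    hits = match_signatures(events)
    fired = [name for name, paths in hits.items() if paths]
    evasion = [name for name in fired if name in EVASION_RULES]
    # Demand two independent evasion probes before calling it: a lone
    # SystemBiosVersion read is common in benign software (threshold is an
    # assumption for this example, not a sandbox setting).
    verdict = "likely anti-analysis" if len(evasion) >= 2 else "inconclusive"
    return {"signatures": fired, "evasion_signatures": evasion, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for name in result["signatures"]:
        print(f"[hit] {name}")
    print(f"verdict: {result['verdict']}")
```

The verdict deliberately needs both the VBOX__ key and a BIOS-version read before it calls the trace anti-analysis; either probe on its own shows up in enough legitimate software (installers, hardware inventory tools) that alerting on it alone would be noisy. Feed `triage` the registry events for one pid at a time, as the report groups them, rather than a whole-machine trace.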
Processes
1. C:\Users\Admin\AppData\Local\Temp\EFB17623F04C4018000E57DA2874F594.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\EFB17623F04C4018000E57DA2874F594.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/868-132-0x0000000000CF0000-0x0000000001527000-memory.dmp; Filesize: 8.2MB
memory/868-131-0x0000000000CF0000-0x0000000001527000-memory.dmp; Filesize: 8.2MB
memory/868-133-0x0000000077A60000-0x0000000077C03000-memory.dmp; Filesize: 1.6MB
memory/868-134-0x0000000000CF0000-0x0000000001527000-memory.dmp; Filesize: 8.2MB
memory/868-135-0x0000000000CF0000-0x0000000001527000-memory.dmp; Filesize: 8.2MB
memory/868-136-0x0000000000CF0000-0x0000000001527000-memory.dmp; Filesize: 8.2MB
memory/868-137-0x0000000077A60000-0x0000000077C03000-memory.dmp; Filesize: 1.6MB
memory/868-138-0x0000000000CF0000-0x0000000001527000-memory.dmp; Filesize: 8.2MB
memory/868-139-0x0000000077A60000-0x0000000077C03000-memory.dmp; Filesize: 1.6MB