Analysis
- max time kernel: 115s
- max time network: 220s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 02-08-2022 02:16
Behavioral task behavioral1
- Sample: File.exe
- Resource: win7-20220718-en
Behavioral task behavioral2
- Sample: File.exe
- Resource: win10v2004-20220721-en
General
- Target: File.exe
- Size: 399.1MB
- MD5: da68a47812b9fc6d8f58bc98503c55f9
- SHA1: 22f68cb818335552220eea6a38498f4688c7ea0a
- SHA256: 1d7c6b200ac9d76d30f825ecbdc9be885ce7698cef93c39f1fa2753eead4389b
- SHA512: ee8535fa38381942124851abc10ebbef9e29fcee7f65b6709c21348cc4c7bc88ae71adf2ef5715796a5cdc02e62809fc67565ce72b112373033008bfb73ea713
Malware Config
Signatures
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
  description   ioc                                           process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   File.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description         ioc                                                                process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    File.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion     File.exe
- Memory regions matching YARA rule "themida" (Themida packer)
  Processes:
  resource                                                                       yara_rule
  behavioral1/memory/1924-55-0x00000000001C0000-0x00000000009A0000-memory.dmp    themida
  behavioral1/memory/1924-56-0x00000000001C0000-0x00000000009A0000-memory.dmp    themida
  behavioral1/memory/1924-57-0x00000000001C0000-0x00000000009A0000-memory.dmp    themida
  behavioral1/memory/1924-59-0x00000000001C0000-0x00000000009A0000-memory.dmp    themida
  behavioral1/memory/1924-58-0x00000000001C0000-0x00000000009A0000-memory.dmp    themida
  behavioral1/memory/1924-61-0x00000000001C0000-0x00000000009A0000-memory.dmp    themida
- Checks whether UAC is enabled
  Processes:
  description         ioc                                                                                 process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   File.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  pid    process
  1924   File.exe
- Program crash (1 IoC)
  Processes:
  pid    pid_target   process        target process
  1484   1924         WerFault.exe   File.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid    process
  1924   File.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                         pid    process    target process
  PID 1924 wrote to memory of 1484    1924   File.exe   WerFault.exe
  PID 1924 wrote to memory of 1484    1924   File.exe   WerFault.exe
  PID 1924 wrote to memory of 1484    1924   File.exe   WerFault.exe
  PID 1924 wrote to memory of 1484    1924   File.exe   WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\File.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\File.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (child process)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1368
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1484-62-0x0000000000000000-mapping.dmp
- memory/1924-54-0x00000000762D1000-0x00000000762D3000-memory.dmp (Filesize: 8KB)
- memory/1924-55-0x00000000001C0000-0x00000000009A0000-memory.dmp (Filesize: 7.9MB)
- memory/1924-56-0x00000000001C0000-0x00000000009A0000-memory.dmp (Filesize: 7.9MB)
- memory/1924-57-0x00000000001C0000-0x00000000009A0000-memory.dmp (Filesize: 7.9MB)
- memory/1924-59-0x00000000001C0000-0x00000000009A0000-memory.dmp (Filesize: 7.9MB)
- memory/1924-58-0x00000000001C0000-0x00000000009A0000-memory.dmp (Filesize: 7.9MB)
- memory/1924-60-0x0000000077700000-0x0000000077880000-memory.dmp (Filesize: 1.5MB)
- memory/1924-61-0x00000000001C0000-0x00000000009A0000-memory.dmp (Filesize: 7.9MB)