Analysis
- max time kernel: 44s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 02-08-2022 04:25
Behavioral task: behavioral1
- Sample: 5a3269689eeb0b116891cf656fdcdb472d452aa563bb56b9d25c1d83766c354c.exe
- Resource: win7-20220715-en
- Platform: windows7-x64
- 8 signatures
- 150 seconds
General
- Target: 5a3269689eeb0b116891cf656fdcdb472d452aa563bb56b9d25c1d83766c354c.exe
- Size: 5.3MB
- MD5: 0bff1d9de75f50b96dbad3bbee4e7813
- SHA1: 211c9882266d68f405e03a6c65ca6c17e906e70c
- SHA256: 5a3269689eeb0b116891cf656fdcdb472d452aa563bb56b9d25c1d83766c354c
- SHA512: d22984ab0ba91f20dc37cc25c82bced14b401b0c29452c62027e32659767687d64fb64c897620b44ac0e2b31c2c9b9e85065a7e5efd24aa7d5dcb456729f15c0
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  Processes:
    description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | process: 5a3269689eeb0b116891cf656fdcdb472d452aa563bb56b9d25c1d83766c354c.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | process: 5a3269689eeb0b116891cf656fdcdb472d452aa563bb56b9d25c1d83766c354c.exe
    description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | process: 5a3269689eeb0b116891cf656fdcdb472d452aa563bb56b9d25c1d83766c354c.exe
  Processes:
    resource: behavioral1/memory/912-54-0x000000013F3F0000-0x000000014024D000-memory.dmp | yara_rule: themida
    resource: behavioral1/memory/912-55-0x000000013F3F0000-0x000000014024D000-memory.dmp | yara_rule: themida
    resource: behavioral1/memory/912-56-0x000000013F3F0000-0x000000014024D000-memory.dmp | yara_rule: themida
    resource: behavioral1/memory/912-57-0x000000013F3F0000-0x000000014024D000-memory.dmp | yara_rule: themida
    resource: behavioral1/memory/912-58-0x000000013F3F0000-0x000000014024D000-memory.dmp | yara_rule: themida
    resource: behavioral1/memory/912-60-0x000000013F3F0000-0x000000014024D000-memory.dmp | yara_rule: themida
    resource: behavioral1/memory/912-62-0x000000013F3F0000-0x000000014024D000-memory.dmp | yara_rule: themida
- Checks whether UAC is enabled
  Processes:
    description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | process: 5a3269689eeb0b116891cf656fdcdb472d452aa563bb56b9d25c1d83766c354c.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
    pid: 912 | process: 5a3269689eeb0b116891cf656fdcdb472d452aa563bb56b9d25c1d83766c354c.exe
- Program crash (1 IoCs)
  Processes:
    pid: 608 | pid_target: 912 | process: WerFault.exe | target process: 5a3269689eeb0b116891cf656fdcdb472d452aa563bb56b9d25c1d83766c354c.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid: 912 | process: 5a3269689eeb0b116891cf656fdcdb472d452aa563bb56b9d25c1d83766c354c.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 912 wrote to memory of 608 | pid: 912 | process: 5a3269689eeb0b116891cf656fdcdb472d452aa563bb56b9d25c1d83766c354c.exe | target process: WerFault.exe
    description: PID 912 wrote to memory of 608 | pid: 912 | process: 5a3269689eeb0b116891cf656fdcdb472d452aa563bb56b9d25c1d83766c354c.exe | target process: WerFault.exe
    description: PID 912 wrote to memory of 608 | pid: 912 | process: 5a3269689eeb0b116891cf656fdcdb472d452aa563bb56b9d25c1d83766c354c.exe | target process: WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\5a3269689eeb0b116891cf656fdcdb472d452aa563bb56b9d25c1d83766c354c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5a3269689eeb0b116891cf656fdcdb472d452aa563bb56b9d25c1d83766c354c.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 912 -s 724
      - Program crash
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/608-61-0x0000000000000000-mapping.dmp
- memory/912-54-0x000000013F3F0000-0x000000014024D000-memory.dmp (Filesize: 14.4MB)
- memory/912-55-0x000000013F3F0000-0x000000014024D000-memory.dmp (Filesize: 14.4MB)
- memory/912-56-0x000000013F3F0000-0x000000014024D000-memory.dmp (Filesize: 14.4MB)
- memory/912-57-0x000000013F3F0000-0x000000014024D000-memory.dmp (Filesize: 14.4MB)
- memory/912-59-0x0000000076CC0000-0x0000000076E69000-memory.dmp (Filesize: 1.7MB)
- memory/912-58-0x000000013F3F0000-0x000000014024D000-memory.dmp (Filesize: 14.4MB)
- memory/912-60-0x000000013F3F0000-0x000000014024D000-memory.dmp (Filesize: 14.4MB)
- memory/912-62-0x000000013F3F0000-0x000000014024D000-memory.dmp (Filesize: 14.4MB)
- memory/912-63-0x0000000076CC0000-0x0000000076E69000-memory.dmp (Filesize: 1.7MB)