Analysis
- max time kernel: 147s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 07:27
Behavioral task
- behavioral1
  - Sample: CloudWare.exe
  - Resource: win7-20220812-en (windows7-x64)
  - 10 signatures
  - 150 seconds
General
- Target: CloudWare.exe
- Size: 4.4MB
- MD5: 05c3c77aaa506ab0c4e3843753c7ede4
- SHA1: 5b067f0b0d97a7a7f617f89b043209c09157fe32
- SHA256: fc25988009a922636bbff1bae10c81bd29a9cc5dec7c731d6eae2c26b7fbd2e0
- SHA512: 520bc2d0fa5ecdd86eaba7a159840c7cd8eaf668d950c68bb3f88029d173f6afe04cc839dc36e0f30902f989f86b4e32d7b60d045c674c34dc5df5574e03caff
- SSDEEP: 98304:KQGyk/JdYF4ZtmD4fiKzSCrQtaIoZ4SbxJsm0E42RjolX4wGtS7UQ:KQfkhdYaZq4fRSGQAIqFd0c2lbT7H
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM)  (2 TTPs, 1 IoC)
  Processes:
    description   ioc                                          process
    Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  CloudWare.exe
- Checks BIOS information in registry  (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  CloudWare.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   CloudWare.exe
- YARA rule matches (rule: themida)  (3 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/2956-134-0x00007FF6FED90000-0x00007FF6FF9A2000-memory.dmp  themida
    behavioral2/memory/2956-135-0x00007FF6FED90000-0x00007FF6FF9A2000-memory.dmp  themida
    behavioral2/memory/2956-143-0x00007FF6FED90000-0x00007FF6FF9A2000-memory.dmp  themida
- Checks whether UAC is enabled  (1 IoC)
  Processes:
    description        ioc                                                                                 process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  CloudWare.exe
- Legitimate hosting services abused for malware hosting/C2  (1 TTP)
  (no IoCs recorded in this run)
- Suspicious use of NtSetInformationThreadHideFromDebugger  (1 IoC)
  Processes:
    pid   process
    2956  CloudWare.exe
- Program crash  (1 IoC)
  Processes:
    pid   pid_target  process       target process
    3976  2956        WerFault.exe  CloudWare.exe
  WerFault.exe was started for PID 2956, i.e. CloudWare.exe itself crashed; anything the sample would have done after that point is absent from this report.
- Suspicious use of AdjustPrivilegeToken  (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2956  CloudWare.exe
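The signatures above are the sandbox's own classification. To reproduce that classification from raw event records, for example when hunting for the same behaviour in Sysmon or procmon output rather than in a sandbox, the following added example (not code from the sandbox, the report or the sample) matches a small rule table against event records constructed by hand from the IoCs listed for PID 2956. The Event schema, the rule table, the `api_call` target spelling and the hive-name normalisation are this example's assumptions; the VirtualBox rule is deliberately wider than the single DSDT key on this page and also covers the FADT and RSDT ACPI table keys that carry the VBOX__ OEM id on VirtualBox guests.

```python
"""Re-derive the report's anti-analysis signatures from raw event records.

Added example, not code from the sandbox or from the sample. The event
records below are constructed by hand from the IoCs the report lists for
PID 2956; the Event schema, the rule table and the hive normalisation are
this example's own assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    process: str
    kind: str    # "reg_open", "reg_query", "api_call" or "privilege"
    target: str  # registry path, API name or privilege name


# The report spells registry IoCs as NT object paths (\REGISTRY\MACHINE\...).
# Other sources (Sysmon, procmon) use the Win32 hive name, so map HKLM /
# HKEY_LOCAL_MACHINE onto the NT form before matching.
_HIVE_ALIASES = {
    "HKEY_LOCAL_MACHINE": r"\REGISTRY\MACHINE",
    "HKLM": r"\REGISTRY\MACHINE",
}


def normalize_reg_path(path: str) -> str:
    """Return the path in upper-case NT object form."""
    path = path.strip().replace("/", "\\")
    upper = path.upper()
    for alias, nt_prefix in _HIVE_ALIASES.items():
        if upper == alias or upper.startswith(alias + "\\"):
            path = nt_prefix + path[len(alias):]
            break
    return path.upper()


# (signature name from the report, event kinds it applies to, pattern on the
# normalised target). Registry patterns are matched case-insensitively; the
# VirtualBox rule covers DSDT, FADT and RSDT, wider than the page's one key.
RULES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     {"reg_open", "reg_query"},
     re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Checks BIOS information in registry",
     {"reg_query"},
     re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM\\"
                r"(SYSTEMBIOSVERSION|VIDEOBIOSVERSION)$", re.I)),
    ("Checks whether UAC is enabled",
     {"reg_query"},
     re.compile(r"^\\REGISTRY\\MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\"
                r"POLICIES\\SYSTEM\\ENABLELUA$", re.I)),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger",
     {"api_call"},
     re.compile(r"^NtSetInformationThread:ThreadHideFromDebugger$")),  # assumed spelling
    ("Suspicious use of AdjustPrivilegeToken",
     {"privilege"},
     re.compile(r"^SeDebugPrivilege$")),
]


def match_signatures(events):
    """Map signature name -> list of (pid, process, kind, raw target) hits."""
    hits = {}
    for ev in events:
        target = normalize_reg_path(ev.target) if ev.kind.startswith("reg_") else ev.target
        for name, kinds, pattern in RULES:
            if ev.kind in kinds and pattern.search(target):
                hits.setdefault(name, []).append((ev.pid, ev.process, ev.kind, ev.target))
    return hits


def signatures_per_pid(events):
    """Count distinct signatures per PID: a single BIOS query is common and
    weak; several evasion signatures from one process are what stands out."""
    names_by_pid = {}
    for name, iocs in match_signatures(events).items():
        for pid, *_ in iocs:
            names_by_pid.setdefault(pid, set()).add(name)
    return {pid: len(names) for pid, names in names_by_pid.items()}


# Constructed sample input: the report's IoCs for PID 2956, plus one query of
# the same BIOS key from a made-up process, written in HKLM spelling.
SAMPLE_EVENTS = [
    Event(2956, "CloudWare.exe", "reg_open", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    Event(2956, "CloudWare.exe", "reg_query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    Event(2956, "CloudWare.exe", "reg_query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    Event(2956, "CloudWare.exe", "reg_query", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    Event(2956, "CloudWare.exe", "api_call", "NtSetInformationThread:ThreadHideFromDebugger"),
    Event(2956, "CloudWare.exe", "privilege", "SeDebugPrivilege"),
    Event(4242, "other.exe", "reg_query", r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
]

if __name__ == "__main__":
    for name, iocs in match_signatures(SAMPLE_EVENTS).items():
        print(f"{name}: {len(iocs)} IoC(s)")
    print(signatures_per_pid(SAMPLE_EVENTS))
```

On the constructed input PID 2956 triggers all five rules while the other process only triggers the BIOS rule; `signatures_per_pid` makes that difference explicit, which matters because reading SystemBiosVersion on its own is routine for legitimate software and only becomes interesting next to the VBOX__ probe, the UAC check and the anti-debug call.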
Processes
- C:\Users\Admin\AppData\Local\Temp\CloudWare.exe (PID 2956)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CloudWare.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\WerFault.exe (child of 2956, PID 3976)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2956 -s 1732
    - Program crash
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 456 -p 2956 -ip 2956
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  memory dump                                                         filesize
  memory/2956-133-0x00007FF6FED90000-0x00007FF6FF9A2000-memory.dmp    12.1MB
  memory/2956-134-0x00007FF6FED90000-0x00007FF6FF9A2000-memory.dmp    12.1MB
  memory/2956-135-0x00007FF6FED90000-0x00007FF6FF9A2000-memory.dmp    12.1MB
  memory/2956-136-0x00007FF8B3910000-0x00007FF8B3B05000-memory.dmp    2.0MB
  memory/2956-137-0x00000186DB5F0000-0x00000186DB602000-memory.dmp    72KB
  memory/2956-138-0x00007FF893F20000-0x00007FF8949E1000-memory.dmp    10.8MB
  memory/2956-139-0x00000186DB660000-0x00000186DB69C000-memory.dmp    240KB
  memory/2956-140-0x00007FF6FED90000-0x00007FF6FF9A2000-memory.dmp    12.1MB
  memory/2956-141-0x00007FF8B3910000-0x00007FF8B3B05000-memory.dmp    2.0MB
  memory/2956-142-0x00007FF893F20000-0x00007FF8949E1000-memory.dmp    10.8MB
  memory/2956-143-0x00007FF6FED90000-0x00007FF6FF9A2000-memory.dmp    12.1MB
  memory/2956-144-0x00007FF893F20000-0x00007FF8949E1000-memory.dmp    10.8MB
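The dump names encode the PID and the address range of each region, so the size column can be cross-checked and the twelve files can be grouped by region before anyone downloads them. The following added example (not code from the sandbox or the report) does both over the names and sizes copied from the list above; the name layout memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp and the binary-unit rounding of the size column are inferred from those entries and are assumptions of this example.

```python
"""Parse the memory-dump names under Downloads and cross-check the size column.

Added example, not part of the report. The names and printed sizes are copied
from the report's Downloads list; the name layout
memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp and the KB/MB rounding are
inferred from those entries and are assumptions of this example.
"""
import re

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# (name, size as printed in the report)
DUMPS = [
    ("memory/2956-133-0x00007FF6FED90000-0x00007FF6FF9A2000-memory.dmp", "12.1MB"),
    ("memory/2956-134-0x00007FF6FED90000-0x00007FF6FF9A2000-memory.dmp", "12.1MB"),
    ("memory/2956-135-0x00007FF6FED90000-0x00007FF6FF9A2000-memory.dmp", "12.1MB"),
    ("memory/2956-136-0x00007FF8B3910000-0x00007FF8B3B05000-memory.dmp", "2.0MB"),
    ("memory/2956-137-0x00000186DB5F0000-0x00000186DB602000-memory.dmp", "72KB"),
    ("memory/2956-138-0x00007FF893F20000-0x00007FF8949E1000-memory.dmp", "10.8MB"),
    ("memory/2956-139-0x00000186DB660000-0x00000186DB69C000-memory.dmp", "240KB"),
    ("memory/2956-140-0x00007FF6FED90000-0x00007FF6FF9A2000-memory.dmp", "12.1MB"),
    ("memory/2956-141-0x00007FF8B3910000-0x00007FF8B3B05000-memory.dmp", "2.0MB"),
    ("memory/2956-142-0x00007FF893F20000-0x00007FF8949E1000-memory.dmp", "10.8MB"),
    ("memory/2956-143-0x00007FF6FED90000-0x00007FF6FF9A2000-memory.dmp", "12.1MB"),
    ("memory/2956-144-0x00007FF893F20000-0x00007FF8949E1000-memory.dmp", "10.8MB"),
]


def parse_dump_name(name):
    """Split a dump name into pid, index and the dumped address range."""
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    # Regions are whole pages; reject reversed or unaligned ranges.
    if end <= start or start % 0x1000 or end % 0x1000:
        raise ValueError(f"implausible range in {name!r}")
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Reproduce the report's rounding: binary units, one decimal for MB."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def check_sizes(dumps):
    """Return (name, computed, printed, agrees) for every entry."""
    rows = []
    for name, printed in dumps:
        computed = human_size(parse_dump_name(name)["size"])
        rows.append((name, computed, printed, computed == printed))
    return rows


def group_by_region(dumps):
    """Map (start, end) -> dump indices, to see which regions were dumped repeatedly."""
    regions = {}
    for name, _ in dumps:
        info = parse_dump_name(name)
        regions.setdefault((info["start"], info["end"]), []).append(info["index"])
    return regions


if __name__ == "__main__":
    for name, computed, printed, ok in check_sizes(DUMPS):
        print(f"{'ok ' if ok else 'BAD'} {computed:>7} {printed:>7} {name}")
    for (start, end), idxs in group_by_region(DUMPS).items():
        print(f"0x{start:016X}-0x{end:016X}: {len(idxs)} dump(s) {idxs}")
```

Every printed size agrees with the address range, and the twelve files collapse to five regions: the 0x00007FF6FED90000-0x00007FF6FF9A2000 region (12.1MB, the one the themida YARA rule matched) was dumped five times, the 10.8MB and 2.0MB regions three and two times, and the two small 0x186... regions once each. When pulling dumps for manual unpacking, the later index of a repeated region is the one taken furthest into the run.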