Analysis
-
max time kernel
147s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
03-10-2022 07:27
General
-
Target
CloudWare.exe
-
Size
4.4MB
-
MD5
05c3c77aaa506ab0c4e3843753c7ede4
-
SHA1
5b067f0b0d97a7a7f617f89b043209c09157fe32
-
SHA256
fc25988009a922636bbff1bae10c81bd29a9cc5dec7c731d6eae2c26b7fbd2e0
-
SHA512
520bc2d0fa5ecdd86eaba7a159840c7cd8eaf668d950c68bb3f88029d173f6afe04cc839dc36e0f30902f989f86b4e32d7b60d045c674c34dc5df5574e03caff
-
SSDEEP
98304:KQGyk/JdYF4ZtmD4fiKzSCrQtaIoZ4SbxJsm0E42RjolX4wGtS7UQ:KQfkhdYaZq4fRSGQAIqFd0c2lbT7H
Score
9/10
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Program crash 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\CloudWare.exe"C:\Users\Admin\AppData\Local\Temp\CloudWare.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2956 -s 17322⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 456 -p 2956 -ip 29561⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2956-133-0x00007FF6FED90000-0x00007FF6FF9A2000-memory.dmpFilesize
12.1MB
-
memory/2956-134-0x00007FF6FED90000-0x00007FF6FF9A2000-memory.dmpFilesize
12.1MB
-
memory/2956-135-0x00007FF6FED90000-0x00007FF6FF9A2000-memory.dmpFilesize
12.1MB
-
memory/2956-136-0x00007FF8B3910000-0x00007FF8B3B05000-memory.dmpFilesize
2.0MB
-
memory/2956-137-0x00000186DB5F0000-0x00000186DB602000-memory.dmpFilesize
72KB
-
memory/2956-138-0x00007FF893F20000-0x00007FF8949E1000-memory.dmpFilesize
10.8MB
-
memory/2956-139-0x00000186DB660000-0x00000186DB69C000-memory.dmpFilesize
240KB
-
memory/2956-140-0x00007FF6FED90000-0x00007FF6FF9A2000-memory.dmpFilesize
12.1MB
-
memory/2956-141-0x00007FF8B3910000-0x00007FF8B3B05000-memory.dmpFilesize
2.0MB
-
memory/2956-142-0x00007FF893F20000-0x00007FF8949E1000-memory.dmpFilesize
10.8MB
-
memory/2956-143-0x00007FF6FED90000-0x00007FF6FF9A2000-memory.dmpFilesize
12.1MB
-
memory/2956-144-0x00007FF893F20000-0x00007FF8949E1000-memory.dmpFilesize
10.8MB