Analysis
-
max time kernel
23s -
max time network
28s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
05-10-2022 14:47
Behavioral task
behavioral1
Sample
bobux.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
bobux.exe
Resource
win10v2004-20220812-en
Errors
General
-
Target
bobux.exe
-
Size
5.4MB
-
MD5
6afa9397a7cd80ffe2f8d30828269e36
-
SHA1
c7976bb175b4d26cc790f925280551a7fcecfff1
-
SHA256
3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448
-
SHA512
de139d2dd1d569b48b6bb79098ed0198771c3187ae0dae8171ab5a89287492711bd712eb432fb822128df0694820e97161a712ddc4e6dd264d2ec30b3b44b230
-
SSDEEP
98304:NxV6zRhld9E1BlYb9uto2jgrGeweoSYp2prwvLWaNFXvow17IugzlHbGSZBN7fZm:vV8ld98BlON2jnbNswvBXvowJgzl7GSO
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
bobux.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,, C:\\Users\\Admin\\AppData\\Local\\Temp\\bobux.exe" bobux.exe -
Processes:
bobux.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" bobux.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bobux.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bobux.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
bobux.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ bobux.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
bobux.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion bobux.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion bobux.exe -
Loads dropped DLL 1 IoCs
Processes:
bobux.exepid process 4948 bobux.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule behavioral2/memory/4948-132-0x000002AC87210000-0x000002AC87776000-memory.dmp agile_net -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\322ea8b2-5b77-44ff-8f35-2130db963898\AgileDotNetRT64.dll themida behavioral2/memory/4948-135-0x00007FFBC4E30000-0x00007FFBC569C000-memory.dmp themida behavioral2/memory/4948-137-0x00007FFBC4E30000-0x00007FFBC569C000-memory.dmp themida behavioral2/memory/4948-139-0x00007FFBC4E30000-0x00007FFBC569C000-memory.dmp themida -
Processes:
bobux.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bobux.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bobux.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
bobux.exepid process 4948 bobux.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "182" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
bobux.exedescription pid process Token: SeShutdownPrivilege 4948 bobux.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LogonUI.exepid process 788 LogonUI.exe -
System policy modification 1 TTPs 8 IoCs
Processes:
bobux.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" bobux.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" bobux.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bobux.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" bobux.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" bobux.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" bobux.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" bobux.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bobux.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bobux.exe"C:\Users\Admin\AppData\Local\Temp\bobux.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa398f055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\322ea8b2-5b77-44ff-8f35-2130db963898\AgileDotNetRT64.dllFilesize
3.1MB
MD54d8082b3de02f82db9a515e9dab5d2b6
SHA1057a20ade70244601d0fe50f7011c95bae335ea5
SHA256936b1537b6efcece032c05661238b06beefc61ff76e82b7c5d9fe558a9360a4c
SHA5127b9153e9948e0f911fcb0b145678a56cac4abd948fa99e07c331760f02dce096cf3be7d2d8493cf7a76460c7172e24eaa45c1283a28353501b2876c54752c60d
-
memory/4948-132-0x000002AC87210000-0x000002AC87776000-memory.dmpFilesize
5.4MB
-
memory/4948-133-0x00007FFBC8BD0000-0x00007FFBC9691000-memory.dmpFilesize
10.8MB
-
memory/4948-135-0x00007FFBC4E30000-0x00007FFBC569C000-memory.dmpFilesize
8.4MB
-
memory/4948-136-0x00007FFBC9AA0000-0x00007FFBC9BEE000-memory.dmpFilesize
1.3MB
-
memory/4948-137-0x00007FFBC4E30000-0x00007FFBC569C000-memory.dmpFilesize
8.4MB
-
memory/4948-138-0x00007FFBE72D0000-0x00007FFBE74C5000-memory.dmpFilesize
2.0MB
-
memory/4948-139-0x00007FFBC4E30000-0x00007FFBC569C000-memory.dmpFilesize
8.4MB
-
memory/4948-140-0x00007FFBC8BD0000-0x00007FFBC9691000-memory.dmpFilesize
10.8MB
-
memory/4948-141-0x00007FFBE72D0000-0x00007FFBE74C5000-memory.dmpFilesize
2.0MB