fee755beaee75b583aa7aed6856c36e6c2ffc1a6b8f9a9ae02a2b44bcf18dfb8

Analysis

max time kernel
86s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 15:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

botlucky-client.exe
Size

9.2MB
MD5

8e48d8237eca1823a6dd88c560a3d9a9
SHA1

d0fecf2c9330f041156b3511ef93738a88972455
SHA256

fee755beaee75b583aa7aed6856c36e6c2ffc1a6b8f9a9ae02a2b44bcf18dfb8
SHA512

ddc3ca913e146b5534133665c679648907d10eef752bcaf38c858fa56469826d1d36776385c56dd68d68c167d44c588befeabe69ecb7ecb035e5e5506c8810d2
SSDEEP

196608:Ydw9Y1Mmx2dXzGo6nsVQ8ITGVFmFJ4FxnA/M3KE91Jaac3:YYmx2dDGo6IQ8fF4qA/MaIDc3

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	botlucky-client.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	botlucky-client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	botlucky-client.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	botlucky-client.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe
536	botlucky-client.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1244	taskmgr.exe
Token: SeSystemProfilePrivilege	1244	taskmgr.exe
Token: SeCreateGlobalPrivilege	1244	taskmgr.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe
1244	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\botlucky-client.exe
"C:\Users\Admin\AppData\Local\Temp\botlucky-client.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:536

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/536-132-0x0000000000EC0000-0x00000000025FD000-memory.dmp

Filesize
23.2MB

Download
memory/536-133-0x0000000077150000-0x00000000772F3000-memory.dmp

Filesize
1.6MB

Download
memory/536-134-0x0000000000EC0000-0x00000000025FD000-memory.dmp

Filesize
23.2MB

Download
memory/536-135-0x0000000000EC0000-0x00000000025FD000-memory.dmp

Filesize
23.2MB

Download
memory/536-136-0x0000000000EC0000-0x00000000025FD000-memory.dmp

Filesize
23.2MB

Download
memory/536-137-0x0000000000EC0000-0x00000000025FD000-memory.dmp

Filesize
23.2MB

Download
memory/536-138-0x0000000000EC0000-0x00000000025FD000-memory.dmp

Filesize
23.2MB

Download
memory/536-139-0x0000000000EC0000-0x00000000025FD000-memory.dmp

Filesize
23.2MB

Download
memory/536-140-0x0000000000EC0000-0x00000000025FD000-memory.dmp

Filesize
23.2MB

Download
memory/536-141-0x0000000000EC0000-0x00000000025FD000-memory.dmp

Filesize
23.2MB

Download
memory/536-142-0x0000000077150000-0x00000000772F3000-memory.dmp

Filesize
1.6MB

Download
memory/536-143-0x0000000077150000-0x00000000772F3000-memory.dmp

Filesize
1.6MB

Download