Analysis
- max time kernel: 57s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-11-2022 14:42
Behavioral tasks
- behavioral1: Sample amd software.exe, Resource win7-20220812-en
- behavioral2: Sample amd software.exe, Resource win10v2004-20221111-en
- behavioral3: Sample icucnv67.msi, Resource win7-20220812-en
- behavioral4: Sample icucnv67.msi, Resource win10v2004-20220812-en
- behavioral5: Sample icudt67.msi, Resource win7-20220812-en
- behavioral6: Sample icudt67.msi, Resource win10v2004-20220812-en
General
- Target: amd software.exe
- Size: 739.9MB
- MD5: d4d01f5de39d146d4f9390b900acf9a5
- SHA1: 3c062831149093b704d5174e9f29accae7d8925b
- SHA256: f5f3ce00dd2f262becf2f2d1ed5b3bcb71ce40b17fdc2aa849ec8399baa4a794
- SHA512: 71fedced374d6bf81d7c1825a3f673a43392e8ffeaaf98e520ef64f9104e706b7c1a3fb446a4fbeffc36715ef3cc3b4c40757cbf6cd27b02cc9f0564ffce7583
- SSDEEP: 98304:ejUUwRb9ct9mIc3vtlIpf2H1UjlEV9gMTZi4qNFTs1Fy0fStI0y:6wRbpFIpfsUjloPuNuFytZ
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
  description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | process: amd software.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | process: amd software.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | process: amd software.exe
- Processes (YARA matches):
  resource: behavioral1/memory/1508-56-0x0000000001100000-0x00000000019A4000-memory.dmp | yara_rule: themida
  resource: behavioral1/memory/1508-57-0x0000000001100000-0x00000000019A4000-memory.dmp | yara_rule: themida
- Checks whether UAC is enabled
  Processes:
  description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | process: amd software.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  pid: 1508 | process: amd software.exe
- Program crash (1 IoC)
  Processes:
  pid: 744 | pid_target: 1508 | process: WerFault.exe | target process: amd software.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description: PID 1508 wrote to memory of 744 | pid: 1508 | process: amd software.exe | target process: WerFault.exe
  description: PID 1508 wrote to memory of 744 | pid: 1508 | process: amd software.exe | target process: WerFault.exe
  description: PID 1508 wrote to memory of 744 | pid: 1508 | process: amd software.exe | target process: WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\amd software.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\amd software.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (child process)
    Command line: C:\Windows\system32\WerFault.exe -u -p 1508 -s 536
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/744-58-0x0000000000000000-mapping.dmp
- memory/1508-54-0x0000000001100000-0x00000000019A4000-memory.dmp (Filesize 8.6MB)
- memory/1508-55-0x0000000077090000-0x0000000077239000-memory.dmp (Filesize 1.7MB)
- memory/1508-56-0x0000000001100000-0x00000000019A4000-memory.dmp (Filesize 8.6MB)
- memory/1508-57-0x0000000001100000-0x00000000019A4000-memory.dmp (Filesize 8.6MB)
- memory/1508-59-0x0000000077090000-0x0000000077239000-memory.dmp (Filesize 1.7MB)