Analysis
max time kernel: 29s
max time network: 31s
platform: windows7_x64
resource: win7-20221111-es
resource tags: arch:x64 arch:x86 image:win7-20221111-es locale:es-es os:windows7-x64 system:windows
submitted: 29-12-2022 22:04
Behavioral task: behavioral1
Sample: Install.exe
Resource: win7-20221111-es (windows7-x64)
7 signatures
150 seconds
General
Target: Install.exe
Size: 4.2MB
MD5: d8f278167aabd0d6deaf0454ad8c25ed
SHA1: bebd64d7584a07cdc9f3334bbeaffe36f137ca67
SHA256: 356d67eb809b195349d0e32b42a1a6aef4a0d48049dabd3f37d8bca246f191e5
SHA512: be6ba32c409cae1647cf2b6dbdc094445103ae5b861a43fb32e3f29f86e256c8f31c25d351f16f001a724fc17f441487cea4b7b6f38fd28b38d1965d605eb5d9
SSDEEP: 49152:g6O26LhjgYwGesxEbQfe1mBFmS+fglb54/Mf5WiYbogXdDtyxdNZMhPopcNcIfZy:gbBtDePbeeuILgX40skn0Pyc2IfeEy
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  Processes: Install.exe
    description: Key opened
    ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    process: Install.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: Install.exe
    description: Key value queried
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    process: Install.exe
    description: Key value queried
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
    process: Install.exe
- YARA rule match: themida
  Processes:
    resource: behavioral1/memory/2016-55-0x00000000008D0000-0x0000000001500000-memory.dmp
    yara_rule: themida
    resource: behavioral1/memory/2016-59-0x00000000008D0000-0x0000000001500000-memory.dmp
    yara_rule: themida
- Checks whether UAC is enabled
  Processes: Install.exe
    description: Key value queried
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    process: Install.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes: Install.exe
    pid: 2016
    process: Install.exe
- Program crash 1 IoCs
  Processes: WerFault.exe
    pid: 816
    pid_target: 2016
    process: WerFault.exe
    target process: Install.exe
- Suspicious use of WriteProcessMemory 3 IoCs
  Processes: Install.exe
    description: PID 2016 wrote to memory of 816
    pid: 2016
    process: Install.exe
    target process: WerFault.exe
    description: PID 2016 wrote to memory of 816
    pid: 2016
    process: Install.exe
    target process: WerFault.exe
    description: PID 2016 wrote to memory of 816
    pid: 2016
    process: Install.exe
    target process: WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (child of Install.exe)
    command line: C:\Windows\system32\WerFault.exe -u -p 2016 -s 696
    - Program crash
- C:\Windows\explorer.exe
  command line: "C:\Windows\explorer.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/816-58-0x0000000000000000-mapping.dmp
- memory/932-61-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp (Filesize 8KB)
- memory/2016-55-0x00000000008D0000-0x0000000001500000-memory.dmp (Filesize 12.2MB)
- memory/2016-56-0x00000000008D0000-0x0000000001500000-memory.dmp (Filesize 12.2MB)
- memory/2016-57-0x0000000077280000-0x0000000077429000-memory.dmp (Filesize 1.7MB)
- memory/2016-59-0x00000000008D0000-0x0000000001500000-memory.dmp (Filesize 12.2MB)
- memory/2016-60-0x0000000077280000-0x0000000077429000-memory.dmp (Filesize 1.7MB)