Analysis
-
max time kernel
41s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
30-12-2022 12:32
Behavioral task
behavioral1
Sample
Install.exe
Resource
win7-20220812-en
windows7-x64
7 signatures
150 seconds
General
-
Target
Install.exe
-
Size
4.2MB
-
MD5
d8f278167aabd0d6deaf0454ad8c25ed
-
SHA1
bebd64d7584a07cdc9f3334bbeaffe36f137ca67
-
SHA256
356d67eb809b195349d0e32b42a1a6aef4a0d48049dabd3f37d8bca246f191e5
-
SHA512
be6ba32c409cae1647cf2b6dbdc094445103ae5b861a43fb32e3f29f86e256c8f31c25d351f16f001a724fc17f441487cea4b7b6f38fd28b38d1965d605eb5d9
-
SSDEEP
49152:g6O26LhjgYwGesxEbQfe1mBFmS+fglb54/Mf5WiYbogXdDtyxdNZMhPopcNcIfZy:gbBtDePbeeuILgX40skn0Pyc2IfeEy
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
VirtualBox reports the OEM ID VBOX in its ACPI tables, which Windows exposes as the VBOX__ subkey under HARDWARE\ACPI\DSDT; a physical machine carries the board vendor's ID there instead, so simply opening this key is a cheap VM fingerprint.
Processes:
description   ioc                                           process
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   Install.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS version strings are often read to detect virtualised or sandboxed environments, since hypervisor firmware usually names its vendor there (VirtualBox, for example, reports VBOX in SystemBiosVersion).
Processes:
description         ioc                                                               process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   Install.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    Install.exe
-
Themida packer (YARA rule: themida) 3 IoCs
The themida YARA rule matched the same 12.2MB region of Install.exe (PID 1248, 0x00A20000-0x01650000) in three consecutive memory dumps. Themida is a commercial protector whose runtime performs its own VM and debugger checks, so the anti-analysis signatures elsewhere in this report may come from the protector rather than from the payload it wraps.
Processes:
resource                                                                      yara_rule
behavioral1/memory/1248-55-0x0000000000A20000-0x0000000001650000-memory.dmp   themida
behavioral1/memory/1248-57-0x0000000000A20000-0x0000000001650000-memory.dmp   themida
behavioral1/memory/1248-59-0x0000000000A20000-0x0000000001650000-memory.dmp   themida
-
Checks whether UAC is enabled 1 IoCs
EnableLUA is the policy value that switches UAC on or off; reading it lets the sample learn in advance whether elevation will prompt the user.
Processes:
description         ioc                                                                                    process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Install.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
NtSetInformationThread with the ThreadHideFromDebugger class (0x11) stops the calling thread from delivering debug events, so an attached debugger silently loses it; legitimate software rarely needs this.
Processes:
pid    process
1248   Install.exe
-
Program crash 1 IoCs
Processes:
pid   pid_target   process        target process
908   1248         WerFault.exe   Install.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
All three writes go from Install.exe into the WerFault.exe instance it spawned to report its own crash (see the process tree below); that is consistent with the normal Windows Error Reporting hand-off rather than injection into an unrelated process.
Processes:
description                         pid    process       target process
PID 1248 wrote to memory of 908     1248   Install.exe   WerFault.exe
PID 1248 wrote to memory of 908     1248   Install.exe   WerFault.exe
PID 1248 wrote to memory of 908     1248   Install.exe   WerFault.exe
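The anti-analysis signatures above (the ACPI VBOX__ key, the two BIOS version values, EnableLUA and the ThreadHideFromDebugger call) expressed as detection rules that run over registry and API telemetry. This is an example added by the editor, not the sandbox's signature engine and not code from the sample; the "<pid> <process> <kind> <detail>" line format and the events in SAMPLE_EVENTS are constructed to mirror the IoCs in this report, and the ACPI rule is widened beyond the report's DSDT key to the FADT and RSDT keys that VirtualBox stamps with the same OEM ID.

```python
import re
from collections import OrderedDict

# Anti-analysis signatures mirrored from the report. Each entry is
# (signature name, event kinds it applies to, case-insensitive pattern on the
# event detail). Patterns match on the tail of the registry path, so the same
# rules work whether the prefix is \REGISTRY\MACHINE\ (sandbox) or HKLM\ (Sysmon).
# Editor's assumption: the ACPI rule also covers FADT and RSDT, which VirtualBox
# marks with VBOX__ exactly as it marks DSDT.
SIGNATURES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     {"key_opened", "value_queried"},
     re.compile(r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Checks BIOS information in registry",
     {"value_queried"},
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion$", re.I)),
    ("Checks whether UAC is enabled",
     {"value_queried"},
     re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger",
     {"api_call"},
     # ThreadHideFromDebugger is THREADINFOCLASS 0x11; once set, the thread no
     # longer raises debug events, so an attached debugger loses it.
     re.compile(r"^NtSetInformationThread\(.*\bThreadInformationClass=0x11\b", re.I)),
]

# Constructed telemetry (not sandbox output), modelled on the report's IoCs.
# The last line is a benign query that must not trigger any rule.
SAMPLE_EVENTS = r"""
1248 Install.exe key_opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
1248 Install.exe value_queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
1248 Install.exe value_queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
1248 Install.exe value_queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
1248 Install.exe api_call NtSetInformationThread(ThreadHandle=0xfc, ThreadInformationClass=0x11)
1248 Install.exe value_queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
"""


def parse_event(line):
    """Split one telemetry line into its fields; the detail may contain spaces."""
    pid, process, kind, detail = line.split(maxsplit=3)
    return {"pid": int(pid), "process": process, "kind": kind, "detail": detail}


def classify(lines):
    """Map each triggered signature to its (pid, process, detail) hits, in the
    report's signature order; signatures with no hits are omitted."""
    hits = OrderedDict((name, []) for name, _, _ in SIGNATURES)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_event(raw)
        for name, kinds, pattern in SIGNATURES:
            if ev["kind"] in kinds and pattern.search(ev["detail"]):
                hits[name].append((ev["pid"], ev["process"], ev["detail"]))
    return OrderedDict((name, v) for name, v in hits.items() if v)


def ioc_counts(hits):
    """Per-signature IoC counts, the figure the report prints as 'N IoCs'."""
    return {name: len(v) for name, v in hits.items()}


def per_process_summary(hits):
    """Which signatures each (pid, process) triggered. A process that shows both
    a VM fingerprint and a debugger-hiding call is a stronger evasion signal
    than one that shows either alone."""
    summary = {}
    for name, v in hits.items():
        for pid, process, _ in v:
            summary.setdefault((pid, process), set()).add(name)
    return summary


if __name__ == "__main__":
    hits = classify(SAMPLE_EVENTS.splitlines())
    for name, count in ioc_counts(hits).items():
        print(f"{name}: {count} IoC(s)")
        for pid, process, detail in hits[name]:
            print(f"    {process} ({pid}) {detail}")
```

Because the rules anchor on the path suffix rather than the hive prefix, the same SIGNATURES list can be pointed at Sysmon Event ID 12 (key open) and 13 (value query) TargetObject fields, whose paths start with HKLM\ instead of \REGISTRY\MACHINE\.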
Processes
-
C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
    C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1248 -s 700
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
file                                                              filesize
memory/908-58-0x0000000000000000-mapping.dmp
memory/1248-55-0x0000000000A20000-0x0000000001650000-memory.dmp   12.2MB
memory/1248-56-0x0000000077440000-0x00000000775E9000-memory.dmp   1.7MB
memory/1248-57-0x0000000000A20000-0x0000000001650000-memory.dmp   12.2MB
memory/1248-59-0x0000000000A20000-0x0000000001650000-memory.dmp   12.2MB
memory/1248-60-0x0000000077440000-0x00000000775E9000-memory.dmp   1.7MB