Analysis
- max time kernel: 30s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 02-01-2023 10:39
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.GenericKD.64662634.30711.13556.exe
- Resource: win7-20221111-en
General
- Target: SecuriteInfo.com.Trojan.GenericKD.64662634.30711.13556.exe
- Size: 3.9MB
- MD5: fc9eaee53296ad6fa5994952aa070110
- SHA1: a575e56b486486fbb696df8f8b3403e6ec266344
- SHA256: 7acc9b90cf11c071880a627ef389107d55f2cbc845c52d5f265e5b2855d6a575
- SHA512: b268c6124cf09fa1202fe428fa8d0e5bdd543c42523323a79e24236187842171f6d17acb5f02de5b8c6dfb0d2a949c98b88e7e186832516be878aef6aee1ecc1
- SSDEEP: 98304:FXePazT+6i8quQA7Yb+jWe4Cfrwq6l0D7PaidBZcFz+mpJu6J:FXOai8qREYbyhpjR6lSR26C3
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | SecuriteInfo.com.Trojan.GenericKD.64662634.30711.13556.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SecuriteInfo.com.Trojan.GenericKD.64662634.30711.13556.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | SecuriteInfo.com.Trojan.GenericKD.64662634.30711.13556.exe
- Yara rule match
  Processes:
  resource | yara_rule
  behavioral1/memory/2024-55-0x0000000000BF0000-0x0000000001758000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SecuriteInfo.com.Trojan.GenericKD.64662634.30711.13556.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
  pid | process
  2024 | SecuriteInfo.com.Trojan.GenericKD.64662634.30711.13556.exe
- Program crash (1 IoCs)
  Processes:
  pid | pid_target | process | target process
  1524 | 2024 | WerFault.exe | SecuriteInfo.com.Trojan.GenericKD.64662634.30711.13556.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 2024 wrote to memory of 1524 | 2024 | SecuriteInfo.com.Trojan.GenericKD.64662634.30711.13556.exe | WerFault.exe
  PID 2024 wrote to memory of 1524 | 2024 | SecuriteInfo.com.Trojan.GenericKD.64662634.30711.13556.exe | WerFault.exe
  PID 2024 wrote to memory of 1524 | 2024 | SecuriteInfo.com.Trojan.GenericKD.64662634.30711.13556.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.64662634.30711.13556.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.64662634.30711.13556.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -u -p 2024 -s 580
  - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1524-58-0x0000000000000000-mapping.dmp
- memory/2024-55-0x0000000000BF0000-0x0000000001758000-memory.dmp (Filesize: 11.4MB)
- memory/2024-56-0x0000000000BF0000-0x0000000001758000-memory.dmp (Filesize: 11.4MB)
- memory/2024-57-0x0000000077200000-0x00000000773A9000-memory.dmp (Filesize: 1.7MB)
- memory/2024-59-0x0000000000BF0000-0x0000000001758000-memory.dmp (Filesize: 11.4MB)
- memory/2024-60-0x0000000077200000-0x00000000773A9000-memory.dmp (Filesize: 1.7MB)