Analysis
- max time kernel: 35s
- max time network: 39s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 15-01-2023 10:35
Behavioral task
- behavioral1
- Sample: tmp.exe
- Resource: win7-20220812-en (windows7-x64)
- 7 signatures
- 150 seconds
General
- Target: tmp.exe
- Size: 3.2MB
- MD5: 031b4e1936f8758b15a7a26045162e3a
- SHA1: 5de003a965dde33ca504abc1d4f524e5a285b328
- SHA256: 4718af9354fd4c3f45bcd3ac66cf3e66f90004a9703dfc757690cbd669773aad
- SHA512: 2b99a219704c7bfcc21e0831c691d482230daa0781705ae1b2fa7c7410a3bb63797f69d0efe64c6edd55de2e5f7c876c72fc3ca76ad369db11b59498c1fbb394
- SSDEEP: 98304:5C7tc/q94MEjFFbK2gD4iyA9GZ5aICRdbw+a:pDMKbAExeIWbha
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | tmp.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | tmp.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | tmp.exe
- Obfuscated with Agile.Net obfuscator (3 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes:
  resource | yara_rule
  behavioral1/memory/1260-58-0x0000000001060000-0x00000000018F6000-memory.dmp | agile_net
  behavioral1/memory/1260-59-0x0000000001060000-0x00000000018F6000-memory.dmp | agile_net
  behavioral1/memory/1260-60-0x0000000001060000-0x00000000018F6000-memory.dmp | agile_net
- Processes:
  resource | yara_rule
  behavioral1/memory/1260-57-0x0000000001060000-0x00000000018F6000-memory.dmp | themida
  behavioral1/memory/1260-58-0x0000000001060000-0x00000000018F6000-memory.dmp | themida
  behavioral1/memory/1260-59-0x0000000001060000-0x00000000018F6000-memory.dmp | themida
  behavioral1/memory/1260-60-0x0000000001060000-0x00000000018F6000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tmp.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid | process
  1260 | tmp.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1260 | tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 1260)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1260-54-0x0000000075AD1000-0x0000000075AD3000-memory.dmp (Filesize 8KB)
- memory/1260-57-0x0000000001060000-0x00000000018F6000-memory.dmp (Filesize 8.6MB)
- memory/1260-58-0x0000000001060000-0x00000000018F6000-memory.dmp (Filesize 8.6MB)
- memory/1260-59-0x0000000001060000-0x00000000018F6000-memory.dmp (Filesize 8.6MB)
- memory/1260-60-0x0000000001060000-0x00000000018F6000-memory.dmp (Filesize 8.6MB)