Analysis
-
max time kernel
27s -
max time network
31s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
07-02-2023 00:24
General
-
Target
LolScriptV13.1/LolScriptV13.1/LolScript/LolScript.exe
-
Size
11.0MB
-
MD5
15f8670edce8902831bf9541c8749e90
-
SHA1
bcb53912c22a7328e3ead74b5dd01400d6ee5536
-
SHA256
f8bae3cd04ff1b52391dc3c62f5e47a44be2271dcba9964290ce5f81b0e32e85
-
SHA512
8ce3d82ffa17d5e1a15f37f08f0af54a86e9100806dda7c099e1758fff41c9a60b0658e93cbeec0465e70280296ef545054d1d3927fdbcd6468361528fb8c5fc
-
SSDEEP
196608:QsKmZRO75oqIqZzeYZ14asm96c0p7rUMNsMC/pb4jKooMFteo4XTi22MXW1jAiJn:QsXZIPIaR+UGxrpNsM2pb4jK1osTi20P
Score
9/10
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\LolScriptV13.1\LolScriptV13.1\LolScript\LolScript.exe"C:\Users\Admin\AppData\Local\Temp\LolScriptV13.1\LolScriptV13.1\LolScript\LolScript.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "Start_TrackProgs" /t REG_DWORD /d 0 /f >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "Start_TrackProgs" /t REG_DWORD /d 0 /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "Start_TrackEnabled" /t REG_DWORD /d 0 /f >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "Start_TrackEnabled" /t REG_DWORD /d 0 /f3⤵
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/268-66-0x0000000000000000-mapping.dmp
-
memory/524-67-0x0000000000000000-mapping.dmp
-
memory/960-64-0x0000000000000000-mapping.dmp
-
memory/1012-65-0x0000000000000000-mapping.dmp
-
memory/2044-58-0x0000000000DC0000-0x000000000277E000-memory.dmpFilesize
25.7MB
-
memory/2044-59-0x0000000000DC0000-0x000000000277E000-memory.dmpFilesize
25.7MB
-
memory/2044-60-0x0000000000DC0000-0x000000000277E000-memory.dmpFilesize
25.7MB
-
memory/2044-61-0x0000000000DC0000-0x000000000277E000-memory.dmpFilesize
25.7MB
-
memory/2044-62-0x0000000000DC0000-0x000000000277E000-memory.dmpFilesize
25.7MB
-
memory/2044-63-0x0000000000DC0000-0x000000000277E000-memory.dmpFilesize
25.7MB
-
memory/2044-54-0x00000000767F1000-0x00000000767F3000-memory.dmpFilesize
8KB
-
memory/2044-56-0x0000000000DC0000-0x000000000277E000-memory.dmpFilesize
25.7MB
-
memory/2044-55-0x0000000000DC0000-0x000000000277E000-memory.dmpFilesize
25.7MB
-
memory/2044-57-0x0000000077B10000-0x0000000077C90000-memory.dmpFilesize
1.5MB
-
memory/2044-68-0x0000000000DC0000-0x000000000277E000-memory.dmpFilesize
25.7MB
-
memory/2044-69-0x0000000000DC0000-0x000000000277E000-memory.dmpFilesize
25.7MB
-
memory/2044-70-0x0000000077B10000-0x0000000077C90000-memory.dmpFilesize
1.5MB