Analysis
-
max time kernel
120s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
07-02-2023 00:24
General
-
Target
LolScriptV13.1/LolScriptV13.1/LolScript/LolScript.exe
-
Size
11.0MB
-
MD5
15f8670edce8902831bf9541c8749e90
-
SHA1
bcb53912c22a7328e3ead74b5dd01400d6ee5536
-
SHA256
f8bae3cd04ff1b52391dc3c62f5e47a44be2271dcba9964290ce5f81b0e32e85
-
SHA512
8ce3d82ffa17d5e1a15f37f08f0af54a86e9100806dda7c099e1758fff41c9a60b0658e93cbeec0465e70280296ef545054d1d3927fdbcd6468361528fb8c5fc
-
SSDEEP
196608:QsKmZRO75oqIqZzeYZ14asm96c0p7rUMNsMC/pb4jKooMFteo4XTi22MXW1jAiJn:QsXZIPIaR+UGxrpNsM2pb4jK1osTi20P
Score
9/10
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Program crash 1 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\LolScriptV13.1\LolScriptV13.1\LolScript\LolScript.exe"C:\Users\Admin\AppData\Local\Temp\LolScriptV13.1\LolScriptV13.1\LolScript\LolScript.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "Start_TrackProgs" /t REG_DWORD /d 0 /f >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "Start_TrackProgs" /t REG_DWORD /d 0 /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "Start_TrackEnabled" /t REG_DWORD /d 0 /f >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "Start_TrackEnabled" /t REG_DWORD /d 0 /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 7322⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3272 -ip 32721⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1136-141-0x0000000000000000-mapping.dmp
-
memory/2648-142-0x0000000000000000-mapping.dmp
-
memory/3272-135-0x00000000007C0000-0x000000000217E000-memory.dmpFilesize
25.7MB
-
memory/3272-132-0x00000000007C0000-0x000000000217E000-memory.dmpFilesize
25.7MB
-
memory/3272-136-0x00000000007C0000-0x000000000217E000-memory.dmpFilesize
25.7MB
-
memory/3272-137-0x00000000007C0000-0x000000000217E000-memory.dmpFilesize
25.7MB
-
memory/3272-138-0x00000000007C0000-0x000000000217E000-memory.dmpFilesize
25.7MB
-
memory/3272-139-0x00000000007C0000-0x000000000217E000-memory.dmpFilesize
25.7MB
-
memory/3272-140-0x00000000007C0000-0x000000000217E000-memory.dmpFilesize
25.7MB
-
memory/3272-134-0x00000000007C0000-0x000000000217E000-memory.dmpFilesize
25.7MB
-
memory/3272-133-0x0000000077730000-0x00000000778D3000-memory.dmpFilesize
1.6MB
-
memory/3272-145-0x00000000007C0000-0x000000000217E000-memory.dmpFilesize
25.7MB
-
memory/3272-146-0x0000000077730000-0x00000000778D3000-memory.dmpFilesize
1.6MB
-
memory/3500-143-0x0000000000000000-mapping.dmp
-
memory/4544-144-0x0000000000000000-mapping.dmp