Analysis
-
max time kernel
81s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
12-03-2023 21:02
General
-
Target
Roles_External.exe
-
Size
9.0MB
-
MD5
002ad7c91deb54e30a919846fe124eaf
-
SHA1
cb092513ae675fe243d92328310471f09b51267a
-
SHA256
e9d01a1df753a60c21218dc713bf5b2fa95cd82ceb0f760afd1027249812aabe
-
SHA512
2e873b8ec2d32ba60117c6423d7bfca9da830870e0238044a1d50fdb0784598ef20325ff62462c6f88078ddc385dfd854f36f8b47aae9610c83a6d5f92b97fd7
-
SSDEEP
196608:p7tXDri3gUyVl21VNlNNjx4MLm6iE8y4HCh4Iv9o9qmDmHYmGN1:pJTrznCJjxpi6iE8y2Ch4MaPm4mO1
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
Roles_External.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Roles_External.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Roles_External.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Roles_External.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Roles_External.exe -
Processes:
resource yara_rule behavioral1/memory/4756-136-0x0000000000540000-0x00000000013FC000-memory.dmp themida behavioral1/memory/4756-137-0x0000000000540000-0x00000000013FC000-memory.dmp themida behavioral1/memory/4756-144-0x0000000000540000-0x00000000013FC000-memory.dmp themida -
Processes:
Roles_External.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Roles_External.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
Roles_External.exepid process 4756 Roles_External.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Roles_External.exepid process 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe 4756 Roles_External.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Roles_External.exedescription pid process Token: SeDebugPrivilege 4756 Roles_External.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Roles_External.exe"C:\Users\Admin\AppData\Local\Temp\Roles_External.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4756
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4756-133-0x0000000000540000-0x00000000013FC000-memory.dmpFilesize
14.7MB
-
memory/4756-136-0x0000000000540000-0x00000000013FC000-memory.dmpFilesize
14.7MB
-
memory/4756-137-0x0000000000540000-0x00000000013FC000-memory.dmpFilesize
14.7MB
-
memory/4756-138-0x0000000005D10000-0x0000000005DA2000-memory.dmpFilesize
584KB
-
memory/4756-139-0x0000000005B50000-0x0000000005B62000-memory.dmpFilesize
72KB
-
memory/4756-140-0x0000000006360000-0x0000000006904000-memory.dmpFilesize
5.6MB
-
memory/4756-141-0x0000000005C60000-0x0000000005C70000-memory.dmpFilesize
64KB
-
memory/4756-144-0x0000000000540000-0x00000000013FC000-memory.dmpFilesize
14.7MB