Analysis
-
max time kernel
140s -
max time network
31s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
20-03-2023 20:37
Behavioral task
behavioral1
Sample
Android.Physical.NET.exe
Resource
win7-20230220-en
windows7-x64
7 signatures
150 seconds
General
-
Target
Android.Physical.NET.exe
-
Size
4.8MB
-
MD5
dae3dd705e0a212341bc87e802e33d78
-
SHA1
7a1f623c240e9e234f60fb398f5dc76ac7ff1abd
-
SHA256
801ff04c7991bc26427b68f575aa7c6e6b77930b9cadeb3617fe6c6cedb1e67d
-
SHA512
ac8849adfbf59551f9d6bad64d231d4aa1c8d21a46bd225ac5aab96f4e4d27b3634529223bcbc103cb905685471ca12e5c07f2105160f4978bfe92340ee79b4b
-
SSDEEP
98304:AWwOKgOLG3MR6HlLIG73MhX8qXEdbyWKQil51NN0z:qOBPl8GK8q22WGNNs
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  Processes:
  description   ioc                                          process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  Android.Physical.NET.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description         ioc                                                              process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Android.Physical.NET.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Android.Physical.NET.exe
- YARA rule match: themida
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1396-54-0x0000000000F40000-0x0000000001B40000-memory.dmp   themida
  behavioral1/memory/1396-55-0x0000000000F40000-0x0000000001B40000-memory.dmp   themida
- Checks whether UAC is enabled 1 IoCs
  Processes:
  description         ioc                                                                              process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Android.Physical.NET.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes:
  pid    process
  1396   Android.Physical.NET.exe
- Program crash 1 IoCs
  Processes:
  pid    pid_target   process        target process
  2012   1396         WerFault.exe   Android.Physical.NET.exe
- Suspicious use of WriteProcessMemory 3 IoCs
  Processes:
  description                          pid    process                    target process
  PID 1396 wrote to memory of 2012     1396   Android.Physical.NET.exe   WerFault.exe
  PID 1396 wrote to memory of 2012     1396   Android.Physical.NET.exe   WerFault.exe
  PID 1396 wrote to memory of 2012     1396   Android.Physical.NET.exe   WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Android.Physical.NET.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Android.Physical.NET.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exe (child of PID 1396)
Command line: C:\Windows\system32\WerFault.exe -u -p 1396 -s 548
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1396-54-0x0000000000F40000-0x0000000001B40000-memory.dmp
Filesize: 12.0MB
-
memory/1396-55-0x0000000000F40000-0x0000000001B40000-memory.dmp
Filesize: 12.0MB
-
memory/1396-56-0x00000000005F0000-0x00000000005F1000-memory.dmp
Filesize: 4KB
-
memory/1396-57-0x000007FE80010000-0x000007FE80011000-memory.dmp
Filesize: 4KB
-
memory/1396-59-0x0000000000F40000-0x0000000001B40000-memory.dmp
Filesize: 12.0MB