Analysis
max time kernel: 151s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/05/2023, 20:19
Behavioral tasks
- behavioral1: Sample InvChanger/InvChanger.dll, Resource win7-20230220-en
- behavioral2: Sample InvChanger/InvChanger.dll, Resource win10v2004-20230220-en
- behavioral3: Sample InvChanger/injector_imgui.exe, Resource win7-20230220-en
General
Target: InvChanger/injector_imgui.exe
Size: 3.4MB
MD5: 00b703e2dd4b6080d4dcec7cab4373d6
SHA1: 78a9621f44be60150f784b68c2e4367af07a3d1a
SHA256: 2a673052ee30c8193ff3e03be32f980452e63695211080ab0513d84106db443c
SHA512: f0164eabdaed93be1218e5b68bfe86a025c0498585bc0d3b5057b8ebd58935330e338be06cfd6965863b0af9cc86298d935fe2f0ce3ed5bf3e576c812cde4d9f
SSDEEP: 98304:Jt4igwu/cqS8jQ+zRwLjwqzMznCYG0U78p:JicqS4Q+Vw3VGG0a8p
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 1 IoCs
  description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__; Process: injector_imgui.exe
- Checks BIOS information in registry | 2 TTPs | 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion; Process: injector_imgui.exe
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion; Process: injector_imgui.exe
- yara_rule themida (20 memory-dump matches, all in PID 3764 at 0x0000000000D80000-0x000000000159B000)
  resource: behavioral4/memory/3764-N-0x0000000000D80000-0x000000000159B000-memory.dmp, for N in 133, 134, 136, 137, 138, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166
- Checks whether UAC is enabled
  description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Process: injector_imgui.exe
- Suspicious behavior: EnumeratesProcesses | 64 IoCs
  pid: 3764; Process: injector_imgui.exe (64 entries, all the same pid and process)
- Suspicious behavior: GetForegroundWindowSpam | 1 IoCs
  pid: 3764; Process: injector_imgui.exe
- Suspicious use of AdjustPrivilegeToken | 1 IoCs
  description: Token: SeDebugPrivilege; pid: 3764; Process: injector_imgui.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\InvChanger\injector_imgui.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\InvChanger\injector_imgui.exe"
  PID: 3764
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\3BE49DB41453FA8CD85E7B49F6C27A127813995F08346D443579AD1A3E8BBDD000[1].blob
  Filesize: 1.6MB
  MD5: 1783ed29e40fb68b6854166f0cb5e3a2
  SHA1: 2b39cf51e4dc37dda5b261d8be6685f79a8a62ce
  SHA256: a8d9cb62596c85e3c48d259f941123cee62a3e7fa39f8aae3bfa88f671bad48f
  SHA512: 5db332e607a003f2aae739ee256fac927a5c3ea30593aa6cd605dff9fef6586ce62c8fa3c2384ddb5cf9bfcadec73866a840bb3375597bea39588d8faa7ee46d