Analysis

- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2023 13:30
Behavioral task: behavioral1

- Sample: 49037.exe
- Resource: win7-20230220-en
General

- Target: 49037.exe
- Size: 6.7MB
- MD5: b1f6556ce2648139c4faea68dd226520
- SHA1: 6bd326258e1536aa4a3a7a8bae18e8de5af69f9f
- SHA256: 397fbdb4b1a71350d390873d70ff32ff992ed73ce699b49794518fa93dfd5f20
- SHA512: 53428e7145472c4171d8fead376721cdf3b207ef27093b095fa3054863436b79a4d497e2a498c7e4e9af6f55edf24341e9d572c9f96ace20c2ee90c5c6db097f
- SSDEEP: 196608:e8DQkHOCvp51n5Zt/MA6zBH9Pe8bpQgdYYut5LgQ:39OMjZvm9xFQgdKtD
Signatures

- Suspicious use of NtCreateUserProcessOtherParentProcess (6 IoCs)
  description | pid | Process | procid_target
  - PID 4084 created 3144 | 4084 | 49037.exe | 55 (3 entries)
  - PID 1432 created 3144 | 1432 | updater.exe | 55 (3 entries)

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  description | ioc | Process
  - Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 49037.exe
  - Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | updater.exe

- XMRig Miner payload (8 IoCs)
  resource | yara_rule
  - behavioral2/memory/1432-185-0x00007FF6DA8E0000-0x00007FF6DB5CE000-memory.dmp | xmrig
  - behavioral2/memory/3504-{188,189,191,193,194,195,196}-0x00007FF75D820000-0x00007FF75E00F000-memory.dmp | xmrig (7 entries, one per dump)

- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 49037.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 49037.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | updater.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | updater.exe

- Executes dropped EXE (1 IoC)
  pid | Process
  - 1432 | updater.exe

- Themida packer (yara rule themida, 15 IoCs)
  resource | yara_rule
  - behavioral2/memory/4084-{133,134,135,136,137,138,157}-0x00007FF6ED810000-0x00007FF6EE4FE000-memory.dmp | themida (7 entries, one per dump)
  - behavioral2/files/0x000500000001db2d-158.dat | themida
  - behavioral2/memory/1432-{159,160,161,162,163,164,185}-0x00007FF6DA8E0000-0x00007FF6DB5CE000-memory.dmp | themida (7 entries, one per dump)

- Checks whether UAC is enabled (2 IoCs)
  description | ioc | Process
  - Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 49037.exe
  - Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  - 4084 | 49037.exe
  - 1432 | updater.exe

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  - PID 1432 set thread context of 3504 | 1432 | updater.exe | 110

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process (in report order)
  - 4084 | 49037.exe (4 entries)
  - 1840 | powershell.exe (2 entries)
  - 4084 | 49037.exe (2 entries)
  - 1432 | updater.exe (4 entries)
  - 4504 | powershell.exe (2 entries)
  - 1432 | updater.exe (2 entries)
  - 3504 | explorer.exe (remaining 48 entries)

- Suspicious behavior: LoadsDriver (1 IoC)
  pid | Process
  - 672 | Process not Found

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  - Token: SeShutdownPrivilege | 3892 | powercfg.exe
  - Token: SeCreatePagefilePrivilege | 3892 | powercfg.exe
  - Token: SeDebugPrivilege | 1840 | powershell.exe
  - Token: SeShutdownPrivilege | 1504 | powercfg.exe
  - Token: SeCreatePagefilePrivilege | 1504 | powercfg.exe
  - Token: SeShutdownPrivilege | 2344 | powercfg.exe
  - Token: SeCreatePagefilePrivilege | 2344 | powercfg.exe
  - Token: SeShutdownPrivilege | 2244 | powercfg.exe
  - Token: SeCreatePagefilePrivilege | 2244 | powercfg.exe
  - The following token sequence, all for pid 1840 powershell.exe, then appears twice in full and a third time up to SeDebugPrivilege (55 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

- Suspicious use of FindShellTrayWindow (55 IoCs)
  pid | Process
  - 3504 | explorer.exe (55 entries)

- Suspicious use of SendNotifyMessage (55 IoCs)
  pid | Process
  - 3504 | explorer.exe (55 entries)

- Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  - PID 4652 wrote to memory of 3892 | 4652 | cmd.exe | 93 (2 entries)
  - PID 4652 wrote to memory of 1504 | 4652 | cmd.exe | 94 (2 entries)
  - PID 4652 wrote to memory of 2344 | 4652 | cmd.exe | 95 (2 entries)
  - PID 4652 wrote to memory of 2244 | 4652 | cmd.exe | 96 (2 entries)
  - PID 4696 wrote to memory of 3840 | 4696 | cmd.exe | 106 (2 entries)
  - PID 4696 wrote to memory of 4072 | 4696 | cmd.exe | 107 (2 entries)
  - PID 4696 wrote to memory of 5000 | 4696 | cmd.exe | 108 (2 entries)
  - PID 4696 wrote to memory of 4996 | 4696 | cmd.exe | 109 (2 entries)
  - PID 1432 wrote to memory of 3504 | 1432 | updater.exe | 110

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3144
  - C:\Users\Admin\AppData\Local\Temp\49037.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\49037.exe"
    PID: 4084
    Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\cmd.exe
    Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    PID: 4652
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -hibernate-timeout-ac 0
      PID: 3892
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -hibernate-timeout-dc 0
      PID: 1504
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -standby-timeout-ac 0
      PID: 2344
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -standby-timeout-dc 0
      PID: 2244
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wwviaeydz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
    PID: 1840
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe
    Command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
    PID: 1676
  - C:\Windows\System32\cmd.exe
    Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    PID: 4696
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -hibernate-timeout-ac 0
      PID: 3840
    - C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -hibernate-timeout-dc 0
      PID: 4072
    - C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -standby-timeout-ac 0
      PID: 5000
    - C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -standby-timeout-dc 0
      PID: 4996
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wwviaeydz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
    PID: 4504
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe
    PID: 3504
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
  Command line: C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
  PID: 1432
  Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
Downloads