3ed7846a7c6517e3cdd5f964d9092bf4cd12aa949e017557809b1c0919c2746b

General

Target

Electron/Electron.exe
Size

4.1MB
MD5

9dd5ee5f8f58e4205ebe25ca7a356219
SHA1

7365b4096294b791b173803ddfd768186521793f
SHA256

46797e761cfacad8b3b3fddf4990b0b55f87a0ab76b8d949818ff7904744e0eb
SHA512

b38724047946ec37605beeacb165de185e8e360682ccda28351033ab7ee13408165791f2030469b98347dad038b9ff776c6392ffd57526a8c120272012513a1c
SSDEEP

98304:YEc1bNmfyMj4guXdLdiXx+Rton9QTj53C8f93S8b+m9axAm:YhNmaMj4gCwxwton0jNeGmA

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Electron.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Electron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Electron.exe

Loads dropped DLL 2 IoCs

pid	Process
2012	Electron.exe
2012	Electron.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Electron.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2012	Electron.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
884	2012	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2012	Electron.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	812	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	812	AUDIODG.EXE
Token: 33	812	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	812	AUDIODG.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 884	2012	Electron.exe	32
PID 2012 wrote to memory of 884	2012	Electron.exe	32
PID 2012 wrote to memory of 884	2012	Electron.exe	32
PID 2012 wrote to memory of 884	2012	Electron.exe	32

C:\Users\Admin\AppData\Local\Temp\Electron\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron\Electron.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 2712
  2⤵
  - Program crash
  PID:884

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1972

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Electron\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
\Users\Admin\AppData\Local\Temp\Electron\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
memory/2012-71-0x00000000004D0000-0x00000000004DA000-memory.dmp

Filesize
40KB

Download
memory/2012-67-0x0000000001050000-0x0000000001A8C000-memory.dmp

Filesize
10.2MB

Download
memory/2012-68-0x0000000005590000-0x00000000055D0000-memory.dmp

Filesize
256KB

Download
memory/2012-69-0x00000000051C0000-0x000000000530A000-memory.dmp

Filesize
1.3MB

Download
memory/2012-54-0x0000000001050000-0x0000000001A8C000-memory.dmp

Filesize
10.2MB

Download
memory/2012-72-0x00000000004D0000-0x00000000004DA000-memory.dmp

Filesize
40KB

Download
memory/2012-66-0x0000000001050000-0x0000000001A8C000-memory.dmp

Filesize
10.2MB

Download
memory/2012-76-0x00000000058B0000-0x000000000591C000-memory.dmp

Filesize
432KB

Download
memory/2012-65-0x0000000001050000-0x0000000001A8C000-memory.dmp

Filesize
10.2MB

Download
memory/2012-78-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/2012-79-0x0000000005590000-0x00000000055D0000-memory.dmp

Filesize
256KB

Download
memory/2012-82-0x0000000001050000-0x0000000001A8C000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads