Analysis
-
max time kernel
7s -
max time network
11s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
04/07/2023, 05:36
General
-
Target
svchost.exe
-
Size
7.1MB
-
MD5
716c1920c48cf67eb21212edea8ba36d
-
SHA1
9427c93730422107832f42c1c7f34a1dd21dadb8
-
SHA256
1a5ef68208365f3575fb08d6fba84b3a8a6564cec61db97279a8574522defe7c
-
SHA512
5374086c6cb5171e42399077fbb37160be3f879c1d706f5fd9882272555d83aacf788d3b5e354f8c2c4b5209b42b7cedf1cc8bfa93182e257e915cd82b230746
-
SSDEEP
196608:hDcUG4raKu24YY7HVT4hV0AD6QgqKRgX:HmKr4YYH+EUWpgX
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe -
Loads dropped DLL 1 IoCs
pid Process 4724 svchost.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/memory/4724-133-0x0000000000970000-0x000000000108E000-memory.dmp agile_net -
resource yara_rule behavioral1/files/0x0008000000023225-139.dat themida behavioral1/files/0x0008000000023225-137.dat themida behavioral1/memory/4724-140-0x00007FFC93260000-0x00007FFC93DE4000-memory.dmp themida behavioral1/memory/4724-142-0x00007FFC93260000-0x00007FFC93DE4000-memory.dmp themida behavioral1/memory/4724-144-0x00007FFC93260000-0x00007FFC93DE4000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 4724 svchost.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4168 4724 WerFault.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4724 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4724 -s 14842⤵
- Program crash
PID:4168
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 436 -p 4724 -ip 47241⤵PID:2380
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.2MB
MD505b012457488a95a05d0541e0470d392
SHA174f541d6a8365508c794ef7b4ac7c297457f9ce3
SHA2561f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d
SHA5126d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6
-
Filesize
4.2MB
MD505b012457488a95a05d0541e0470d392
SHA174f541d6a8365508c794ef7b4ac7c297457f9ce3
SHA2561f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d
SHA5126d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6