Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
24/12/2023, 22:25
Behavioral task
behavioral1
Sample
1590729c0c494bec67b052487014a86c.exe
Resource
win7-20231129-en
8 signatures
150 seconds
General
-
Target
1590729c0c494bec67b052487014a86c.exe
-
Size
3.1MB
-
MD5
1590729c0c494bec67b052487014a86c
-
SHA1
2d5136099868b71fbe2f5d09a869d3925ec6a72d
-
SHA256
077a1cd138704282434ff2f6dd2084592f23da9ee1f0408a98f30c3cec87b910
-
SHA512
78e0fc06afc512b76b74b59d893725a3eca65462585a19d063c831f22002bedade824ab59655bc3c31d6c8cd3e7d7b8d8a1cc6cde05a2962caadf5b44a1fc9bc
-
SSDEEP
98304:j8UqoYQv9A6mjUCn9Phrc1SGnh5mcSaxzL1:j/DYcDmjUC9DOcyv1
Malware Config
Signatures
-
SectopRAT payload 2 IoCs
resource yara_rule behavioral2/memory/5612-11-0x0000000000A40000-0x000000000134A000-memory.dmp family_sectoprat behavioral2/memory/5612-10-0x0000000000A40000-0x000000000134A000-memory.dmp family_sectoprat -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1590729c0c494bec67b052487014a86c.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1590729c0c494bec67b052487014a86c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1590729c0c494bec67b052487014a86c.exe -
resource yara_rule behavioral2/memory/5612-11-0x0000000000A40000-0x000000000134A000-memory.dmp themida behavioral2/memory/5612-10-0x0000000000A40000-0x000000000134A000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1590729c0c494bec67b052487014a86c.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 5612 1590729c0c494bec67b052487014a86c.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5612 1590729c0c494bec67b052487014a86c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1590729c0c494bec67b052487014a86c.exe"C:\Users\Admin\AppData\Local\Temp\1590729c0c494bec67b052487014a86c.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:5612