Analysis
max time kernel: 145s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 13:06
Behavioral task: behavioral1
Sample: 207edd157e24f3734afd180e1694343c.exe
Resource: win7-20231215-en
8 signatures
150 seconds
General
Target: 207edd157e24f3734afd180e1694343c.exe
Size: 5.9MB
MD5: 207edd157e24f3734afd180e1694343c
SHA1: 283045edf6f12bf83f8223232b56e9a421208205
SHA256: 4f1079dd720aa2726a64bd23f3c30c449078f2f1a26648fad9bada31ee335c74
SHA512: 5b6259a1030cb72fc5b9fcfbd8cb421f0c978c352432acc28e4fc7d097fd3912391237edb8fa04505d95b47e6f4890614dd2e8a61b147f761a51a304d4c0cadc
SSDEEP: 98304:H1sAL7rKX/+DNcLxU1UHU3uOQnWz99EWZnPqiki/QPcal3jhAZ4ZTv1mJlHdJNIZ:/7ruGRcLai0wnWzHZnPq0ccaNhAZ4ZRj
Malware Config
Signatures

SectopRAT payload (2 IoCs)
  resource: behavioral2/memory/2992-12-0x0000000000700000-0x000000000168E000-memory.dmp  yara_rule: family_sectoprat
  resource: behavioral2/memory/2992-13-0x0000000000700000-0x000000000168E000-memory.dmp  yara_rule: family_sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description: Key opened  ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  Process: 207edd157e24f3734afd180e1694343c.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  Process: 207edd157e24f3734afd180e1694343c.exe
  description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Process: 207edd157e24f3734afd180e1694343c.exe

  resource: behavioral2/memory/2992-12-0x0000000000700000-0x000000000168E000-memory.dmp  yara_rule: themida
  resource: behavioral2/memory/2992-13-0x0000000000700000-0x000000000168E000-memory.dmp  yara_rule: themida

Checks whether UAC is enabled
  description: Key value queried  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Process: 207edd157e24f3734afd180e1694343c.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid: 2992  Process: 207edd157e24f3734afd180e1694343c.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege  pid: 2992  Process: 207edd157e24f3734afd180e1694343c.exe
Processes

C:\Users\Admin\AppData\Local\Temp\207edd157e24f3734afd180e1694343c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\207edd157e24f3734afd180e1694343c.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2992