70d729c98212356bda5b956024d31190c04c54de0166264db7a783f805ddbfc6

General

Target

68c1087dc475b65907ffdf8e4353260c.exe
Size

6.3MB
MD5

68c1087dc475b65907ffdf8e4353260c
SHA1

64ff3fea47709e563a65da87f4f6528f6e82c838
SHA256

70d729c98212356bda5b956024d31190c04c54de0166264db7a783f805ddbfc6
SHA512

af06f39580315d222f076accacbfee1b5d5e4866a248b8f19c24ef0e3dd95cc1a68ecc8538b0750b182f1caab3348e45c6be9457b37a74d5058e99f2057ae726
SSDEEP

196608:eS3YdGvLDKwjQlbqQKC3aJ7ufuDmeyvv2RAxDe0zMvh:eh4z2wjQlbqQKC3M7ufWkvkh

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	68c1087dc475b65907ffdf8e4353260c.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	68c1087dc475b65907ffdf8e4353260c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	68c1087dc475b65907ffdf8e4353260c.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	68c1087dc475b65907ffdf8e4353260c.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2644	68c1087dc475b65907ffdf8e4353260c.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\66\ComDlg	68c1087dc475b65907ffdf8e4353260c.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\66	68c1087dc475b65907ffdf8e4353260c.exe

Runs net.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2644	68c1087dc475b65907ffdf8e4353260c.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2704	2644	68c1087dc475b65907ffdf8e4353260c.exe	34
PID 2644 wrote to memory of 2704	2644	68c1087dc475b65907ffdf8e4353260c.exe	34
PID 2644 wrote to memory of 2704	2644	68c1087dc475b65907ffdf8e4353260c.exe	34
PID 2704 wrote to memory of 2760	2704	cmd.exe	28
PID 2704 wrote to memory of 2760	2704	cmd.exe	28
PID 2704 wrote to memory of 2760	2704	cmd.exe	28
PID 2760 wrote to memory of 2764	2760	net.exe	33
PID 2760 wrote to memory of 2764	2760	net.exe	33
PID 2760 wrote to memory of 2764	2760	net.exe	33
PID 2644 wrote to memory of 2776	2644	68c1087dc475b65907ffdf8e4353260c.exe	32
PID 2644 wrote to memory of 2776	2644	68c1087dc475b65907ffdf8e4353260c.exe	32
PID 2644 wrote to memory of 2776	2644	68c1087dc475b65907ffdf8e4353260c.exe	32
PID 2644 wrote to memory of 2056	2644	68c1087dc475b65907ffdf8e4353260c.exe	31
PID 2644 wrote to memory of 2056	2644	68c1087dc475b65907ffdf8e4353260c.exe	31
PID 2644 wrote to memory of 2056	2644	68c1087dc475b65907ffdf8e4353260c.exe	31
PID 2056 wrote to memory of 2820	2056	cmd.exe	29
PID 2056 wrote to memory of 2820	2056	cmd.exe	29
PID 2056 wrote to memory of 2820	2056	cmd.exe	29
PID 2644 wrote to memory of 2708	2644	68c1087dc475b65907ffdf8e4353260c.exe	30
PID 2644 wrote to memory of 2708	2644	68c1087dc475b65907ffdf8e4353260c.exe	30
PID 2644 wrote to memory of 2708	2644	68c1087dc475b65907ffdf8e4353260c.exe	30

C:\Users\Admin\AppData\Local\Temp\68c1087dc475b65907ffdf8e4353260c.exe
"C:\Users\Admin\AppData\Local\Temp\68c1087dc475b65907ffdf8e4353260c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c w32tm /resync
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net start w32time
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704

C:\Windows\system32\net.exe
net start w32time
1⤵
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 start w32time
  2⤵
  PID:2764

C:\Windows\system32\w32tm.exe
w32tm /resync
1⤵
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2644-0-0x000000013FFD0000-0x000000014101E000-memory.dmp

Filesize
16.3MB

Download
memory/2644-1-0x0000000077810000-0x00000000779B9000-memory.dmp

Filesize
1.7MB

Download
memory/2644-2-0x000000013FFD0000-0x000000014101E000-memory.dmp

Filesize
16.3MB

Download
memory/2644-3-0x000000013FFD0000-0x000000014101E000-memory.dmp

Filesize
16.3MB

Download
memory/2644-4-0x000000013FFD0000-0x000000014101E000-memory.dmp

Filesize
16.3MB

Download
memory/2644-5-0x000000013FFD0000-0x000000014101E000-memory.dmp

Filesize
16.3MB

Download
memory/2644-6-0x000000013FFD0000-0x000000014101E000-memory.dmp

Filesize
16.3MB

Download
memory/2644-7-0x000000013FFD0000-0x000000014101E000-memory.dmp

Filesize
16.3MB

Download
memory/2644-9-0x0000000077810000-0x00000000779B9000-memory.dmp

Filesize
1.7MB

Download
memory/2644-10-0x000000013FFD0000-0x000000014101E000-memory.dmp

Filesize
16.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads