Analysis
- max time kernel: 23s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 12-02-2024 18:00
Behavioral task: behavioral1
- Sample: toteslegit.exe
- Resource: win7-20231215-en (windows7-x64)
- 6 signatures
- 150 seconds
General
- Target: toteslegit.exe
- Size: 3.9MB
- MD5: 0fe17c511fa812e99dbf307cf3763ce6
- SHA1: 4e8149a9c14fdf2492fd801d8d4f593d0547f9c2
- SHA256: 578628543bc775070cc17be084f85f0a0ac23a260b3af2c46e546e76a5f1527b
- SHA512: 9e9e0f509608245dc80ba60a1a4da6058a032994f9d5b076cb44c8942d1eda027bed964abe08cbf8cfd66fc5ff5d506c0d80c956b7989c464dea15dbd1dfbfe9
- SSDEEP: 98304:HDRtA0dje/D5x5Krjh3rO0e/iXA/8fjV+YDgdjwvOm/kPbbzJSb:bGD5cde/icMQugduOmMPbY
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: toteslegit.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: toteslegit.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: toteslegit.exe)

YARA rule matches (resource, yara_rule):
- behavioral1/memory/2252-0-0x0000000140000000-0x0000000140A4B000-memory.dmp: themida
- behavioral1/memory/2252-2-0x0000000140000000-0x0000000140A4B000-memory.dmp: themida
- behavioral1/memory/2252-3-0x0000000140000000-0x0000000140A4B000-memory.dmp: themida
- behavioral1/memory/2252-4-0x0000000140000000-0x0000000140A4B000-memory.dmp: themida
- behavioral1/memory/2252-5-0x0000000140000000-0x0000000140A4B000-memory.dmp: themida
- behavioral1/memory/2252-7-0x0000000140000000-0x0000000140A4B000-memory.dmp: themida
Checks whether UAC is enabled (1 IoC)
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: toteslegit.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
- PID 2252: toteslegit.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description, pid, process, target process):
- PID 2252 wrote to memory of 2416: toteslegit.exe -> WerFault.exe
- PID 2252 wrote to memory of 2416: toteslegit.exe -> WerFault.exe
- PID 2252 wrote to memory of 2416: toteslegit.exe -> WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\toteslegit.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\toteslegit.exe"
  PID: 2252
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2252 -s 100
    PID: 2416