Overview

overview

9

Static

static

1

Updater.exe

windows10-1703-x64

9

Updater.exe

windows10-2004-x64

9

Updater.exe

windows11-21h2-x64

9

Analysis

  • max time kernel
    1199s
  • max time network
    1159s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28/02/2024, 18:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Updater.exe

  • Size

    1023KB

  • MD5

    67e741557eaa3124261105bff38bc62a

  • SHA1

    a2a0543d6b61ac0a9380cb6d64f78b16951912e0

  • SHA256

    b2e6a04435ab8d41a5a259072b6c29dec30caa05ed1ec2a8bae2b2670573981e

  • SHA512

    ce95336095b5a6f3faef4944794fd8cc7fda5b5f9db31c3211532a7c03b3c94106978bcbb5de4a5fdbd06024ec90215b1b7fd6fa816309907073e7da6a55522f

  • SSDEEP

    12288:oVDH4arSas0SRUXA5S9ZgvlZW9AxBK8ctBGOKLDcEHDqYocAXrexgPlBo8Ker5+m:24arTs0S2Q5SgitBj+RacAXUUBLeJ4/

Score
9/10
evasionpersistencetrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Blocklisted process makes network request 3 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 2 IoCs
  • Registers COM server for autorun 1 TTPs 7 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Updater.exe
    "C:\Users\Admin\AppData\Local\Temp\Updater.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3184
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Registers COM server for autorun
        • Adds Run key to start application
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4960
        • C:\Windows\SysWOW64\cleanmgr.exe
          "C:\Windows\SysWOW64\cleanmgr.exe" /verylowdisk
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Loads dropped DLL
          • Registers COM server for autorun
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1648
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\CleanUp.dll,DiskCleaner
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Blocklisted process makes network request
            • Checks BIOS information in registry
            • Loads dropped DLL
            • Registers COM server for autorun
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            PID:2092
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\explorer.exe > nul
          4⤵
            PID:1708

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\45eae718
      Filesize

      4.8MB

      MD5

      985811bb4bd004d01527b1359036a8b8

      SHA1

      675a8135a37b3fd4838b719a98ac8aee9820672f

      SHA256

      06c49d820a32ea3e1d02e7b77100178a9c1d897b68e6d6c03703d129bdf0aa8d

      SHA512

      5b9f906facf31a12710f9ba74392d8ed745890d4ddeb71c9448204cdd5cf15e05c06fef0a14962c263625b48e5a09c2a32a195314def4cef089f25e7632401c6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CleanUp.dll
      Filesize

      3.8MB

      MD5

      0e94ab4c25860bc49f096464ec3afbf4

      SHA1

      0270b4f33984f2a70e8667bcb98b0cf3b74fdd79

      SHA256

      00248e85582157b9af1f5a3b05fc90134d3f433347b0dc31aa3d185d6595cb7b

      SHA512

      aa28d97839f9953c2649ef552ba549cc94abb86cf39a62af81be755494e87eda65244a9ce220d04ef555360637b24592162f9c9f2e718b1daf1fd5a53c7f4a95

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CleanUp.dll
      Filesize

      3.9MB

      MD5

      e2715eea093952fe0f86212acc67c54a

      SHA1

      f859f8db122bfb7ac742639d4cf44167f70e44ce

      SHA256

      26f213e18d20aba53ef25ef1064434474c1bf563a1671217698177177603950f

      SHA512

      34a5dfb4c726e208159983040c0ae91e859a215080624bac1e0f9357cfe3cc6d5f5203b774fe3e881622e80c890e8ef54880109ccd348245a535e30fe870cca2

      Download Submit

    • memory/1208-11-0x0000000073DF0000-0x0000000075107000-memory.dmp

      Filesize

      19.1MB

      Download

    • memory/1208-6-0x00007FFE0ACA0000-0x00007FFE0AEA9000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1208-8-0x0000000073DF0000-0x0000000075107000-memory.dmp

      Filesize

      19.1MB

      Download

    • memory/1208-9-0x0000000073DF0000-0x0000000075107000-memory.dmp

      Filesize

      19.1MB

      Download

    • memory/1648-32-0x0000000066840000-0x0000000067079000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1648-33-0x0000000003110000-0x0000000003111000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1648-34-0x0000000010000000-0x000000001007D000-memory.dmp

      Filesize

      500KB

      Download

    • memory/1648-29-0x0000000066840000-0x0000000067079000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1648-31-0x0000000066840000-0x0000000067079000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1648-30-0x0000000066840000-0x0000000067079000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1648-39-0x0000000066840000-0x0000000067079000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1648-40-0x00000000032F0000-0x0000000003303000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1648-24-0x0000000077426000-0x0000000077428000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1648-25-0x0000000066840000-0x0000000067079000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1648-26-0x0000000066840000-0x0000000067079000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1648-27-0x0000000066840000-0x0000000067079000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1648-28-0x0000000066840000-0x0000000067079000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2092-46-0x0000000066840000-0x0000000067079000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2092-48-0x0000000066840000-0x0000000067079000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2092-59-0x0000000066840000-0x0000000067079000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2092-58-0x00000000028F0000-0x0000000002903000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2092-57-0x0000000066840000-0x0000000067079000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2092-52-0x0000000010000000-0x000000001007D000-memory.dmp

      Filesize

      500KB

      Download

    • memory/2092-51-0x0000000066840000-0x0000000067079000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2092-50-0x0000000066840000-0x0000000067079000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2092-44-0x0000000066840000-0x0000000067079000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2092-45-0x0000000066840000-0x0000000067079000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2092-49-0x0000000066840000-0x0000000067079000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2092-47-0x0000000066840000-0x0000000067079000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/3184-1-0x00007FFDE8EE0000-0x00007FFDEA580000-memory.dmp

      Filesize

      22.6MB

      Download

    • memory/3184-2-0x00007FFDE8EE0000-0x00007FFDEA580000-memory.dmp

      Filesize

      22.6MB

      Download

    • memory/3184-3-0x00007FFDE8EE0000-0x00007FFDEA580000-memory.dmp

      Filesize

      22.6MB

      Download

    • memory/4960-21-0x0000000001200000-0x0000000001643000-memory.dmp

      Filesize

      4.3MB

      Download

    • memory/4960-12-0x00007FFE0ACA0000-0x00007FFE0AEA9000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4960-13-0x0000000001200000-0x0000000001643000-memory.dmp

      Filesize

      4.3MB

      Download

    • memory/4960-17-0x0000000000550000-0x000000000097C000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/4960-18-0x0000000001200000-0x0000000001643000-memory.dmp

      Filesize

      4.3MB

      Download