Analysis
- max time kernel: 23s
- max time network: 17s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 02/03/2024, 16:43
Behavioral task: behavioral1
- Sample: Build.exe
- Resource: win11-20240221-en
General
- Target: Build.exe
- Size: 11.9MB
- MD5: 2fbf75fbac01d42161fdeb6adbd0d979
- SHA1: 3ef5530a433923276191eec8d98aa462194aa829
- SHA256: 8eeda0849b8bffc5d26ee56f02162f2e75e4271c4257c309197f3645fac47c03
- SHA512: 1c208f3a5202c578e6f70474566f0929954b5678215ad962f84a7febee1b9c7a0a1cc3040763192a3ed9ebdf395bd9aa113ee313bf6f951973a717fec423472d
- SSDEEP: 196608:AFH/xtSYJodEawY/7HPjloM1LiUIX099RYU9ptAzvZaZoM2S5HQoFKArPWug0Vg:AFfxtjJ/an7HPZ12TE99R3zmhbShKArI
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Build.exe)
- Creates new service(s) (1 TTP)
- Drops file in Drivers directory (1 IoC)
  File created: C:\Windows\system32\drivers\etc\hosts (Setup.exe)
- Stops running service(s) (3 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Build.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Build.exe)
- Executes dropped EXE (3 IoCs)
  PID 4224 Setup.exe; PID 2336 Updater.exe; PID 4884 kvkinxkledtt.exe
- YARA rule match: themida
  behavioral1/memory/4916-0-0x0000000000400000-0x000000000141D000-memory.dmp
  behavioral1/memory/4916-82-0x0000000000400000-0x000000000141D000-memory.dmp
- Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Build.exe)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 1: icanhazip.com; flow 3: ipinfo.io; flow 4: ipinfo.io
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\system32\MRT.exe (Setup.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  PID 4916 Build.exe; PID 4224 Setup.exe (3 times)
- Suspicious use of SetThreadContext (1 IoC)
  PID 4224 (Setup.exe) set thread context of 3968 (procid_target 105)
- Launches sc.exe (9 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  PIDs 1236, 4492, 3512, 1188, 4248, 3548, 4808, 5100, 4028 (sc.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Build.exe)
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  PID 4916 Build.exe (2 times); PID 4224 Setup.exe (16 times); PID 3360 powershell.exe (2 times); PID 3968 dialer.exe (4 times)
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Token SeDebugPrivilege: PID 2336 Updater.exe; PID 3360 powershell.exe; PID 4224 Setup.exe; PID 3968 dialer.exe
  Tokens SeShutdownPrivilege and SeCreatePagefilePrivilege (both per process): PID 2388, 3600, 4508, 2044 (powercfg.exe)
- Suspicious use of WriteProcessMemory (32 IoCs)
  PID 4916 Build.exe wrote to memory of 4224 (procid_target 81, 2 times) and of 2336 (procid_target 82, 3 times)
  PID 2656 cmd.exe wrote to memory of 4124 (procid_target 91, 2 times)
  PID 4224 Setup.exe wrote to memory of 3968 (procid_target 105, 7 times)
  PID 3968 dialer.exe wrote to memory of 608 (procid_target 5), 692 (7), 992 (12), 424 (13), 548 (14), 420 (15), 1040 (16)
  PID 692 lsass.exe wrote to memory of 2692 (procid_target 44, 11 times)
Processes (indentation shows parent/child relationship; each entry is image path | command line | PID)
- C:\Windows\system32\winlogon.exe | winlogon.exe | PID 608
  - C:\Windows\system32\dwm.exe | "dwm.exe" | PID 424
- C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID 692
  Signatures: Suspicious use of WriteProcessMemory
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID 992
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID 548
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID 420
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | PID 1040
- C:\Windows\sysmon.exe | C:\Windows\sysmon.exe | PID 2692
- C:\Users\Admin\AppData\Local\Temp\Build.exe | "C:\Users\Admin\AppData\Local\Temp\Build.exe" | PID 4916
  Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Setup.exe | "C:\Users\Admin\AppData\Local\Temp\Setup.exe" | PID 4224
    Signatures: Drops file in Drivers directory; Executes dropped EXE; Drops file in System32 directory; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force | PID 3360
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart | PID 2656
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart | PID 4124
    - C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc | PID 5100
      Signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc | PID 1236
      Signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv | PID 4492
      Signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits | PID 4028
      Signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc | PID 3512
      Signatures: Launches sc.exe
    - C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 | PID 2388
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 | PID 2044
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 | PID 3600
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 | PID 4508
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | PID 3968
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "WindowsComplite" | PID 1188
      Signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "WindowsComplite" binpath= "C:\ProgramData\hmtufamemhvn\kvkinxkledtt.exe" start= "auto" | PID 4248
      Signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog | PID 4808
      Signatures: Launches sc.exe
    - C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "WindowsComplite" | PID 3548
      Signatures: Launches sc.exe
  - C:\Users\Admin\AppData\Local\Temp\Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Updater.exe" | PID 2336
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\hmtufamemhvn\kvkinxkledtt.exe | C:\ProgramData\hmtufamemhvn\kvkinxkledtt.exe | PID 4884
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads