Analysis Overview
SHA256
8eeda0849b8bffc5d26ee56f02162f2e75e4271c4257c309197f3645fac47c03
Threat Level: Likely malicious
The file Build.exe was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Creates new service(s)
Drops file in Drivers directory
Stops running service(s)
Checks BIOS information in registry
Themida packer
Executes dropped EXE
Checks whether UAC is enabled
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 16:43
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 16:43
Reported
2024-03-02 16:50
Platform
win11-20240221-en
Max time kernel
23s
Max time network
17s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Updater.exe | N/A |
| N/A | N/A | C:\ProgramData\hmtufamemhvn\kvkinxkledtt.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4224 set thread context of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\system32\dialer.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Updater.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\dialer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc |
| C:\Windows\sysmon.exe | C:\Windows\sysmon.exe |
| C:\Users\Admin\AppData\Local\Temp\Build.exe | "C:\Users\Admin\AppData\Local\Temp\Build.exe" |
| C:\Users\Admin\AppData\Local\Temp\Setup.exe | "C:\Users\Admin\AppData\Local\Temp\Setup.exe" |
| C:\Users\Admin\AppData\Local\Temp\Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Updater.exe" |
| C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc |
| C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 |
| C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "WindowsComplite" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "WindowsComplite" binpath= "C:\ProgramData\hmtufamemhvn\kvkinxkledtt.exe" start= "auto" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "WindowsComplite" |
| C:\ProgramData\hmtufamemhvn\kvkinxkledtt.exe | C:\ProgramData\hmtufamemhvn\kvkinxkledtt.exe |
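Read as a chain, the process list above is a defence-tamper and persistence sequence: a Defender exclusion for the user profile and ProgramData, removal of the Malicious Software Removal Tool package (KB890830), stopping the update-related services, disabling sleep and hibernation, installing a service whose binary sits under C:\ProgramData, and stopping the event log before starting it. The following Python is an added example, not part of the sandbox output: it replays constructed process-creation events modelled on those command lines (PIDs are hypothetical, and an extra benign `sc.exe query` is included as a control) and tags each step a detection engineer would alert on.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int        # hypothetical PID for the example, not the sandbox's
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    tag: str
    detail: str


# Services the sample stops before installing itself (Windows Update,
# the update medic, BITS and Delivery Optimization).
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
# Directories a normal user (or anything it runs) can write to; a service
# binary living here is a persistence red flag.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

SC_RE = re.compile(r'\bsc(?:\.exe)?\s+(stop|delete|create|start)\s+"?([^"\s]+)"?', re.I)
BINPATH_RE = re.compile(r'binpath=\s*(?:"([^"]+)"|(\S+))', re.I)
POWERCFG_RE = re.compile(r'-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0\b', re.I)
# KB890830 is the Malicious Software Removal Tool package.
MSRT_RE = re.compile(r'\bwusa\b.*/uninstall\b.*/kb:890830\b', re.I)


def analyse(events):
    """Tag each event that matches a tamper or persistence step."""
    findings = []
    for ev in events:
        img, cmd = ev.image.lower(), ev.cmdline
        low = cmd.lower()
        if img.endswith("powershell.exe") and "add-mppreference" in low and "exclusion" in low:
            findings.append(Finding(ev.pid, "defender_exclusion", cmd))
        if MSRT_RE.search(cmd):
            findings.append(Finding(ev.pid, "msrt_uninstall", cmd))
        if img.endswith("powercfg.exe") and POWERCFG_RE.search(cmd):
            findings.append(Finding(ev.pid, "sleep_disabled", cmd))
        if img.endswith("sc.exe"):
            m = SC_RE.search(cmd)
            if not m:
                continue  # e.g. "sc query": not one of the verbs we care about
            verb, svc = m.group(1).lower(), m.group(2)
            if verb == "stop" and svc.lower() in UPDATE_SERVICES:
                findings.append(Finding(ev.pid, "update_service_stopped", svc))
            elif verb == "stop" and svc.lower() == "eventlog":
                findings.append(Finding(ev.pid, "eventlog_stopped", svc))
            elif verb == "create":
                b = BINPATH_RE.search(cmd)
                path = (b.group(1) or b.group(2)) if b else ""
                if path.lower().startswith(USER_WRITABLE):
                    findings.append(Finding(ev.pid, "service_persistence", f"{svc} -> {path}"))
    return findings


def summarize(findings):
    """Count findings per tag."""
    return Counter(f.tag for f in findings)


# Constructed events modelled on the report's command lines (hypothetical PIDs).
SC = r"C:\Windows\system32\sc.exe"
PWR = r"C:\Windows\system32\powercfg.exe"
EVENTS = [
    ProcEvent(1001, r"C:\Users\Admin\AppData\Local\Temp\Setup.exe", r'"C:\Users\Admin\AppData\Local\Temp\Setup.exe"'),
    ProcEvent(1002, r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    ProcEvent(1003, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    ProcEvent(1004, r"C:\Windows\system32\wusa.exe", r"wusa /uninstall /kb:890830 /quiet /norestart"),
    ProcEvent(1005, SC, SC + " stop UsoSvc"),
    ProcEvent(1006, SC, SC + " stop WaaSMedicSvc"),
    ProcEvent(1007, SC, SC + " stop wuauserv"),
    ProcEvent(1008, SC, SC + " stop bits"),
    ProcEvent(1009, SC, SC + " stop dosvc"),
    ProcEvent(1010, PWR, PWR + " /x -hibernate-timeout-ac 0"),
    ProcEvent(1011, PWR, PWR + " /x -standby-timeout-dc 0"),
    ProcEvent(1012, SC, SC + ' delete "WindowsComplite"'),
    ProcEvent(1013, SC, SC + r' create "WindowsComplite" binpath= "C:\ProgramData\hmtufamemhvn\kvkinxkledtt.exe" start= "auto"'),
    ProcEvent(1014, SC, SC + " stop eventlog"),
    ProcEvent(1015, SC, SC + ' start "WindowsComplite"'),
    ProcEvent(1016, SC, SC + " query wuauserv"),  # benign control, must not fire
]

FINDINGS = analyse(EVENTS)
COUNTS = summarize(FINDINGS)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f.pid}\t{f.tag}\t{f.detail}")
```

Each tag maps to a single command line, so the same checks translate directly into process-creation rules (Sysmon event 1 or 4688 with command-line logging); the point of correlating them by parent is that none of these binaries is suspicious on its own, whereas the full set under one short-lived parent from %TEMP% is.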
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/4916-0-0x0000000000400000-0x000000000141D000-memory.dmp
memory/4916-1-0x0000000076F36000-0x0000000076F38000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Setup.exe
| MD5 | c97018b83acc1099cdd171647a50ec1f |
| SHA1 | 1acdb17298ee25d9042c79346cc53f72767e6607 |
| SHA256 | e49aec48358a65ac8d93539528d239cf5b9346e83efe7e67a8fa434283fa2d25 |
| SHA512 | 02c64c328a2fff1292c82ce270fcd173af85edf6db699b0d6a757c0ac233966d521f37d819c2a0a5f4ceeb44b9035914012548c28066fcfcdfd2a3942449f07b |
C:\Users\Admin\AppData\Local\Temp\Setup.exe
| MD5 | 5c3b30d8ade126aa1cd2d4f95bb5e659 |
| SHA1 | ba84942c79082c9a5b2515c0d68fa36c863f85e7 |
| SHA256 | 592b8a235160a8d998f488130bc2a7aeaf347932bac7ef5e11fd737dd9848f14 |
| SHA512 | e682a38d5d5a3251b62c9feedec442e78a2f23a1b6c7b8de40a33615eabdd90a1da8f1cfbc080b0b2c6cc71d090c48f11ff4e87934357fc6164544d0e5d3c2e3 |
C:\Users\Admin\AppData\Local\Temp\Setup.exe
| MD5 | a477518f3287d7e8aa1f977593474522 |
| SHA1 | 228448f0d6ba5898c89db2f52950459dd9cff996 |
| SHA256 | e7f7bdcbd8ea7cf8c4ff603967c92b8aa3959bede14f2e9dde0238fdca1222bc |
| SHA512 | cc8f7cab346fcc2d3a5d15e266a373edf99b31364824fbb1d857ca3aa70be1febb13e72a28e8cce3a6896b72764705d558621454e90c667fb0780397172b07ed |
C:\Users\Admin\AppData\Local\Temp\Updater.exe
| MD5 | 119381127de6ea7afbf03ee691fb77a0 |
| SHA1 | ad93c9fe7bb1552ea7b67d9449adceebd8b3e243 |
| SHA256 | c5bbcc2198bb876454a436f5e3a574e2b1ed5fac90e0afa34b23fccb4fe319a0 |
| SHA512 | 70a1ae0c09d31126516d08d0c0d62e0419a6c318728d995300f11a7090fbd1e5b17b3fbf9690e0d1d60af47395ceaf91402f4297953cd7e8b4606fe03fbf1465 |
C:\Users\Admin\AppData\Local\Temp\Updater.exe
| MD5 | d5ea67d392c23f20921d26cba0fdf284 |
| SHA1 | 572013524756c6323a198810cf63c32d90044f46 |
| SHA256 | 2e5a498e9299a5a6d7ca9d36def6d2f546812a34db0fe91528ab586dd9d07a18 |
| SHA512 | d5159344dd389c18f2d6ec9911a4a5a9b1240cefb88ab8bf8099f9ce3918915ccd39466ef750f3b3cafab2096e550e7fd07a8680780b7383f45c601603b49b7d |
memory/4916-82-0x0000000000400000-0x000000000141D000-memory.dmp
memory/4224-83-0x00007FF6EDF50000-0x00007FF6EF487000-memory.dmp
memory/4224-84-0x00007FF454680000-0x00007FF454A51000-memory.dmp
memory/2336-86-0x0000000000220000-0x000000000031C000-memory.dmp
memory/2336-88-0x0000000074330000-0x0000000074AE1000-memory.dmp
memory/4224-91-0x00007FF6EDF50000-0x00007FF6EF487000-memory.dmp
memory/2336-90-0x0000000004D30000-0x0000000004D40000-memory.dmp
memory/2336-92-0x0000000004DE0000-0x0000000004DFC000-memory.dmp
memory/2336-89-0x0000000004DC0000-0x0000000004DDA000-memory.dmp
memory/2336-87-0x0000000004D40000-0x0000000004DA4000-memory.dmp
memory/2336-93-0x0000000004EA0000-0x0000000004F32000-memory.dmp
memory/2336-94-0x0000000006090000-0x00000000060AE000-memory.dmp
memory/2336-95-0x0000000006210000-0x0000000006292000-memory.dmp
memory/2336-96-0x0000000006290000-0x00000000062B6000-memory.dmp
memory/2336-97-0x00000000062C0000-0x00000000062C8000-memory.dmp
memory/2336-98-0x00000000062F0000-0x00000000062F8000-memory.dmp
memory/2336-99-0x0000000006300000-0x000000000630A000-memory.dmp
memory/2336-100-0x0000000006340000-0x0000000006356000-memory.dmp
memory/2336-101-0x0000000006360000-0x000000000636A000-memory.dmp
memory/2336-102-0x0000000006390000-0x00000000063AE000-memory.dmp
memory/2336-103-0x0000000006480000-0x00000000064E6000-memory.dmp
memory/2336-104-0x0000000006D60000-0x0000000007306000-memory.dmp
memory/2336-106-0x00000000067B0000-0x00000000067BA000-memory.dmp
memory/2336-107-0x0000000006970000-0x0000000006A20000-memory.dmp
memory/2336-108-0x0000000006A50000-0x0000000006A72000-memory.dmp
memory/2336-109-0x0000000007310000-0x0000000007667000-memory.dmp
memory/2336-112-0x0000000074330000-0x0000000074AE1000-memory.dmp
memory/4224-113-0x00007FF6EDF50000-0x00007FF6EF487000-memory.dmp
memory/3360-119-0x00000243C77C0000-0x00000243C77E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lpax4tbk.qqt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3360-123-0x00007FF934570000-0x00007FF935032000-memory.dmp
memory/3360-124-0x00000243DFD10000-0x00000243DFD20000-memory.dmp
memory/3360-125-0x00000243DFD10000-0x00000243DFD20000-memory.dmp
memory/3360-126-0x00000243DFD10000-0x00000243DFD20000-memory.dmp
memory/4224-127-0x00007FF6EDF50000-0x00007FF6EF487000-memory.dmp
memory/3968-131-0x0000000140000000-0x000000014002B000-memory.dmp
memory/3968-132-0x0000000140000000-0x000000014002B000-memory.dmp
memory/3968-133-0x0000000140000000-0x000000014002B000-memory.dmp
memory/3968-134-0x0000000140000000-0x000000014002B000-memory.dmp
memory/3968-136-0x0000000140000000-0x000000014002B000-memory.dmp
memory/4224-138-0x00007FF454680000-0x00007FF454A51000-memory.dmp
memory/3968-137-0x00007FF955720000-0x00007FF955929000-memory.dmp
memory/3968-140-0x00007FF953C10000-0x00007FF953CCD000-memory.dmp
memory/3968-141-0x0000000140000000-0x000000014002B000-memory.dmp
memory/608-144-0x000001AF6DCF0000-0x000001AF6DD14000-memory.dmp
memory/692-147-0x000002AABEDD0000-0x000002AABEDFB000-memory.dmp
memory/608-146-0x000001AF6DD20000-0x000001AF6DD4B000-memory.dmp
memory/692-151-0x000002AABEDD0000-0x000002AABEDFB000-memory.dmp
memory/608-154-0x00007FF9557C4000-0x00007FF9557C5000-memory.dmp
memory/692-150-0x00007FF9157B0000-0x00007FF9157C0000-memory.dmp
memory/4224-153-0x00007FF6EDF50000-0x00007FF6EF487000-memory.dmp
memory/424-157-0x00000140812F0000-0x000001408131B000-memory.dmp
memory/992-160-0x00007FF9157B0000-0x00007FF9157C0000-memory.dmp
memory/992-156-0x0000027C20500000-0x0000027C2052B000-memory.dmp
memory/692-159-0x00007FF9557C3000-0x00007FF9557C4000-memory.dmp
memory/692-161-0x00007FF9557C4000-0x00007FF9557C5000-memory.dmp
memory/692-164-0x00007FF9557C6000-0x00007FF9557C7000-memory.dmp
memory/548-165-0x00007FF9157B0000-0x00007FF9157C0000-memory.dmp
memory/548-163-0x000002EAD0150000-0x000002EAD017B000-memory.dmp
memory/992-166-0x0000027C20500000-0x0000027C2052B000-memory.dmp
memory/424-168-0x00000140812F0000-0x000001408131B000-memory.dmp
memory/424-169-0x00007FF9557C3000-0x00007FF9557C4000-memory.dmp
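The memory dump names above carry the only per-process memory layout the report gives. Grouping them by PID makes the SetThreadContext row easier to read: PID 3968 (the dialer.exe target) is dumped repeatedly at 0x140000000, which is the default image base MSVC assigns to 64-bit executables, while the legitimate 64-bit images in the same run (for example PID 4224) sit at ASLR-style 0x7FF6... bases. The following Python is an added example, not part of the sandbox output; it assumes the dump names follow the layout memory/<pid>-<sequence>-<start>-<end>-memory.dmp (consistent with 4224 and 3968 being the PIDs in the SetThreadContext row) and uses a subset of the report's own dump names as input.

```python
import re
from collections import defaultdict

# Assumed layout of the dump names: memory/<pid>-<sequence>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Default image base MSVC assigns to 64-bit executables; under ASLR a
# system binary such as dialer.exe would normally not be mapped here.
DEFAULT_X64_IMAGE_BASE = 0x140000000

# Subset of the dump names listed in the report's Files section.
SAMPLE = """\
memory/4916-0-0x0000000000400000-0x000000000141D000-memory.dmp
memory/4224-83-0x00007FF6EDF50000-0x00007FF6EF487000-memory.dmp
memory/4224-84-0x00007FF454680000-0x00007FF454A51000-memory.dmp
memory/3968-131-0x0000000140000000-0x000000014002B000-memory.dmp
memory/3968-132-0x0000000140000000-0x000000014002B000-memory.dmp
memory/3968-133-0x0000000140000000-0x000000014002B000-memory.dmp
memory/3968-134-0x0000000140000000-0x000000014002B000-memory.dmp
memory/3968-136-0x0000000140000000-0x000000014002B000-memory.dmp
memory/3968-137-0x00007FF955720000-0x00007FF955929000-memory.dmp
memory/4224-113-0x00007FF6EDF50000-0x00007FF6EF487000-memory.dmp
"""


def parse_dumps(text):
    """Return {pid: {(start, end): times_dumped}} from dump file names."""
    regions = defaultdict(dict)
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            continue  # file hashes and other non-dump lines are skipped
        pid = int(m.group(1))
        key = (int(m.group(3), 16), int(m.group(4), 16))
        regions[pid][key] = regions[pid].get(key, 0) + 1
    return dict(regions)


def summarize_regions(regions):
    """Per-PID: distinct regions, total dumps, unique bytes, default-base flag."""
    out = {}
    for pid, regs in regions.items():
        out[pid] = {
            "regions": len(regs),
            "dumps": sum(regs.values()),
            "unique_bytes": sum(end - start for start, end in regs),
            "at_default_x64_base": any(start == DEFAULT_X64_IMAGE_BASE for start, _ in regs),
        }
    return out


SUMMARY = summarize_regions(parse_dumps(SAMPLE))

if __name__ == "__main__":
    for pid, info in sorted(SUMMARY.items()):
        print(pid, info)
```

A region of 0x2B000 bytes at the default 64-bit image base inside a process that was the target of SetThreadContext is the shape one expects from a payload mapped by hand into a hollowed host, so the PID flagged `at_default_x64_base` is the dump to pull first for static analysis.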