Analysis
max time kernel: 142s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05-03-2024 14:26

Behavioral task: behavioral1
Sample: b4eca0c093be55ecd3e7ad17b5130e46.exe
Resource: win7-20240221-en
General
Target: b4eca0c093be55ecd3e7ad17b5130e46.exe
Size: 2.9MB
MD5: b4eca0c093be55ecd3e7ad17b5130e46
SHA1: 27601722e5dfc4523842b6f3998f0d82a584b7dc
SHA256: eeb187cdea92ed939a396ee999acfd756a09663dd8a7f444cdbf72d06b660815
SHA512: 2c1db64502b86c547541024390357dd526d09b37d90e4adbf00ddf547516549fb10eda64165f3f1c3aa849bca48a6afad1081ce4654e5ab064124751e0289146
SSDEEP: 49152:h9jl72TC3sg0nn5Mvx+noHXYUgbWyhmEvOKpwVQW3NgLQ29p2t3u20FlvSou0izh:h1l7b3sg0nn5Mp+noHlyhJGKKUMM20js
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
  description  ioc                                          process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  b4eca0c093be55ecd3e7ad17b5130e46.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  b4eca0c093be55ecd3e7ad17b5130e46.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   b4eca0c093be55ecd3e7ad17b5130e46.exe

Loads dropped DLL 1 IoCs
Processes:
  pid   process
  2812  b4eca0c093be55ecd3e7ad17b5130e46.exe

Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/2812-20-0x0000000000CC0000-0x0000000001452000-memory.dmp  agile_net
  behavioral1/memory/2812-21-0x0000000000CC0000-0x0000000001452000-memory.dmp  agile_net

Themida packer (yara rule themida) 2 IoCs
The same two memory dumps of PID 2812 that matched agile_net also match the themida rule.
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/2812-20-0x0000000000CC0000-0x0000000001452000-memory.dmp  themida
  behavioral1/memory/2812-21-0x0000000000CC0000-0x0000000001452000-memory.dmp  themida

Checks whether UAC is enabled 1 IoCs
Processes:
  description        ioc                                                                                 process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  b4eca0c093be55ecd3e7ad17b5130e46.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
NtSetInformationThread with the ThreadHideFromDebugger information class stops the calling thread from delivering debug events to an attached debugger, a common anti-debugging technique.
Processes:
  pid   process
  2812  b4eca0c093be55ecd3e7ad17b5130e46.exe

Program crash 1 IoCs
WerFault.exe was launched from SysWOW64, i.e. the 32-bit error-reporting handler, so the faulting sample was running as a 32-bit process.
Processes:
  pid   pid_target  process       procid_target
  3064  2812        WerFault.exe  27

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2812  b4eca0c093be55ecd3e7ad17b5130e46.exe

Suspicious use of WriteProcessMemory 4 IoCs
All four writes go from the sample (PID 2812) into PID 3064, the WerFault.exe instance spawned to handle its own crash (see Processes), so this is a parent writing into a child it created rather than injection into an unrelated process.
Processes:
  description                       pid   process                               procid_target
  PID 2812 wrote to memory of 3064  2812  b4eca0c093be55ecd3e7ad17b5130e46.exe  28
  PID 2812 wrote to memory of 3064  2812  b4eca0c093be55ecd3e7ad17b5130e46.exe  28
  PID 2812 wrote to memory of 3064  2812  b4eca0c093be55ecd3e7ad17b5130e46.exe  28
  PID 2812 wrote to memory of 3064  2812  b4eca0c093be55ecd3e7ad17b5130e46.exe  28
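The anti-VM, BIOS and UAC signatures above are all plain registry reads; what makes them meaningful is what the sample compares the returned values against. The following is an added example and not code from the report, the sandbox or the sample. It parses the four registry IoC lines listed in the Signatures section into classified findings, then replays, on two constructed registry snapshots, the conclusion a sample can draw from those same reads. The rule table, the ATT&CK technique mapping, the hypervisor marker list and both snapshots are assumptions made here for illustration.

```python
"""Classify the registry IoCs from the report's Signatures section and replay
the decision a sample could make from those reads.

Added example; not code from the report, the sandbox or the sample.  The rule
table, the ATT&CK mapping, the hypervisor marker list and both registry
snapshots are assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence, Union

HKLM = "\\REGISTRY\\MACHINE"
ACPI_VBOX = HKLM + "\\HARDWARE\\ACPI\\DSDT\\VBOX__"
SYSTEM_BIOS = HKLM + "\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion"
VIDEO_BIOS = HKLM + "\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion"
ENABLE_LUA = HKLM + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"

# The four registry IoCs exactly as the report lists them.
REPORT_IOCS = [
    "Key opened " + ACPI_VBOX,
    "Key value queried " + SYSTEM_BIOS,
    "Key value queried " + VIDEO_BIOS,
    "Key value queried " + ENABLE_LUA,
]

# Substrings commonly searched for in BIOS strings by VM-aware samples
# (assumption: a generic list, not recovered from this sample).
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "VIRTUAL")


@dataclass(frozen=True)
class Finding:
    action: str     # "Key opened" or "Key value queried"
    path: str       # full registry path from the IoC line
    category: str   # what the read is used for
    attack: str     # ATT&CK technique; my mapping, not the report's


# (pattern over the registry path, category, ATT&CK technique)
RULES = [
    (re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I),
     "anti-vm: VirtualBox ACPI table name", "T1497.001"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
     "anti-vm: BIOS version strings", "T1497.001"),
    (re.compile(r"\\Policies\\System\\EnableLUA$", re.I),
     "discovery: UAC enabled", "T1082"),
]
IOC_LINE = re.compile(r"^(Key opened|Key value queried)\s+(\\REGISTRY\\\S+)$")


def classify(lines: Sequence[str]) -> List[Finding]:
    """Map each 'Key opened'/'Key value queried' IoC line to a Finding; unknown paths are skipped."""
    findings = []
    for line in lines:
        m = IOC_LINE.match(line.strip())
        if not m:
            continue
        action, path = m.groups()
        for pattern, category, technique in RULES:
            if pattern.search(path):
                findings.append(Finding(action, path, category, technique))
                break
    return findings


# Registry snapshot: key path -> list of strings (REG_MULTI_SZ) or int (REG_DWORD).
# A key that exists but carries no value (the ACPI table key) maps to an empty list.
Registry = Dict[str, Union[List[str], int]]


def vm_evidence(reg: Registry) -> List[str]:
    """Replay the anti-VM conclusion the three hardware reads allow."""
    reasons = []
    if ACPI_VBOX in reg:
        reasons.append("ACPI DSDT table named VBOX__ exists")
    for path in (SYSTEM_BIOS, VIDEO_BIOS):
        value = reg.get(path, [])
        strings = value if isinstance(value, list) else [str(value)]
        name = path.split("\\")[-1]
        for s in strings:
            if any(marker in s.upper() for marker in VM_MARKERS):
                reasons.append(f"{name} contains {s!r}")
                break
    return reasons


def uac_enabled(reg: Registry) -> bool:
    """EnableLUA != 0 means UAC is on; a missing value is treated as enabled (assumption)."""
    return reg.get(ENABLE_LUA, 1) != 0


# Constructed snapshots, not captured from real machines.
VIRTUALBOX_GUEST: Registry = {
    ACPI_VBOX: [],
    SYSTEM_BIOS: ["VBOX   - 1"],
    VIDEO_BIOS: ["Oracle VM VirtualBox Version 6.1.0"],
    ENABLE_LUA: 1,
}
BARE_METAL: Registry = {
    SYSTEM_BIOS: ["DELL   - 1072009", "1.12.0"],
    VIDEO_BIOS: ["Intel Video BIOS"],
    ENABLE_LUA: 0,
}

if __name__ == "__main__":
    for f in classify(REPORT_IOCS):
        print(f"{f.attack:10} {f.category:36} {f.action}: {f.path}")
    for label, snap in (("virtualbox guest", VIRTUALBOX_GUEST), ("bare metal", BARE_METAL)):
        print(f"{label}: vm evidence={vm_evidence(snap) or 'none'} uac_enabled={uac_enabled(snap)}")
```

Note that the three hardware reads are only evidence of an environment check; whether the sample actually exits, sleeps or changes behaviour on a hit is not visible from a registry trace alone, which is why the report labels the ACPI check "likely anti-VM" rather than asserting it.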
Processes

1. C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe (PID 2812)
   Command line: "C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Loads dropped DLL
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe (PID 3064, child of 2812)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 660
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 140KB
MD5: edd74be9723cdc6a5692954f0e51c9f3
SHA1: e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686
SHA256: 55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7
SHA512: 80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3