Analysis
max time kernel: 149s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-03-2024 14:26
Behavioral task: behavioral1
Sample: b4eca0c093be55ecd3e7ad17b5130e46.exe
Resource: win7-20240221-en
General
Target: b4eca0c093be55ecd3e7ad17b5130e46.exe
Size: 2.9MB
MD5: b4eca0c093be55ecd3e7ad17b5130e46
SHA1: 27601722e5dfc4523842b6f3998f0d82a584b7dc
SHA256: eeb187cdea92ed939a396ee999acfd756a09663dd8a7f444cdbf72d06b660815
SHA512: 2c1db64502b86c547541024390357dd526d09b37d90e4adbf00ddf547516549fb10eda64165f3f1c3aa849bca48a6afad1081ce4654e5ab064124751e0289146
SSDEEP: 49152:h9jl72TC3sg0nn5Mvx+noHXYUgbWyhmEvOKpwVQW3NgLQ29p2t3u20FlvSou0izh:h1l7b3sg0nn5Mp+noHlyhJGKKUMM20js
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs, 1 IoCs
Processes: b4eca0c093be55ecd3e7ad17b5130e46.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b4eca0c093be55ecd3e7ad17b5130e46.exe
Checks BIOS information in registry - 2 TTPs, 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: b4eca0c093be55ecd3e7ad17b5130e46.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b4eca0c093be55ecd3e7ad17b5130e46.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b4eca0c093be55ecd3e7ad17b5130e46.exe
Loads dropped DLL - 1 IoCs
Processes: b4eca0c093be55ecd3e7ad17b5130e46.exe
pid | Process
3512 | b4eca0c093be55ecd3e7ad17b5130e46.exe
Obfuscated with Agile.Net obfuscator - 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
behavioral2/memory/3512-11-0x00000000003B0000-0x0000000000B42000-memory.dmp | agile_net
behavioral2/memory/3512-12-0x00000000003B0000-0x0000000000B42000-memory.dmp | agile_net
behavioral2/memory/3512-31-0x00000000003B0000-0x0000000000B42000-memory.dmp | agile_net
Processes:
resource | yara_rule
behavioral2/memory/3512-11-0x00000000003B0000-0x0000000000B42000-memory.dmp | themida
behavioral2/memory/3512-12-0x00000000003B0000-0x0000000000B42000-memory.dmp | themida
behavioral2/memory/3512-31-0x00000000003B0000-0x0000000000B42000-memory.dmp | themida
Checks whether UAC is enabled
Processes: b4eca0c093be55ecd3e7ad17b5130e46.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | b4eca0c093be55ecd3e7ad17b5130e46.exe
Suspicious use of NtSetInformationThreadHideFromDebugger - 1 IoCs
Processes: b4eca0c093be55ecd3e7ad17b5130e46.exe
pid | Process
3512 | b4eca0c093be55ecd3e7ad17b5130e46.exe
Program crash - 1 IoCs
Processes: WerFault.exe
pid | pid_target | Process | procid_target
3900 | 3512 | WerFault.exe | 93
Suspicious use of AdjustPrivilegeToken - 1 IoCs
Processes: b4eca0c093be55ecd3e7ad17b5130e46.exe
description | pid | Process
Token: SeDebugPrivilege | 3512 | b4eca0c093be55ecd3e7ad17b5130e46.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID: 3512
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 992
      - Program crash
      PID: 3900
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3512 -ip 3512
  PID: 708
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
  PID: 696
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 140KB
MD5: edd74be9723cdc6a5692954f0e51c9f3
SHA1: e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686
SHA256: 55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7
SHA512: 80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3