Analysis
- max time kernel: 312s
- max time network: 316s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 09/04/2024, 08:55

Behavioral task: behavioral1
- Sample: Injector.exe
- Resource: win7-20240221-en
- 11 signatures
- 300 seconds
General
- Target: Injector.exe
- Size: 3.4MB
- MD5: c6b39ee166d5b0a2c8a9021ccd1593ae
- SHA1: e480e7c282f64e8b0179c82afe154dd59d14217d
- SHA256: 443b665c5f545a2bdd7855f86bf70a5ee7f35eda1b6b08615161f5809cbda02b
- SHA512: 3864aea36c522ca5658412128e6a4c862a647cf3b1054b9adbe418488590a37600d7639c3eba94ca9de76f087b244b95644c667213b1122889cf2d9b7a4652d2
- SSDEEP: 49152:Kl0nJ28J4VZohYWVGGjW8NhSU7zwo8oXJ2R3KPHsI7coj2J+eNgRpqNc1a:KmnJrJ4DohYWVTJNkIZZ2R6vsmA+FDqN
Malware Config
Signatures

- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Injector.exe

- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Injector.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Injector.exe

- yara_rule matches (themida) 6 IoCs
  resource | yara_rule
  behavioral1/memory/2244-0-0x000000013FAF0000-0x0000000140450000-memory.dmp | themida
  behavioral1/memory/2244-2-0x000000013FAF0000-0x0000000140450000-memory.dmp | themida
  behavioral1/memory/2244-3-0x000000013FAF0000-0x0000000140450000-memory.dmp | themida
  behavioral1/memory/2244-4-0x000000013FAF0000-0x0000000140450000-memory.dmp | themida
  behavioral1/memory/2244-5-0x000000013FAF0000-0x0000000140450000-memory.dmp | themida
  behavioral1/memory/2244-6-0x000000013FAF0000-0x0000000140450000-memory.dmp | themida

- Checks whether UAC is enabled 1 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Injector.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  pid | Process
  2244 | Injector.exe

- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  pid | Process
  2780 | vlc.exe

- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid | Process
  2780 | vlc.exe

- Suspicious use of AdjustPrivilegeToken 6 IoCs
  description | pid | Process
  Token: 33 | 1740 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1740 | AUDIODG.EXE
  Token: 33 | 1740 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1740 | AUDIODG.EXE
  Token: 33 | 2780 | vlc.exe
  Token: SeIncBasePriorityPrivilege | 2780 | vlc.exe

- Suspicious use of FindShellTrayWindow 64 IoCs
  pid | Process
  2780 | vlc.exe (64 identical entries)

- Suspicious use of SendNotifyMessage 9 IoCs
  pid | Process
  2780 | vlc.exe (9 identical entries)

- Suspicious use of SetWindowsHookEx 1 IoCs
  pid | Process
  2780 | vlc.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\Injector.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
  PID: 2244
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2892

- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x19c
  PID: 1740
  - Suspicious use of AdjustPrivilegeToken

- C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Public\Videos\Sample Videos\Wildlife.wmv"
  PID: 2780
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx