Analysis
max time kernel: 142s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/04/2024, 00:14
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20240221-en
11 signatures
150 seconds
General
Target: file.exe
Size: 4.8MB
MD5: d15459e9b9d12244a57809bc383b2757
SHA1: 4b41e6b5aa4f88fdf455030db94197d465de993a
SHA256: 37aef611ec814af2cdcfa198e200cb21ecb46caa30f84d0221a47db1265b889d
SHA512: 40558644ca9918b84a9438a3a2c4d85a97ddec378aed23756e14c57351d4b4c82d6316add1e62243826328e42c766784cee5d6cae41c6fa6c43864f5097a239c
SSDEEP: 98304:AZ5VfUpCCTIDsAi8LXS2vwJ1EbfdOq5elO:Axf8ivmOfdOq5elO
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | file.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | file.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | file.exe

resource | yara_rule
behavioral2/memory/4952-0-0x0000000000550000-0x0000000000B1B000-memory.dmp | themida
behavioral2/memory/4952-6-0x0000000000550000-0x0000000000B1B000-memory.dmp | themida
behavioral2/memory/4952-7-0x0000000000550000-0x0000000000B1B000-memory.dmp | themida
behavioral2/memory/4952-8-0x0000000000550000-0x0000000000B1B000-memory.dmp | themida
behavioral2/memory/4952-9-0x0000000000550000-0x0000000000B1B000-memory.dmp | themida
behavioral2/memory/4952-10-0x0000000000550000-0x0000000000B1B000-memory.dmp | themida
behavioral2/memory/4952-11-0x0000000000550000-0x0000000000B1B000-memory.dmp | themida
behavioral2/memory/4952-12-0x0000000000550000-0x0000000000B1B000-memory.dmp | themida
behavioral2/memory/4952-19-0x0000000000550000-0x0000000000B1B000-memory.dmp | themida
Checks whether UAC is enabled
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | file.exe
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
17 | ipinfo.io
8 | api.myip.com
11 | api.myip.com
16 | ipinfo.io

Drops file in System32 directory (4 IoCs)
description | ioc | process
File opened for modification | C:\Windows\System32\GroupPolicy | file.exe
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | file.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | file.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | file.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | process
4952 | file.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
4952 | file.exe
4952 | file.exe
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe
command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
PID: 4952
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\svchost.exe
command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
PID: 4576

C:\Windows\system32\svchost.exe
command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
PID: 1656