Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 25-04-2024 04:20
Behavioral task behavioral1
Sample: e03ca3c63a758e954e557211c13938d29bfb6506621826585a1fd053c42202e9.exe
Resource: win7-20240220-en
Behavioral task behavioral2
Sample: e03ca3c63a758e954e557211c13938d29bfb6506621826585a1fd053c42202e9.exe
Resource: win10v2004-20240226-en
The signatures, process tree and memory dumps on this page all come from behavioral1 (Windows 7 x64); every memory region below is prefixed behavioral1/.
General
Target: e03ca3c63a758e954e557211c13938d29bfb6506621826585a1fd053c42202e9.exe
Size: 2.6MB
MD5: 061703b95c263d223f9f39f827e5a129
SHA1: 3e1d68bc26b3ca9f03e7421c27ecd0bd5b5a8d62
SHA256: e03ca3c63a758e954e557211c13938d29bfb6506621826585a1fd053c42202e9
SHA512: d64b1a3ddc8ee34161221b3ee4aec46ae446e8cdfeae28401d66b70398658a2ab49be267f73a70275e207669c59ba571dd4dbaef85eac3dcdd510dddcb0816b0
SSDEEP: 49152:kr+2uK5YdMOMRhPtlRmTIIpMKo+GervVPMrG801uHBPbwwvRsfl:kr/vDRd1BrGMHVql
Malware Config
Signatures
Detects executables packed with Themida (5 IoCs)
YARA rule INDICATOR_EXE_Packed_Themida matched on:
- behavioral1/memory/2856-0-0x0000000000400000-0x0000000000AB4000-memory.dmp
- behavioral1/memory/2856-1-0x0000000000400000-0x0000000000AB4000-memory.dmp
- C:\PROGRA~3\Mozilla\wrvdfyg.exe
- behavioral1/memory/2256-9-0x0000000000400000-0x0000000000AB4000-memory.dmp
- behavioral1/memory/2256-10-0x0000000000400000-0x0000000000AB4000-memory.dmp
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by wrvdfyg.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by e03ca3c63a758e954e557211c13938d29bfb6506621826585a1fd053c42202e9.exe
Modifies AppInit DLL entries (2 TTPs; no process or IoC is listed for this signature on this page)
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by e03ca3c63a758e954e557211c13938d29bfb6506621826585a1fd053c42202e9.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by e03ca3c63a758e954e557211c13938d29bfb6506621826585a1fd053c42202e9.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by wrvdfyg.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by wrvdfyg.exe
Executes dropped EXE (1 IoC)
- PID 2256: wrvdfyg.exe
YARA rule themida matched (5 IoCs; the signature title for this block is missing from the page, only the rule name survives)
- behavioral1/memory/2856-0-0x0000000000400000-0x0000000000AB4000-memory.dmp
- behavioral1/memory/2856-1-0x0000000000400000-0x0000000000AB4000-memory.dmp
- C:\PROGRA~3\Mozilla\wrvdfyg.exe
- behavioral1/memory/2256-9-0x0000000000400000-0x0000000000AB4000-memory.dmp
- behavioral1/memory/2256-10-0x0000000000400000-0x0000000000AB4000-memory.dmp
Checks whether UAC is enabled (2 IoCs; signature title taken from the process tree below)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by e03ca3c63a758e954e557211c13938d29bfb6506621826585a1fd053c42202e9.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by wrvdfyg.exe
Drops file in Program Files directory (2 IoCs)
- File created: C:\PROGRA~3\Mozilla\klztrnd.dll by wrvdfyg.exe
- File created: C:\PROGRA~3\Mozilla\wrvdfyg.exe by e03ca3c63a758e954e557211c13938d29bfb6506621826585a1fd053c42202e9.exe
Suspicious use of UnmapMainImage (2 IoCs)
- PID 2856: e03ca3c63a758e954e557211c13938d29bfb6506621826585a1fd053c42202e9.exe
- PID 2256: wrvdfyg.exe
Suspicious use of WriteProcessMemory (4 IoCs; the same write is logged four times)
- PID 1920 (taskeng.exe) wrote to memory of PID 2256 (wrvdfyg.exe)
- PID 1920 (taskeng.exe) wrote to memory of PID 2256 (wrvdfyg.exe)
- PID 1920 (taskeng.exe) wrote to memory of PID 2256 (wrvdfyg.exe)
- PID 1920 (taskeng.exe) wrote to memory of PID 2256 (wrvdfyg.exe)
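The four registry reads above (the VirtualBox ACPI table, both BIOS version strings and EnableLUA) are individually unremarkable; what marks this sample is that one process performs all of them. The script below is an added example, not part of the sandbox report, that turns the report's registry IoCs into a per-process detection. It consumes registry-access events in a simplified "ProcessId=... Image=... TargetObject=..." form that is constructed here and stands in for an EDR feed or Windows object-access auditing (Event ID 4663 with a SACL on those keys). Sysmon alone will not produce these lines: it records key creation and value writes, not value reads.

```python
"""Score registry reads for the anti-analysis cluster shown in this report.

Added example (not from the sandbox report). Event lines are constructed; the key
paths are the report's IoCs. PIDs and image paths mirror the report's process tree,
and svchost.exe (PID 4040) is a benign control that only reads EnableLUA.
"""
import re
from collections import defaultdict

# Registry paths copied from the report's IoCs, relative to the HKLM hive.
# The sandbox writes the hive as \REGISTRY\MACHINE; EDR products usually write HKLM.
ANTI_ANALYSIS_KEYS = {
    r"HARDWARE\ACPI\DSDT\VBOX__": "virtualbox_acpi",
    r"HARDWARE\DESCRIPTION\System\SystemBiosVersion": "bios_version",
    r"HARDWARE\DESCRIPTION\System\VideoBiosVersion": "video_bios_version",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": "uac_check",
}

_HIVE_PREFIX = re.compile(r"^(\\REGISTRY\\MACHINE|HKEY_LOCAL_MACHINE|HKLM)\\", re.I)
_EVENT = re.compile(r"ProcessId=(\d+)\s+Image=(\S+)\s+TargetObject=(\S+)")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e03ca3c63a758e954e557211c13938d29bfb6506621826585a1fd053c42202e9.exe"
DROPPED = r"C:\ProgramData\Mozilla\wrvdfyg.exe"   # C:\PROGRA~3 expanded
SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed events (not the sandbox's own log). Both sandbox and EDR hive spellings appear.
_RAW = [
    (2856, SAMPLE, r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    (2856, SAMPLE, r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (2856, SAMPLE, r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (2856, SAMPLE, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    (2256, DROPPED, r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"),
    (2256, DROPPED, r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (2256, DROPPED, r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (2256, DROPPED, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    (4040, SVCHOST, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    (5050, SVCHOST, r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip"),
]
SAMPLE_EVENTS = [f"ProcessId={p} Image={i} TargetObject={t}" for p, i, t in _RAW]


def normalize_key(target):
    """Strip the hive prefix so sandbox and EDR spellings compare equal."""
    return _HIVE_PREFIX.sub("", target.strip())


def classify_key(target):
    """Return the anti-analysis category for a key path, or None if it is not an IoC."""
    key = normalize_key(target).lower()
    for path, category in ANTI_ANALYSIS_KEYS.items():
        if key == path.lower():
            return category
    return None


def score_events(lines):
    """Map (pid, image) to the set of anti-analysis categories seen for that process."""
    hits = defaultdict(set)
    for line in lines:
        m = _EVENT.search(line)
        if not m:
            continue
        pid, image, target = m.groups()
        category = classify_key(target)
        if category:
            hits[(int(pid), image)].add(category)
    return dict(hits)


def suspicious_processes(lines, min_categories=3):
    """Processes that combine at least min_categories distinct checks.

    A lone EnableLUA or BIOS read is routine for installers and services; the VM
    check plus BIOS strings plus UAC state inside one process is this sample's pattern.
    """
    return sorted(
        (pid, image, sorted(cats))
        for (pid, image), cats in score_events(lines).items()
        if len(cats) >= min_categories
    )


if __name__ == "__main__":
    for pid, image, cats in suspicious_processes(SAMPLE_EVENTS):
        print(f"{pid} {image}: {', '.join(cats)}")
```

The threshold of three categories is the tunable: two would also catch a process that reads both BIOS strings and EnableLUA, which some legitimate installers do, so it is set so that the VirtualBox ACPI read has to be present alongside the other checks.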
Processes
C:\Users\Admin\AppData\Local\Temp\e03ca3c63a758e954e557211c13938d29bfb6506621826585a1fd053c42202e9.exe (PID 2856, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e03ca3c63a758e954e557211c13938d29bfb6506621826585a1fd053c42202e9.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
C:\Windows\system32\taskeng.exe (PID 1920, depth 1)
  Command line: taskeng.exe {4568BF9B-C749-40DC-9A20-07F42BCA0A62} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  C:\PROGRA~3\Mozilla\wrvdfyg.exe (PID 2256, depth 2, child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\wrvdfyg.exe -hzyjzia
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
taskeng.exe is the Windows 7 Task Scheduler engine, and this instance runs as SYSTEM (S-1-5-18), so the dropped wrvdfyg.exe was launched by a scheduled task with SYSTEM privileges rather than directly by the submitted sample; the registration of that task is not shown anywhere on this page. The -hzyjzia argument passed to the dropped copy is likewise not explained by the report.
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\PROGRA~3\Mozilla\wrvdfyg.exe
  Filesize: 2.6MB
  MD5: 23c3d39d09d31f979db5ff8c18862c2e
  SHA1: c769068af6709e1a1f0aaa0efe8024148da91a64
  SHA256: 750ebd59757984571efe94a040ba3e62099b3b682ab9fa5b845cd252e1d6ee7c
  SHA512: ecad6953ed37a79e2174a5276c5a646d31cac86afaac9a65df736779c5ecb90ea9e427e3aeef8706bb22fafd9d1297bfa0cc5a8fd59c64d939543aa9b172de54
  The dropped file has the same 2.6MB size as the submitted sample but different hashes, so it is not a byte-for-byte copy of the original.
memory/2256-9-0x0000000000400000-0x0000000000AB4000-memory.dmp
  Filesize: 6.7MB
memory/2256-10-0x0000000000400000-0x0000000000AB4000-memory.dmp
  Filesize: 6.7MB
memory/2256-12-0x0000000000400000-0x000000000045B000-memory.dmp
  Filesize: 364KB
memory/2256-11-0x0000000000AC0000-0x0000000000B1B000-memory.dmp
  Filesize: 364KB
memory/2256-14-0x0000000000400000-0x000000000045B000-memory.dmp
  Filesize: 364KB
memory/2856-0-0x0000000000400000-0x0000000000AB4000-memory.dmp
  Filesize: 6.7MB
memory/2856-1-0x0000000000400000-0x0000000000AB4000-memory.dmp
  Filesize: 6.7MB
memory/2856-2-0x00000000002E0000-0x000000000033B000-memory.dmp
  Filesize: 364KB
memory/2856-3-0x0000000000400000-0x000000000045B000-memory.dmp
  Filesize: 364KB
memory/2856-5-0x0000000000400000-0x000000000045B000-memory.dmp
  Filesize: 364KB
memory/2856-6-0x00000000002E0000-0x000000000033B000-memory.dmp
  Filesize: 364KB
In both processes the 6.7MB dumps at 0x400000-0xAB4000 are the Themida-packed image as mapped, and the later 364KB dumps at 0x400000-0x45B000 plus a second 364KB region elsewhere (0x2E0000 in PID 2856, 0xAC0000 in PID 2256) are what remains after the image is unmapped; together with the UnmapMainImage signature this is consistent with the packer replacing the original image with a 364KB payload. The report does not identify that payload, so the 364KB dumps are the ones to inspect rather than the packed 6.7MB regions.
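For hunting on other hosts, the report gives two file names under C:\PROGRA~3\Mozilla and full hashes for the dropped executable (none for klztrnd.dll). The script below is an added example, not part of the sandbox report: it hashes every file under a directory and matches against the hash and name IoCs above. C:\PROGRA~3 is the 8.3 short name that on a default installation typically resolves to C:\ProgramData, so the live-host root would be C:\ProgramData\Mozilla; the directory walked is a parameter, and build_demo_dir creates a throwaway directory of constructed files so the script can be tried without the sample.

```python
"""Hunt a directory for the artefacts this report says the sample drops.

Added example (not from the sandbox report). SHA256 values are copied from the report;
the demo directory and its contents are constructed and contain no real malware.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA256 values copied from the report. klztrnd.dll is listed as created but the
# report carries no hash for it, so it can only be matched by name.
IOC_SHA256 = {
    "e03ca3c63a758e954e557211c13938d29bfb6506621826585a1fd053c42202e9": "submitted sample",
    "750ebd59757984571efe94a040ba3e62099b3b682ab9fa5b845cd252e1d6ee7c": "dropped wrvdfyg.exe",
}
IOC_NAMES = {"wrvdfyg.exe", "klztrnd.dll"}

# SHA256 of the constructed demo content b"hello"; used only for the dry run below.
DEMO_SHA256 = {
    "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824": "constructed test file",
}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, sha256_iocs=IOC_SHA256, name_iocs=IOC_NAMES):
    """Return findings (sorted by path) for every file matching a hash or name IoC.

    A hash hit is reported even if the file was renamed; a name hit is reported even if
    the content differs, because the name itself is an indicator from the report.
    A missing directory yields an empty list rather than an exception.
    """
    root = Path(root)
    findings = []
    if not root.is_dir():
        return findings
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            digest = sha256_file(path)
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        reasons = []
        if digest in sha256_iocs:
            reasons.append(f"sha256 matches {sha256_iocs[digest]}")
        if path.name.lower() in name_iocs:
            reasons.append("file name from report")
        if reasons:
            findings.append({"name": path.name, "path": str(path),
                             "sha256": digest, "reason": "; ".join(reasons)})
    return findings


def build_demo_dir():
    """Create a temporary directory of constructed files for a dry run (no real malware)."""
    root = Path(tempfile.mkdtemp(prefix="ioc-hunt-"))
    (root / "wrvdfyg.exe").write_bytes(b"hello")  # name IoC with constructed content
    (root / "other.bin").write_bytes(b"hello")    # same content under a different name
    (root / "clean.txt").write_bytes(b"clean")    # should not be reported
    return str(root)


if __name__ == "__main__":
    demo = build_demo_dir()
    for finding in hunt(demo, sha256_iocs={**IOC_SHA256, **DEMO_SHA256}):
        print(f"{finding['path']}: {finding['reason']}")
```

On a real host run it as hunt(r"C:\ProgramData\Mozilla") with the defaults; the MD5 and SHA1 values in the report can be added the same way if the telemetry you are matching against only carries those.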