e6a084a656921b8c78e2bc76540e86d914355628db8035a0c3b34df444f7d78b

Analysis

max time kernel
3s
max time network
8s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
27/04/2024, 06:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

vacuum.exe
Size

7.0MB
MD5

777355080ce4b38e03e3bae0ce8703ad
SHA1

f8c457e2cca750a3ddfeeb504952475deb5bab2c
SHA256

e6a084a656921b8c78e2bc76540e86d914355628db8035a0c3b34df444f7d78b
SHA512

55e8b94a07ca463184d189f3a280d3a0e3acc34c6f7b76c14d156e0fcb7524c034f69185f7bea37da11a24386e4c899f99eeed2597970efba979b6d1b39f1d94
SSDEEP

196608:CmIKnxUeWniz4u7OoZdt8DCJpPT8Lny+G:CDKxS+Vhdt8Dwcy+G

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	vacuum.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vacuum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vacuum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vacuum.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vacuum.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	vacuum.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3552	vacuum.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2540	WMIC.exe
Token: SeSecurityPrivilege	2540	WMIC.exe
Token: SeTakeOwnershipPrivilege	2540	WMIC.exe
Token: SeLoadDriverPrivilege	2540	WMIC.exe
Token: SeSystemProfilePrivilege	2540	WMIC.exe
Token: SeSystemtimePrivilege	2540	WMIC.exe
Token: SeProfSingleProcessPrivilege	2540	WMIC.exe
Token: SeIncBasePriorityPrivilege	2540	WMIC.exe
Token: SeCreatePagefilePrivilege	2540	WMIC.exe
Token: SeBackupPrivilege	2540	WMIC.exe
Token: SeRestorePrivilege	2540	WMIC.exe
Token: SeShutdownPrivilege	2540	WMIC.exe
Token: SeDebugPrivilege	2540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2540	WMIC.exe
Token: SeRemoteShutdownPrivilege	2540	WMIC.exe
Token: SeUndockPrivilege	2540	WMIC.exe
Token: SeManageVolumePrivilege	2540	WMIC.exe
Token: 33	2540	WMIC.exe
Token: 34	2540	WMIC.exe
Token: 35	2540	WMIC.exe
Token: 36	2540	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2540	WMIC.exe
Token: SeSecurityPrivilege	2540	WMIC.exe
Token: SeTakeOwnershipPrivilege	2540	WMIC.exe
Token: SeLoadDriverPrivilege	2540	WMIC.exe
Token: SeSystemProfilePrivilege	2540	WMIC.exe
Token: SeSystemtimePrivilege	2540	WMIC.exe
Token: SeProfSingleProcessPrivilege	2540	WMIC.exe
Token: SeIncBasePriorityPrivilege	2540	WMIC.exe
Token: SeCreatePagefilePrivilege	2540	WMIC.exe
Token: SeBackupPrivilege	2540	WMIC.exe
Token: SeRestorePrivilege	2540	WMIC.exe
Token: SeShutdownPrivilege	2540	WMIC.exe
Token: SeDebugPrivilege	2540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2540	WMIC.exe
Token: SeRemoteShutdownPrivilege	2540	WMIC.exe
Token: SeUndockPrivilege	2540	WMIC.exe
Token: SeManageVolumePrivilege	2540	WMIC.exe
Token: 33	2540	WMIC.exe
Token: 34	2540	WMIC.exe
Token: 35	2540	WMIC.exe
Token: 36	2540	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3160	WMIC.exe
Token: SeSecurityPrivilege	3160	WMIC.exe
Token: SeTakeOwnershipPrivilege	3160	WMIC.exe
Token: SeLoadDriverPrivilege	3160	WMIC.exe
Token: SeSystemProfilePrivilege	3160	WMIC.exe
Token: SeSystemtimePrivilege	3160	WMIC.exe
Token: SeProfSingleProcessPrivilege	3160	WMIC.exe
Token: SeIncBasePriorityPrivilege	3160	WMIC.exe
Token: SeCreatePagefilePrivilege	3160	WMIC.exe
Token: SeBackupPrivilege	3160	WMIC.exe
Token: SeRestorePrivilege	3160	WMIC.exe
Token: SeShutdownPrivilege	3160	WMIC.exe
Token: SeDebugPrivilege	3160	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3160	WMIC.exe
Token: SeRemoteShutdownPrivilege	3160	WMIC.exe
Token: SeUndockPrivilege	3160	WMIC.exe
Token: SeManageVolumePrivilege	3160	WMIC.exe
Token: 33	3160	WMIC.exe
Token: 34	3160	WMIC.exe
Token: 35	3160	WMIC.exe
Token: 36	3160	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3160	WMIC.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 3916	3552	vacuum.exe	81
PID 3552 wrote to memory of 3916	3552	vacuum.exe	81
PID 3916 wrote to memory of 2540	3916	cmd.exe	82
PID 3916 wrote to memory of 2540	3916	cmd.exe	82
PID 3552 wrote to memory of 2984	3552	vacuum.exe	84
PID 3552 wrote to memory of 2984	3552	vacuum.exe	84
PID 2984 wrote to memory of 3160	2984	cmd.exe	85
PID 2984 wrote to memory of 3160	2984	cmd.exe	85
PID 3552 wrote to memory of 868	3552	vacuum.exe	86
PID 3552 wrote to memory of 868	3552	vacuum.exe	86
PID 868 wrote to memory of 1752	868	cmd.exe	87
PID 868 wrote to memory of 1752	868	cmd.exe	87
PID 3552 wrote to memory of 3388	3552	vacuum.exe	88
PID 3552 wrote to memory of 3388	3552	vacuum.exe	88
PID 3388 wrote to memory of 4620	3388	cmd.exe	89
PID 3388 wrote to memory of 4620	3388	cmd.exe	89
PID 3552 wrote to memory of 4500	3552	vacuum.exe	90
PID 3552 wrote to memory of 4500	3552	vacuum.exe	90
PID 4500 wrote to memory of 4380	4500	cmd.exe	91
PID 4500 wrote to memory of 4380	4500	cmd.exe	91
PID 3552 wrote to memory of 892	3552	vacuum.exe	92
PID 3552 wrote to memory of 892	3552	vacuum.exe	92
PID 892 wrote to memory of 1644	892	cmd.exe	93
PID 892 wrote to memory of 1644	892	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\vacuum.exe
"C:\Users\Admin\AppData\Local\Temp\vacuum.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_videocontroller get PNPDeviceID
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_videocontroller get PNPDeviceID
    3⤵
    PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic CPU get Architecture
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic CPU get Architecture
    3⤵
    PID:4620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic bios get name, version
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get name, version
    3⤵
    PID:4380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid,name
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid,name
    3⤵
    PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3552-0-0x00007FF7DDF30000-0x00007FF7DF06D000-memory.dmp

Filesize
17.2MB

Download
memory/3552-1-0x00007FFBCE4E0000-0x00007FFBCE6E9000-memory.dmp

Filesize
2.0MB

Download
memory/3552-4-0x00007FF7DDF30000-0x00007FF7DF06D000-memory.dmp

Filesize
17.2MB

Download
memory/3552-3-0x00007FF7DDF30000-0x00007FF7DF06D000-memory.dmp

Filesize
17.2MB

Download
memory/3552-5-0x00007FF7DDF30000-0x00007FF7DF06D000-memory.dmp

Filesize
17.2MB

Download
memory/3552-6-0x00007FF7DDF30000-0x00007FF7DF06D000-memory.dmp

Filesize
17.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads