Analysis
-
max time kernel
26s -
max time network
17s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
22-05-2024 04:58
General
-
Target
DELTA`S SUPPORT TOOL.exe
-
Size
3.0MB
-
MD5
551c01bff1bdf4bdbe89a0ee348f54e4
-
SHA1
a0e033049541b5cd73f1212efe6273229409408b
-
SHA256
894d3fcd2439db97e252dbfe5fb555843e7f21ccd90b7cd1e48c3f3f9bf231cd
-
SHA512
40d5fceccd7241ae858bd287a9168c535cf49b25eb482f5361dee67f7a5447762a849a468427996bcaf7c85ae8bbb05c84324a6cc180e5431e6b7eeb07e5a435
-
SSDEEP
49152:8xmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxuihz4sX:8xx9NUFkQx753uWuCyyxuiH
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 6 IoCs
-
Themida packer 16 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Windows directory 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DELTA`S SUPPORT TOOL.exe"C:\Users\Admin\AppData\Local\Temp\DELTA`S SUPPORT TOOL.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\delta`s support tool.exe"c:\users\admin\appdata\local\temp\delta`s support tool.exe "2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\delta`s support tool.exeFilesize
505KB
MD5521a361fe8fb6d8c560a00a2c15452e7
SHA17d04366a6e6544664937bd7702fec0996d0c2973
SHA25639dd835e5e53956a03122cf97f763e0faeb25817d2fd3c3d386eb3e3894e7115
SHA51274f3fbc8d6100dd4d7a96aae98547d5ee1ffbe37aaaaa275976a66566f4db00a38690b9184d65ff38d37a2c93536021ee632ed74ef2f2cc9863dbf997f17f1af
-
C:\Windows\Resources\Themes\icsys.icn.exeFilesize
2.5MB
MD54e4155d335db93b23e7ba179eba04c24
SHA1cf735e9276b453894c4f3f7fed06e29d7c950992
SHA2565020c6bc994a406c47f198c3407aa053304b3df5470be16c98c18da565ab6c78
SHA512c5c150b2d21fddf31b74d8da29d566b49c0b8ad731c7eb0c7c5a954254630397f235913062d2e0daa0dcb688223f6e69f59508eaecac26e1a7134f7e7db88199
-
C:\Windows\Resources\spoolsv.exeFilesize
2.5MB
MD52d8701c1f6c75e2fbf8c9776dd88e733
SHA13631ffa4682cf9c6587b5d7132cbe7185c4337a5
SHA256a4973e0be14da854b0b96af4dc9e88140b9af5ac0a099056030fdf51a1f11e0c
SHA512b19ab0193d8350dfc245dd0521f334c96cff1cec330e478b2cf2fbb65018606a8c81712bdd66b408dffefcfbc77598880d613585c75c1344766238d133dd26d6
-
C:\Windows\Resources\svchost.exeFilesize
2.5MB
MD5580de3b91a58bde507c6c6d0df2871ae
SHA1d5beb192b535f3c033500270aed97c88ac9f3124
SHA25686bd8f0be067e116e57dd7f494071d799b682759c6ce623a9d3b154b5f68d7e0
SHA5127c95e55d7b8138eade53cbfa4b690c61873b83698ef08a80756f3cf4ee528b5524ecff4afe047553a9025b3fdd04c004ba7ee737482e7e55556b200298dfaaef
-
\??\c:\windows\resources\themes\explorer.exeFilesize
2.5MB
MD57785d96212b3459e9e07cfe59b2c0c61
SHA114432c9d3eaaa790fc1ddd8712fcdd44dbbf771b
SHA256d792523f22c89475dd49457d371bcb76e54638b3cfc4b1a0f768f467cc44be51
SHA512dbcd06b99f9b278ea8cae2064a6a79d045ab14524ae539a6c4d2ef13214306729de2ae90237489a4b453b72141455c1e70060f6bcb8380380e510dae7cdcfae1
-
memory/236-61-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/236-43-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/1200-54-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/1200-48-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2864-11-0x00007FFB141D3000-0x00007FFB141D4000-memory.dmpFilesize
4KB
-
memory/2864-16-0x00000227EED60000-0x00000227EED61000-memory.dmpFilesize
4KB
-
memory/2864-62-0x00007FFB141D3000-0x00007FFB141D4000-memory.dmpFilesize
4KB
-
memory/2864-13-0x00000227ED150000-0x00000227ED224000-memory.dmpFilesize
848KB
-
memory/3368-59-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/3368-1-0x0000000077D14000-0x0000000077D15000-memory.dmpFilesize
4KB
-
memory/3368-0-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/4516-55-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/4516-34-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/5072-58-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/5072-15-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/5088-60-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/5088-25-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB