Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 13:22
Behavioral task: behavioral1
Sample: 4f8f280ae5dbb931d0b79cba30b912698831dd17b7cf146348642ecbcf90eeae.exe
Resource: win7-20240221-en
General
Target: 4f8f280ae5dbb931d0b79cba30b912698831dd17b7cf146348642ecbcf90eeae.exe
Size: 8.6MB
MD5: bcb0efeb03ab1b4d32d6043f7a223719
SHA1: c5933dcb5d2b4510dc2b61650fd544073da19f88
SHA256: 4f8f280ae5dbb931d0b79cba30b912698831dd17b7cf146348642ecbcf90eeae
SHA512: e6aa13e4ea95f21b477b802cc97d4bbfb2f6a908482cdfe08095df2cf83799827335f7fa920ab56016c08c9e849739ac2ce81b4285f4cc68929fff2e33023b4d
SSDEEP: 196608:VCO0Bg8tEXBAw4ov3Vhqx3nChywSH9QBOltYDKzwHTK7lHXxv:Vn0BlwBj4ov3VoyhywsaKE+7lH
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4f8f280ae5dbb931d0b79cba30b912698831dd17b7cf146348642ecbcf90eeae.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4f8f280ae5dbb931d0b79cba30b912698831dd17b7cf146348642ecbcf90eeae.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4f8f280ae5dbb931d0b79cba30b912698831dd17b7cf146348642ecbcf90eeae.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  2220 | 4f8f280ae5dbb931d0b79cba30b912698831dd17b7cf146348642ecbcf90eeae.exe
  2220 | 4f8f280ae5dbb931d0b79cba30b912698831dd17b7cf146348642ecbcf90eeae.exe
- YARA rule match: themida
  Processes (resource | yara_rule):
  behavioral1/memory/2220-0-0x0000000000400000-0x00000000013C1000-memory.dmp | themida
  behavioral1/memory/2220-2-0x0000000000400000-0x00000000013C1000-memory.dmp | themida
  behavioral1/memory/2220-3-0x0000000000400000-0x00000000013C1000-memory.dmp | themida
  behavioral1/memory/2220-4-0x0000000000400000-0x00000000013C1000-memory.dmp | themida
  behavioral1/memory/2220-24-0x0000000000400000-0x00000000013C1000-memory.dmp | themida
  behavioral1/memory/2220-29-0x0000000000400000-0x00000000013C1000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 4f8f280ae5dbb931d0b79cba30b912698831dd17b7cf146348642ecbcf90eeae.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid | process):
  2220 | 4f8f280ae5dbb931d0b79cba30b912698831dd17b7cf146348642ecbcf90eeae.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  2220 | 4f8f280ae5dbb931d0b79cba30b912698831dd17b7cf146348642ecbcf90eeae.exe
  2220 | 4f8f280ae5dbb931d0b79cba30b912698831dd17b7cf146348642ecbcf90eeae.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid | process):
  2220 | 4f8f280ae5dbb931d0b79cba30b912698831dd17b7cf146348642ecbcf90eeae.exe
  2220 | 4f8f280ae5dbb931d0b79cba30b912698831dd17b7cf146348642ecbcf90eeae.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4f8f280ae5dbb931d0b79cba30b912698831dd17b7cf146348642ecbcf90eeae.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f8f280ae5dbb931d0b79cba30b912698831dd17b7cf146348642ecbcf90eeae.exe"
  PID: 2220
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\Config.ini
  Filesize: 86B
  MD5: e8986e10fd9e154cf5af7eca9e1817e3
  SHA1: 0514d45b8b4a9e6729f21d9904bea08c99f3bea6
  SHA256: d7dc797eb1d2d12bd37b73c13f0740475f57f39868348fff28409312c9d630be
  SHA512: 0ba250f0b88242b1915643d12be42dd9dee0f0041da5233cc7c69148a4cca7a0151b7d11108cd2b7a627616e0a754e973fc14c1160399480f3799989bf83d5ac
- \Users\Admin\AppData\Local\Temp\E2EECore.2.7.2.dll
  Filesize: 8.4MB
  MD5: 8b6c94bbdbfb213e94a5dcb4fac28ce3
  SHA1: b56102ca4f03556f387f8b30e2b404efabe0cb65
  SHA256: 982a177924762f270b36fe34c7d6847392b48ae53151dc2011078dceef487a53
  SHA512: 9d6d63b5d8cf7a978d7e91126d7a343c2f7acd00022da9d692f63e50835fdd84a59a93328564f10622f2b1f6adfd7febdd98b8ddb294d0754ed45cc9c165d25a
- \Users\Admin\AppData\Roaming\bass.dll
  Filesize: 97KB
  MD5: df054025c9e845b33b27a99af750f9b9
  SHA1: cb2a9dc07dada8e2d96d10baee878131aeff0d14
  SHA256: dfa29cf9a2cbcd8b1dcf7fb7a72764ff2b05e47b056e2a80190338492e0ad0a4
  SHA512: f1de2207a6ea3bb455ff763bb86404e57a78d0e1d229a0158e41c53507b7b63be926142ee39fae62b6408acb8e5a350ce0f5beaf1823c7d09a4bde88622e4f36
- memory/2220-9-0x0000000010000000-0x0000000010059000-memory.dmp
  Filesize: 356KB
- memory/2220-4-0x0000000000400000-0x00000000013C1000-memory.dmp
  Filesize: 15.8MB
- memory/2220-3-0x0000000000400000-0x00000000013C1000-memory.dmp
  Filesize: 15.8MB
- memory/2220-0-0x0000000000400000-0x00000000013C1000-memory.dmp
  Filesize: 15.8MB
- memory/2220-2-0x0000000000400000-0x00000000013C1000-memory.dmp
  Filesize: 15.8MB
- memory/2220-13-0x0000000011000000-0x0000000011063000-memory.dmp
  Filesize: 396KB
- memory/2220-15-0x0000000004180000-0x0000000004296000-memory.dmp
  Filesize: 1.1MB
- memory/2220-1-0x0000000077DB0000-0x0000000077DB2000-memory.dmp
  Filesize: 8KB
- memory/2220-25-0x0000000011000000-0x0000000011063000-memory.dmp
  Filesize: 396KB
- memory/2220-24-0x0000000000400000-0x00000000013C1000-memory.dmp
  Filesize: 15.8MB
- memory/2220-28-0x0000000010000000-0x0000000010059000-memory.dmp
  Filesize: 356KB
- memory/2220-29-0x0000000000400000-0x00000000013C1000-memory.dmp
  Filesize: 15.8MB