Analysis
-
max time kernel
130s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 19:48
General
-
Target
bb642e4d8f8e9b0151d3e830dc453f0c2d321acd46baef7ca9476d2543ad85e8.exe
-
Size
5.4MB
-
MD5
c53a2570ddcfdbd96f1eca0efb65afb3
-
SHA1
84e52665eb4f458ee145fb1ebfa422cd5fedc611
-
SHA256
bb642e4d8f8e9b0151d3e830dc453f0c2d321acd46baef7ca9476d2543ad85e8
-
SHA512
f314289acbaa782eb4113928e6a07faca9c1bbb0ee72562f316a0656f89dce9ff39dcf1182fbc914e962968428676337c6077079443999f4d2ee0af8b7bd93e8
-
SSDEEP
98304:VfOY8AXs2F3LBZJHZKWrfpLp97maUL5uFu3zoo668uSP10mJP6WnytQlkHvbp9Ey:R3D82J9LHZKWjpF97ma3azop68FPTZ65
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 1 IoCs
-
Themida packer 5 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb642e4d8f8e9b0151d3e830dc453f0c2d321acd46baef7ca9476d2543ad85e8.exe"C:\Users\Admin\AppData\Local\Temp\bb642e4d8f8e9b0151d3e830dc453f0c2d321acd46baef7ca9476d2543ad85e8.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 13282⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2108 -ip 21081⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\CCStudio\HpSocket4C.dllFilesize
2.8MB
MD54bc970a97300b1a725d44bba23d8697a
SHA16f1eb181153692814e038e2f851d0734646f78f8
SHA256c9d8fb5311ae6018dc1ca72774cb7efeba5c115c827a5cfb795b3580499e323d
SHA51203968ca876b7e584de0a1418cca1dd2036fd0b4744f86d69aee5691a42061e284f8d9577293ef3f656be332f7da5ca276f85c6393bd6d8eb7de181baec0285f8
-
memory/2108-0-0x0000000000400000-0x000000000114B000-memory.dmpFilesize
13.3MB
-
memory/2108-1-0x0000000077564000-0x0000000077566000-memory.dmpFilesize
8KB
-
memory/2108-2-0x0000000000400000-0x000000000114B000-memory.dmpFilesize
13.3MB
-
memory/2108-4-0x0000000000400000-0x000000000114B000-memory.dmpFilesize
13.3MB
-
memory/2108-3-0x0000000000400000-0x000000000114B000-memory.dmpFilesize
13.3MB
-
memory/2108-5-0x0000000010000000-0x0000000010059000-memory.dmpFilesize
356KB
-
memory/2108-6-0x00000000033E0000-0x0000000003439000-memory.dmpFilesize
356KB
-
memory/2108-12-0x0000000000400000-0x000000000114B000-memory.dmpFilesize
13.3MB