Analysis

max time kernel: 132s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-05-2024 13:20
Static task: static1
Behavioral task: behavioral1
  Sample: bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
  Resource: win10v2004-20240508-en
General

Target: bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
Size: 5.3MB
MD5: 3c8ff3a5f2fe2ed835912880c2804387
SHA1: 61d79555462661e74c278db5edb9bbd55ff1fe0d
SHA256: bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc
SHA512: 3ae9950dff52330be11878debb6f5f87c1888a536144023029d9e433ab6c8d8914f2c4889df71e1b2de60840242687a47079edb7e44ff12deeec1e303d79b1c4
SSDEEP: 98304:1iuobqH3OBxmpnHSW1cpp4oXgxWbLo/ivS/FexAl/T+ZYpIpoYrE:1ixyxNSu2yoXFpvSaY+pJ
Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
Checks BIOS information in registry (2 TTPs, 3 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
Checks whether UAC is enabled
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description | ioc | process):
  File opened for modification | \??\PhysicalDrive0 | bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes (pid | process):
  4448 | bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
Modifies registry class (2 IoCs)
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{2631847a-390c-8a49-a872-724cd80c} | bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{2631847a-390c-8a49-a872-724cd80c}\SortOrderIndex = 84cee27a3925bdb7c773fceb | bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid | process):
  4448 | bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
  4448 | bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
Processes

C:\Users\Admin\AppData\Local\Temp\bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1392,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4024 /prefetch:8