bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc

Analysis

max time kernel
132s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
Size

5.3MB
MD5

3c8ff3a5f2fe2ed835912880c2804387
SHA1

61d79555462661e74c278db5edb9bbd55ff1fe0d
SHA256

bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc
SHA512

3ae9950dff52330be11878debb6f5f87c1888a536144023029d9e433ab6c8d8914f2c4889df71e1b2de60840242687a47079edb7e44ff12deeec1e303d79b1c4
SSDEEP

98304:1iuobqH3OBxmpnHSW1cpp4oXgxWbLo/ivS/FexAl/T+ZYpIpoYrE:1ixyxNSu2yoXFpvSaY+pJ

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe

description ioc process

File opened for modification \??\PhysicalDrive0 bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe

pid process

4448 bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe

Modifies registry class 2 IoCs

Processes:

bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{2631847a-390c-8a49-a872-724cd80c}	bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{2631847a-390c-8a49-a872-724cd80c}\SortOrderIndex = 84cee27a3925bdb7c773fceb	bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe

pid	process
4448	bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
4448	bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe

C:\Users\Admin\AppData\Local\Temp\bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe
"C:\Users\Admin\AppData\Local\Temp\bfc84cd03846b110793635210d9d98880311cd6090cc13331caee199d0c0d9cc.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1392,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4024 /prefetch:8
1⤵
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4448-0-0x0000000000150000-0x0000000000E51000-memory.dmp

Filesize
13.0MB

Download
memory/4448-1-0x00000000779A4000-0x00000000779A6000-memory.dmp

Filesize
8KB

Download
memory/4448-5-0x0000000000150000-0x0000000000E51000-memory.dmp

Filesize
13.0MB

Download