Analysis
-
max time kernel
152s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
06-06-2024 04:55
General
-
Target
injector_3.exe
-
Size
2.9MB
-
MD5
46cae523a713b42a2725e391c380ff15
-
SHA1
fb92db28887b5cdbfdcf5e2200e2a0c61052e03f
-
SHA256
ddb0cb4678fd74a89202b5a6957b2a175c7b84332014dc524ff3f5e87a0185ae
-
SHA512
54863687fe0c451f46cf97f095c71022da20abe4ddd8afef2c1b60d632099e8c9fc4d6e7b535844864c02a0a7b1c68a6a5639e376ee68cebc3a1693ca7df02fc
-
SSDEEP
49152:axmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxWn+O93+xN:axx9NUFkQx753uWuCyyxWnruL
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Themida packer 21 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Drops file in Windows directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\injector_3.exe"C:\Users\Admin\AppData\Local\Temp\injector_3.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\injector_3.exec:\users\admin\appdata\local\temp\injector_3.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SoftwareDistribution\Download\gP9oN.exe"C:\Windows\SoftwareDistribution\Download\gP9oN.exe" -map C:\Windows\SoftwareDistribution\Download\gP9oN.sys3⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
3Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
309KB
MD514de2eca1cb8ec2454d48a37784c3df1
SHA143877e3c6cf8faf6095e984bc825972d378f1140
SHA256bc026101c9a6975a8adb9aebd374a57a3f7cafc0e6f21e6bd4b52e60fb0fdd14
SHA512b4ee51aa0b89bd461e45ff5fce47dadaa13b81aa8d01514800920b065fa9e7dc08801feae5bfe69b0e2663817a0cda97e087bb49861403e8d4aeee0997530fe7
-
Filesize
2.5MB
MD55685ed42d05d9ff1021eb30e050e932c
SHA12ab75b8adf05d52fac34ce0aeabfad1f5ba878dc
SHA256670d920feb221e0d623e834b8de2f024884066f321dbe51496bd747d3ca39264
SHA51251b4f5dc0f61e74760b82fff01079d6dbde598ec30bd57705aaf8123f2c0780387ae7951723220f8d8c114442446593afd0fa7de2de8530f4da1512495cb35e3
-
Filesize
2.5MB
MD5465b101e5cdf684339c6ce39d3b7bc2b
SHA1a9dc2bfc94fd17341dba45db43baeb38e8d2a88b
SHA256677c809e907ede23acb13f4bc88cce1d21e044a95d8c4d17ecbe5b030d0137d7
SHA512d6462963eaa92dbddf24183556c7c99962a3dddadb33978e9d7ad3e4d6cb0308f2f076f62ce08d44b70de9604886e94aa0976b7466b78b6fa87c045a78b9c1de
-
Filesize
2.5MB
MD55df1f3f926c02a4c2a5124da4ae523ed
SHA1ac368a2ce7a1d3ba9b57ab92f8a81acec2b8d601
SHA2561284d06613cdeeff7eb9d12d187c546fa3e9436aeead8a8b77c6bfd97a7acd9e
SHA512698c730399a9cad758d339f2c044161be8ef242abdebc4548ca6ca977d40e4a8d9c2145e4d1a5ee04aca0fd6f9c125380a5dd894285054cfd38659dabbb651d0
-
Filesize
260KB
MD5083c6c05ac5875d0b6e997e894ca07bc
SHA169d0116998e8a70db5852fccb86d45975ce88a9a
SHA25603aefd40698cafbd48138784f362fb9a36f726fb50f262ca40695729f7b553ca
SHA512fb0b9994f9ddadd825476ed19a8299ef90536dae58b4f3087145ca4033a63d4ae0da944ac8bf4e71324e1b63af755ab1d82019e55de6377b00c9812ed57f3fdf
-
Filesize
2.5MB
MD56368c51eeb8abb2860c0e2e086263a89
SHA1b41d0f1ad796a58898d89aaadab181f66d6fa092
SHA256aec69423bd9de70964b5199fef95b282e610eff47a0f92d53caf927de4e51518
SHA5124ee101c30e016c5601923b309871379b33362fb6a39fc9fa27fe86daf7c0469d272f8bee05352a0440b77f4822a969caae22743e1167b3ad7bcd2b8c8809e75b
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
8KB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB