Analysis
max time kernel: 7s
max time network: 19s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 09-06-2024 05:26
Behavioral task: behavioral1
Sample: MWIII UPDATED AIO.exe
Resource: win11-20240426-en
7 signatures
30 seconds
Errors
Reason: Machine shutdown
General
Target: MWIII UPDATED AIO.exe
Size: 5.6MB
MD5: 54fe3129e56a5cb3fcda5cce59cd83f3
SHA1: 522686e0d7cd6727d63c08b3806adccf48928e6d
SHA256: 546ba562b2d4d7c4889b713472ad571a39d898b579a99ee778ce489300b6a6c6
SHA512: 4999793e313c16a0b84aded1978ed895afbb129a3ea222b030973154a7f149b15eefda0c642f95a02df395d0152b408efce8eefd9c6313c9c59ace72919ae8b0
SSDEEP: 98304:Hj3o0kr2I2PfH2xeMzgTkU4BnTfy8bPVDEsvEVwyzzDH0rCNkeFc8n:D3Tkrr2mxeqKXunm4PVDWwy3DH0gkeFl
Score
9/10
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  Processes:
    description    ioc                                            process
    Key opened     \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    MWIII UPDATED AIO.exe
- Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description           ioc                                                                process
    Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    MWIII UPDATED AIO.exe
    Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion     MWIII UPDATED AIO.exe
- Processes:
    resource                                                                      yara_rule
    behavioral1/memory/2820-0-0x00007FF78DD10000-0x00007FF78EB3B000-memory.dmp     themida
    behavioral1/memory/2820-4-0x00007FF78DD10000-0x00007FF78EB3B000-memory.dmp     themida
    behavioral1/memory/2820-2-0x00007FF78DD10000-0x00007FF78EB3B000-memory.dmp     themida
    behavioral1/memory/2820-3-0x00007FF78DD10000-0x00007FF78EB3B000-memory.dmp     themida
    behavioral1/memory/2820-6-0x00007FF78DD10000-0x00007FF78EB3B000-memory.dmp     themida
    behavioral1/memory/2820-8-0x00007FF78DD10000-0x00007FF78EB3B000-memory.dmp     themida
    behavioral1/memory/2820-5-0x00007FF78DD10000-0x00007FF78EB3B000-memory.dmp     themida
    behavioral1/memory/2820-7-0x00007FF78DD10000-0x00007FF78EB3B000-memory.dmp     themida
    behavioral1/memory/2820-10-0x00007FF78DD10000-0x00007FF78EB3B000-memory.dmp    themida
- Checks whether UAC is enabled
  Processes:
    description           ioc                                                                                process
    Key value queried     \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    MWIII UPDATED AIO.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes:
    pid      process
    2820     MWIII UPDATED AIO.exe
- Suspicious use of WriteProcessMemory 4 IoCs
  Processes:
    description                          pid      process                  target process
    PID 2820 wrote to memory of 4840     2820     MWIII UPDATED AIO.exe    cmd.exe
    PID 2820 wrote to memory of 4840     2820     MWIII UPDATED AIO.exe    cmd.exe
    PID 4840 wrote to memory of 4652     4840     cmd.exe                  bcdedit.exe
    PID 4840 wrote to memory of 4652     4840     cmd.exe                  bcdedit.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe"
   PID: 2820
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >nul 2>&1
      PID: 4840
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\bcdedit.exe
         Command line: bcdedit /set hypervisorlaunchtype off
         PID: 4652
         - Modifies boot configuration data using bcdedit
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cls
      PID: 2388
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cls
      PID: 3456
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cls
      PID: 4220
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cls
      PID: 5012
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cls
      PID: 4320
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c shutdown /r /f /t 0 >nul 2>&1
      PID: 4048
      3. C:\Windows\system32\shutdown.exe
         Command line: shutdown /r /f /t 0
         PID: 3772
1. C:\Windows\system32\LogonUI.exe
   Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3a04055 /state1:0x41c64e6d
   PID: 1760