Analysis
max time kernel: 16s
max time network: 19s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 09-06-2024 05:28
Behavioral task: behavioral1
Sample: MWIII UPDATED AIO.exe
Resource: win11-20240508-en
Signatures: 10
Runtime: 30 seconds
Errors (reason): Machine shutdown
General
Target: MWIII UPDATED AIO.exe
Size: 5.6MB
MD5: 54fe3129e56a5cb3fcda5cce59cd83f3
SHA1: 522686e0d7cd6727d63c08b3806adccf48928e6d
SHA256: 546ba562b2d4d7c4889b713472ad571a39d898b579a99ee778ce489300b6a6c6
SHA512: 4999793e313c16a0b84aded1978ed895afbb129a3ea222b030973154a7f149b15eefda0c642f95a02df395d0152b408efce8eefd9c6313c9c59ace72919ae8b0
SSDEEP: 98304:Hj3o0kr2I2PfH2xeMzgTkU4BnTfy8bPVDEsvEVwyzzDH0rCNkeFc8n:D3Tkrr2mxeqKXunm4PVDWwy3DH0gkeFl
Score: 9/10
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | MWIII UPDATED AIO.exe
- Modifies boot configuration data using bcdedit (1 TTPs, 1 IoCs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | MWIII UPDATED AIO.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | MWIII UPDATED AIO.exe
- (signature name missing from the page; YARA matches on the sample's memory)
  Processes:
    resource | yara_rule
    behavioral1/memory/4552-0-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp | themida
    behavioral1/memory/4552-2-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp | themida
    behavioral1/memory/4552-3-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp | themida
    behavioral1/memory/4552-4-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp | themida
    behavioral1/memory/4552-7-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp | themida
    behavioral1/memory/4552-6-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp | themida
    behavioral1/memory/4552-8-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp | themida
    behavioral1/memory/4552-5-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp | themida
    behavioral1/memory/4552-10-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MWIII UPDATED AIO.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
    pid | process
    4552 | MWIII UPDATED AIO.exe
- Modifies data under HKEY_USERS (15 IoCs)
  Processes:
    description | ioc | process
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "191" | LogonUI.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeShutdownPrivilege | 4356 | shutdown.exe
    Token: SeRemoteShutdownPrivilege | 4356 | shutdown.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid | process
    4788 | LogonUI.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
    description | pid process | target process
    PID 4552 wrote to memory of 484 | 4552 MWIII UPDATED AIO.exe | cmd.exe
    PID 4552 wrote to memory of 484 | 4552 MWIII UPDATED AIO.exe | cmd.exe
    PID 484 wrote to memory of 2096 | 484 cmd.exe | bcdedit.exe
    PID 484 wrote to memory of 2096 | 484 cmd.exe | bcdedit.exe
    PID 4552 wrote to memory of 424 | 4552 MWIII UPDATED AIO.exe | cmd.exe
    PID 4552 wrote to memory of 424 | 4552 MWIII UPDATED AIO.exe | cmd.exe
    PID 4552 wrote to memory of 5076 | 4552 MWIII UPDATED AIO.exe | cmd.exe
    PID 4552 wrote to memory of 5076 | 4552 MWIII UPDATED AIO.exe | cmd.exe
    PID 4552 wrote to memory of 2428 | 4552 MWIII UPDATED AIO.exe | cmd.exe
    PID 4552 wrote to memory of 2428 | 4552 MWIII UPDATED AIO.exe | cmd.exe
    PID 4552 wrote to memory of 1376 | 4552 MWIII UPDATED AIO.exe | cmd.exe
    PID 4552 wrote to memory of 1376 | 4552 MWIII UPDATED AIO.exe | cmd.exe
    PID 4552 wrote to memory of 2892 | 4552 MWIII UPDATED AIO.exe | cmd.exe
    PID 4552 wrote to memory of 2892 | 4552 MWIII UPDATED AIO.exe | cmd.exe
    PID 4552 wrote to memory of 4812 | 4552 MWIII UPDATED AIO.exe | cmd.exe
    PID 4552 wrote to memory of 4812 | 4552 MWIII UPDATED AIO.exe | cmd.exe
    PID 4812 wrote to memory of 4356 | 4812 cmd.exe | shutdown.exe
    PID 4812 wrote to memory of 4356 | 4812 cmd.exe | shutdown.exe
Processes (tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe"
  PID: 4552
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >nul 2>&1
      PID: 484
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\bcdedit.exe
          command line: bcdedit /set hypervisorlaunchtype off
          PID: 2096
          - Modifies boot configuration data using bcdedit
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c cls
      PID: 424
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c cls
      PID: 5076
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c cls
      PID: 2428
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c cls
      PID: 1376
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c cls
      PID: 2892
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c shutdown /r /f /t 0 >nul 2>&1
      PID: 4812
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\shutdown.exe
          command line: shutdown /r /f /t 0
          PID: 4356
          - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\LogonUI.exe
  command line: "LogonUI.exe" /flags:0x4 /state0:0xa3a03855 /state1:0x41c64e6d
  PID: 4788
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx