Resubmissions

09-06-2024 05:28

240609-f6esjafa54 9

09-06-2024 05:26

240609-f48b3aeb7s 9

Analysis

  • max time kernel
    16s
  • max time network
    19s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09-06-2024 05:28

Errors

Reason
Machine shutdown

General

  • Target

    MWIII UPDATED AIO.exe

  • Size

    5.6MB

  • MD5

    54fe3129e56a5cb3fcda5cce59cd83f3

  • SHA1

    522686e0d7cd6727d63c08b3806adccf48928e6d

  • SHA256

    546ba562b2d4d7c4889b713472ad571a39d898b579a99ee778ce489300b6a6c6

  • SHA512

    4999793e313c16a0b84aded1978ed895afbb129a3ea222b030973154a7f149b15eefda0c642f95a02df395d0152b408efce8eefd9c6313c9c59ace72919ae8b0

  • SSDEEP

    98304:Hj3o0kr2I2PfH2xeMzgTkU4BnTfy8bPVDEsvEVwyzzDH0rCNkeFc8n:D3Tkrr2mxeqKXunm4PVDWwy3DH0gkeFl

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 9 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe
    "C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:4552
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:484
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set hypervisorlaunchtype off
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2096
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
        PID:424
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        2⤵
          PID:5076
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          2⤵
            PID:2428
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c cls
            2⤵
              PID:1376
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c cls
              2⤵
                PID:2892
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c shutdown /r /f /t 0 >nul 2>&1
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:4812
                • C:\Windows\system32\shutdown.exe
                  shutdown /r /f /t 0
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4356
            • C:\Windows\system32\LogonUI.exe
              "LogonUI.exe" /flags:0x4 /state0:0xa3a03855 /state1:0x41c64e6d
              1⤵
              • Modifies data under HKEY_USERS
              • Suspicious use of SetWindowsHookEx
              PID:4788

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/4552-0-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp

              Filesize

              14.2MB

            • memory/4552-1-0x00007FF96A7E7000-0x00007FF96A7E9000-memory.dmp

              Filesize

              8KB

            • memory/4552-2-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp

              Filesize

              14.2MB

            • memory/4552-3-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp

              Filesize

              14.2MB

            • memory/4552-4-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp

              Filesize

              14.2MB

            • memory/4552-7-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp

              Filesize

              14.2MB

            • memory/4552-6-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp

              Filesize

              14.2MB

            • memory/4552-8-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp

              Filesize

              14.2MB

            • memory/4552-5-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp

              Filesize

              14.2MB

            • memory/4552-10-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp

              Filesize

              14.2MB