Analysis

max time kernel: 7s
max time network: 16s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 09-06-2024 05:07
Behavioral task: behavioral1
Sample: MWIII_UPDATED_AIO.exe
Resource: win7-20240215-en
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: MWIII_UPDATED_AIO.exe
Resource: win10v2004-20240426-en
7 signatures, 150 seconds
Errors
Reason: Machine shutdown
General

Target: MWIII_UPDATED_AIO.exe
Size: 5.6MB
MD5: 54fe3129e56a5cb3fcda5cce59cd83f3
SHA1: 522686e0d7cd6727d63c08b3806adccf48928e6d
SHA256: 546ba562b2d4d7c4889b713472ad571a39d898b579a99ee778ce489300b6a6c6
SHA512: 4999793e313c16a0b84aded1978ed895afbb129a3ea222b030973154a7f149b15eefda0c642f95a02df395d0152b408efce8eefd9c6313c9c59ace72919ae8b0
SSDEEP: 98304:Hj3o0kr2I2PfH2xeMzgTkU4BnTfy8bPVDEsvEVwyzzDH0rCNkeFc8n:D3Tkrr2mxeqKXunm4PVDWwy3DH0gkeFl
Score: 9/10
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | MWIII_UPDATED_AIO.exe |

Modifies boot configuration data using bcdedit (1 TTPs, 1 IoCs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:

| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | MWIII_UPDATED_AIO.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | MWIII_UPDATED_AIO.exe |

Processes:

| resource | yara_rule |
|---|---|
| behavioral1/memory/1516-0-0x000000013F550000-0x000000014037B000-memory.dmp | themida |
| behavioral1/memory/1516-8-0x000000013F550000-0x000000014037B000-memory.dmp | themida |
| behavioral1/memory/1516-4-0x000000013F550000-0x000000014037B000-memory.dmp | themida |
| behavioral1/memory/1516-7-0x000000013F550000-0x000000014037B000-memory.dmp | themida |
| behavioral1/memory/1516-6-0x000000013F550000-0x000000014037B000-memory.dmp | themida |
| behavioral1/memory/1516-5-0x000000013F550000-0x000000014037B000-memory.dmp | themida |
| behavioral1/memory/1516-3-0x000000013F550000-0x000000014037B000-memory.dmp | themida |
| behavioral1/memory/1516-2-0x000000013F550000-0x000000014037B000-memory.dmp | themida |
| behavioral1/memory/1516-10-0x000000013F550000-0x000000014037B000-memory.dmp | themida |

Checks whether UAC is enabled
Processes:

| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MWIII_UPDATED_AIO.exe |

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes:

| pid | process |
|---|---|
| 1516 | MWIII_UPDATED_AIO.exe |

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:

| description | pid | process | target process |
|---|---|---|---|
| PID 1516 wrote to memory of 2548 | 1516 | MWIII_UPDATED_AIO.exe | cmd.exe |
| PID 1516 wrote to memory of 2548 | 1516 | MWIII_UPDATED_AIO.exe | cmd.exe |
| PID 1516 wrote to memory of 2548 | 1516 | MWIII_UPDATED_AIO.exe | cmd.exe |
| PID 2548 wrote to memory of 2588 | 2548 | cmd.exe | bcdedit.exe |
| PID 2548 wrote to memory of 2588 | 2548 | cmd.exe | bcdedit.exe |
| PID 2548 wrote to memory of 2588 | 2548 | cmd.exe | bcdedit.exe |
Processes

- C:\Users\Admin\AppData\Local\Temp\MWIII_UPDATED_AIO.exe (PID 1516)
  Command line: "C:\Users\Admin\AppData\Local\Temp\MWIII_UPDATED_AIO.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\cmd.exe (PID 2548)
    Command line: C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >nul 2>&1
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\system32\bcdedit.exe (PID 2588)
      Command line: bcdedit /set hypervisorlaunchtype off
      Signatures:
      - Modifies boot configuration data using bcdedit
  - C:\Windows\system32\cmd.exe (PID 2600)
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe (PID 2648)
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe (PID 2872)
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe (PID 2556)
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe (PID 2860)
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe (PID 2208)
    Command line: C:\Windows\system32\cmd.exe /c shutdown /r /f /t 0 >nul 2>&1
    Child processes:
    - C:\Windows\system32\shutdown.exe (PID 2684)
      Command line: shutdown /r /f /t 0
- C:\Windows\system32\LogonUI.exe (PID 2832)
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe (PID 2952)
  Command line: "LogonUI.exe" /flags:0x1