Analysis
max time kernel: 7s
max time network: 18s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-06-2024 05:07
Behavioral task: behavioral1
Sample: MWIII_UPDATED_AIO.exe
Resource: win7-20240215-en
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: MWIII_UPDATED_AIO.exe
Resource: win10v2004-20240426-en
7 signatures, 150 seconds
Errors
Reason: Machine shutdown
General
Target: MWIII_UPDATED_AIO.exe
Size: 5.6MB
MD5: 54fe3129e56a5cb3fcda5cce59cd83f3
SHA1: 522686e0d7cd6727d63c08b3806adccf48928e6d
SHA256: 546ba562b2d4d7c4889b713472ad571a39d898b579a99ee778ce489300b6a6c6
SHA512: 4999793e313c16a0b84aded1978ed895afbb129a3ea222b030973154a7f149b15eefda0c642f95a02df395d0152b408efce8eefd9c6313c9c59ace72919ae8b0
SSDEEP: 98304:Hj3o0kr2I2PfH2xeMzgTkU4BnTfy8bPVDEsvEVwyzzDH0rCNkeFc8n:D3Tkrr2mxeqKXunm4PVDWwy3DH0gkeFl
Score: 9/10
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes: MWIII_UPDATED_AIO.exe
  description      ioc                                          process
  Key opened       \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  MWIII_UPDATED_AIO.exe

Modifies boot configuration data using bcdedit (1 TTP, 1 IoC)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: MWIII_UPDATED_AIO.exe
  description        ioc                                                                process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    MWIII_UPDATED_AIO.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion     MWIII_UPDATED_AIO.exe

Yara rule matches in process memory (rule: themida)
  resource                                                                        yara_rule
  behavioral2/memory/4888-0-0x00007FF76E2F0000-0x00007FF76F11B000-memory.dmp     themida
  behavioral2/memory/4888-1-0x00007FF76E2F0000-0x00007FF76F11B000-memory.dmp     themida
  behavioral2/memory/4888-3-0x00007FF76E2F0000-0x00007FF76F11B000-memory.dmp     themida
  behavioral2/memory/4888-4-0x00007FF76E2F0000-0x00007FF76F11B000-memory.dmp     themida
  behavioral2/memory/4888-5-0x00007FF76E2F0000-0x00007FF76F11B000-memory.dmp     themida
  behavioral2/memory/4888-6-0x00007FF76E2F0000-0x00007FF76F11B000-memory.dmp     themida
  behavioral2/memory/4888-8-0x00007FF76E2F0000-0x00007FF76F11B000-memory.dmp     themida
  behavioral2/memory/4888-7-0x00007FF76E2F0000-0x00007FF76F11B000-memory.dmp     themida
  behavioral2/memory/4888-10-0x00007FF76E2F0000-0x00007FF76F11B000-memory.dmp    themida

Checks whether UAC is enabled
Processes: MWIII_UPDATED_AIO.exe
  description        ioc                                                                              process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  MWIII_UPDATED_AIO.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes: MWIII_UPDATED_AIO.exe
  pid   process
  4888  MWIII_UPDATED_AIO.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: MWIII_UPDATED_AIO.exe, cmd.exe
  description                        pid   process                target process
  PID 4888 wrote to memory of 4412   4888  MWIII_UPDATED_AIO.exe  cmd.exe
  PID 4888 wrote to memory of 4412   4888  MWIII_UPDATED_AIO.exe  cmd.exe
  PID 4412 wrote to memory of 3436   4412  cmd.exe                bcdedit.exe
  PID 4412 wrote to memory of 3436   4412  cmd.exe                bcdedit.exe
Processes (tree; indentation shows parent/child)

C:\Users\Admin\AppData\Local\Temp\MWIII_UPDATED_AIO.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\MWIII_UPDATED_AIO.exe"
  PID: 4888
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >nul 2>&1
    PID: 4412
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\bcdedit.exe
      command line: bcdedit /set hypervisorlaunchtype off
      PID: 3436
      - Modifies boot configuration data using bcdedit

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c cls
    PID: 1916

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c cls
    PID: 4676

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c cls
    PID: 4544

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c cls
    PID: 512

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c cls
    PID: 2380

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c shutdown /r /f /t 0 >nul 2>&1
    PID: 4424

    C:\Windows\system32\shutdown.exe
      command line: shutdown /r /f /t 0
      PID: 4060

C:\Windows\system32\LogonUI.exe
  command line: "LogonUI.exe" /flags:0x4 /state0:0xa39bb055 /state1:0x41c64e6d
  PID: 4872