Analysis
- max time kernel: 1s
- max time network: 94s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 09-06-2024 12:04
General
- Target: loader_bluepill.exe
- Size: 8.9MB
- MD5: c7ba90393c994de84ebae1d035f9be9d
- SHA1: ca58cc1acc630f879057bd01c7c12eb674aaa7ed
- SHA256: 25a4c8dc7c5db71d1a449ccf57e9d22467bd562446cb65a1b715670e87dfe6a7
- SHA512: ab6cdfd5b5f84e4667443c6b668c5b8be4621bc6ab04081776162ca59e14f617f2363d3c2cdf7bc4ca5d68ffebeef34c190666b61fade15f76613a7c43544677
- SSDEEP: 196608:r0rNFmkF/jUGFgWteROdMQ0UMpBXj/A9eQR4vLYCDG2Ki8:IRF91oGFvlbEpy9JR4vLk2M
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes: loader_bluepill.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: loader_bluepill.exe)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: loader_bluepill.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: loader_bluepill.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: loader_bluepill.exe)
YARA rule matches (rule: themida)
Resources:
  behavioral1/memory/4404-0-0x00007FF60D800000-0x00007FF60EC1E000-memory.dmp: themida
  behavioral1/memory/4404-2-0x00007FF60D800000-0x00007FF60EC1E000-memory.dmp: themida
  behavioral1/memory/4404-5-0x00007FF60D800000-0x00007FF60EC1E000-memory.dmp: themida
  behavioral1/memory/4404-4-0x00007FF60D800000-0x00007FF60EC1E000-memory.dmp: themida
  behavioral1/memory/4404-3-0x00007FF60D800000-0x00007FF60EC1E000-memory.dmp: themida
  behavioral1/memory/4404-6-0x00007FF60D800000-0x00007FF60EC1E000-memory.dmp: themida
  behavioral1/memory/4404-7-0x00007FF60D800000-0x00007FF60EC1E000-memory.dmp: themida
  behavioral1/memory/4404-9-0x00007FF60D800000-0x00007FF60EC1E000-memory.dmp: themida
  behavioral1/memory/4404-8-0x00007FF60D800000-0x00007FF60EC1E000-memory.dmp: themida
  C:\Users\Admin\AppData\Local\Temp\Sx91w2O3.exe: themida
  C:\Users\Admin\AppData\Local\Temp\Sx91w2O3.exe: themida
  behavioral1/memory/216-201-0x00007FF75B860000-0x00007FF75CD83000-memory.dmp: themida
  behavioral1/memory/216-202-0x00007FF75B860000-0x00007FF75CD83000-memory.dmp: themida
  behavioral1/memory/216-204-0x00007FF75B860000-0x00007FF75CD83000-memory.dmp: themida
  behavioral1/memory/216-203-0x00007FF75B860000-0x00007FF75CD83000-memory.dmp: themida
  behavioral1/memory/216-205-0x00007FF75B860000-0x00007FF75CD83000-memory.dmp: themida
  behavioral1/memory/216-206-0x00007FF75B860000-0x00007FF75CD83000-memory.dmp: themida
  behavioral1/memory/216-208-0x00007FF75B860000-0x00007FF75CD83000-memory.dmp: themida
  behavioral1/memory/216-207-0x00007FF75B860000-0x00007FF75CD83000-memory.dmp: themida
  behavioral1/memory/216-209-0x00007FF75B860000-0x00007FF75CD83000-memory.dmp: themida
  behavioral1/memory/4404-210-0x00007FF60D800000-0x00007FF60EC1E000-memory.dmp: themida
  behavioral1/memory/216-211-0x00007FF75B860000-0x00007FF75CD83000-memory.dmp: themida
Checks whether UAC is enabled
Processes: loader_bluepill.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: loader_bluepill.exe)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes: loader_bluepill.exe (PID 4404)
Processes
- C:\Users\Admin\AppData\Local\Temp\loader_bluepill.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\loader_bluepill.exe"
  PID: 4404
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\Sx91w2O3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sx91w2O3.exe" --delete=C:\Users\Admin\AppData\Local\Temp\loader_bluepill.exe
    PID: 216
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  PID: 2184
- C:\Windows\system32\browser_broker.exe
  Command line: C:\Windows\system32\browser_broker.exe -Embedding
  PID: 4472
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  PID: 1740
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  PID: 2308
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  PID: 4888
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  PID: 4664
Network
MITRE ATT&CK Enterprise v15
Downloads