Analysis
max time kernel: 30s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64 arch:x86 image:win11-20240508-en locale:en-us os:windows11-21h2-x64 system
submitted: 09-06-2024 17:53
General
Target: Injector.exe
Size: 3.4MB
MD5: c6b39ee166d5b0a2c8a9021ccd1593ae
SHA1: e480e7c282f64e8b0179c82afe154dd59d14217d
SHA256: 443b665c5f545a2bdd7855f86bf70a5ee7f35eda1b6b08615161f5809cbda02b
SHA512: 3864aea36c522ca5658412128e6a4c862a647cf3b1054b9adbe418488590a37600d7639c3eba94ca9de76f087b244b95644c667213b1122889cf2d9b7a4652d2
SSDEEP: 49152:Kl0nJ28J4VZohYWVGGjW8NhSU7zwo8oXJ2R3KPHsI7coj2J+eNgRpqNc1a:KmnJrJ4DohYWVTJNkIZZ2R6vsmA+FDqN
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 1 IoCs
Processes:
process | description | ioc
Injector.exe | Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- Checks BIOS information in registry | 2 TTPs | 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
process | description | ioc
Injector.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Injector.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- YARA rule match: themida
Processes:
resource | yara_rule
behavioral1/memory/1524-0-0x00007FF7C62F0000-0x00007FF7C6C50000-memory.dmp | themida
behavioral1/memory/1524-1-0x00007FF7C62F0000-0x00007FF7C6C50000-memory.dmp | themida
behavioral1/memory/1524-2-0x00007FF7C62F0000-0x00007FF7C6C50000-memory.dmp | themida
behavioral1/memory/1524-5-0x00007FF7C62F0000-0x00007FF7C6C50000-memory.dmp | themida
behavioral1/memory/1524-4-0x00007FF7C62F0000-0x00007FF7C6C50000-memory.dmp | themida
behavioral1/memory/1524-7-0x00007FF7C62F0000-0x00007FF7C6C50000-memory.dmp | themida
- Checks whether UAC is enabled | 1 IoCs
Processes:
process | description | ioc
Injector.exe | Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of NtSetInformationThreadHideFromDebugger | 1 IoCs
Processes:
pid | process
1524 | Injector.exe
- Checks SCSI registry key(s) | 3 TTPs | 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
process | description | ioc
Taskmgr.exe | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
Taskmgr.exe | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
Taskmgr.exe | Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
- Suspicious behavior: EnumeratesProcesses | 20 IoCs
Processes:
pid | process
2588 | Taskmgr.exe (20 occurrences)
- Suspicious behavior: GetForegroundWindowSpam | 1 IoCs
Processes:
pid | process
2588 | Taskmgr.exe
- Suspicious use of AdjustPrivilegeToken | 5 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2588 | Taskmgr.exe
Token: SeSystemProfilePrivilege | 2588 | Taskmgr.exe
Token: SeCreateGlobalPrivilege | 2588 | Taskmgr.exe
Token: 33 | 2588 | Taskmgr.exe
Token: SeIncBasePriorityPrivilege | 2588 | Taskmgr.exe
- Suspicious use of FindShellTrayWindow | 40 IoCs
Processes:
pid | process
2588 | Taskmgr.exe (40 occurrences)
- Suspicious use of SendNotifyMessage | 40 IoCs
Processes:
pid | process
2588 | Taskmgr.exe (40 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\Injector.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
  PID: 1524
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
- C:\Windows\System32\rundll32.exe (depth 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4920
- C:\Windows\System32\Taskmgr.exe (depth 1)
  Command line: "C:\Windows\System32\Taskmgr.exe"
  PID: 2588
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage