Malware Analysis Report

2024-09-11 13:42

Sample ID 240613-1wg55awajq
Target Electron.exe
SHA256 e9f944ab296bcaa235eb584d6b7fa2811fc1a0f3bc2596a99675cdd114cdfcf5
Tags
evasion trojan
score
9/10

Analysis Overview

score
9/10

SHA256

e9f944ab296bcaa235eb584d6b7fa2811fc1a0f3bc2596a99675cdd114cdfcf5

Threat Level: Likely malicious

The file Electron.exe was found to be: Likely malicious.

Malicious Activity Summary

evasion trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 21:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 21:59

Reported

2024-06-13 22:00

Platform

win7-20240611-en

Max time kernel

9s

Max time network

1s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 2720

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\Microsoft.Web.WebView2.Core.dll

MD5 f342d254fdd33e76b2fd6a3f8b517de3
SHA1 79c91621ea96a6635e3934e9b46dcf23d1fc762e
SHA256 8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a
SHA512 618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 21:59

Reported

2024-06-13 22:02

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4360,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 98.251.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Microsoft.Web.WebView2.Core.dll

MD5 f342d254fdd33e76b2fd6a3f8b517de3
SHA1 79c91621ea96a6635e3934e9b46dcf23d1fc762e
SHA256 8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a
SHA512 618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba
