Analysis
- max time kernel: 112s
- max time network: 113s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 15-06-2024 11:46
General
- Target: mc.exe
- Size: 36.0MB
- MD5: 024f86e18a417a96b93516124a245a0a
- SHA1: 43631675b70942aa3751111d9f278f4e6c68ab3f
- SHA256: f774e2487887015f3ecd0065b03a7862aca9080143976652548972d9cc3e5a74
- SHA512: d6fd0d6325666e5bdad099068588ea951e30a54fcc1965a589406283682e0cbad7274594c5fcc5aadd1b516725f432843b4b6832a89489830bfdbb424f9de15a
- SSDEEP: 786432:Vu7kfIrExwhdQmJ+1QA4r0JKHD6TB959tGgZo:VuFrE1dQ3eBbfGgy
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
  description   ioc                                           process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   mc.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description         ioc                                                               process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   mc.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    mc.exe
- Loads dropped DLL (3 IoCs)
  Processes:
  pid    process
  1448   mc.exe
  1448   mc.exe
  1448   mc.exe
- YARA rule match: themida
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1448-0-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp    themida
  behavioral1/memory/1448-43-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp   themida
  behavioral1/memory/1448-44-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp   themida
  behavioral1/memory/1448-55-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp   themida
- Checks whether UAC is enabled
  Processes:
  description         ioc                                                                           process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   mc.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  pid    process
  1448   mc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid    process
  1448   mc.exe
  1448   mc.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes:
  pid 1448 (mc.exe) adjusted the following tokens: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, 36
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
  pid    process
  1448   mc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\mc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\mc.exe"
  PID: 1448
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\2f7d87ef.dll
  Filesize: 10KB
  MD5: 11a0cd45d40d3cc6cfa3eaec36b23d76
  SHA1: 7d7370be4472323fa0c34ae2ff1a351967af62e3
  SHA256: 16619955f4bde1166112272dd23c27a9b9857fa442c51d77f952172f5e6a5d73
  SHA512: 780c6025449201083e173949a2fe13766c2a63d535556f475a9e522f9f5abc684caf95b449995d7aa192d6ae964fc8546941e7b33c5b87edb4475d9ecccfc087
- \Users\Admin\AppData\Local\Temp\2f7d87ee.dll
  Filesize: 10KB
  MD5: e9220227f57e64dfc6e5491437461943
  SHA1: ade5ca8c79862ff7cc3069be96d7b08701db7bb8
  SHA256: 4b2763e236905ef34b0aeca3a41de959ba2157a7cd8749dc09a06658a52bb0fe
  SHA512: 1847b2c4f39e061bca854a05c3e9523728157e6447531f7f14fe66dc4f294f374b3159e123fbf91fd2aee918ed68816c4fa3ead437844731d9e7a68012f6551b
- \Users\Admin\AppData\Local\Temp\2f7d87f0.dll
  Filesize: 10KB
  MD5: f8e73b07c6e73f964850a2efbf340cb8
  SHA1: 010fb949de293c47c567e09c54bfec57e5d92393
  SHA256: 279e97c51f082de39b2d83dfe6451e9bdda364d93ad74725fb56519f351c5352
  SHA512: 0b2a084aecd69c93cc3c7787ca74233de7fde047aafdb61ca37e0b847d1c1d737f706ce609df4376a348db19ce75bcd1d66366c3745443d5665ff6c00215765f
- Memory dumps (PID 1448)
  resource                                                          Filesize
  memory/1448-5-0x00000213072A0000-0x00000213074E0000-memory.dmp    2.2MB
  memory/1448-36-0x0000021306B80000-0x0000021306BBE000-memory.dmp   248KB
  memory/1448-4-0x00000213072A0000-0x00000213074E0000-memory.dmp    2.2MB
  memory/1448-3-0x0000000180000000-0x0000000180073000-memory.dmp    460KB
  memory/1448-16-0x000002130A520000-0x000002130D5CD000-memory.dmp   48.7MB
  memory/1448-1-0x00007FFEB754B000-0x00007FFEB754C000-memory.dmp    4KB
  memory/1448-26-0x0000000180000000-0x0000000180073000-memory.dmp   460KB
  memory/1448-0-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp    94.7MB
  memory/1448-2-0x00007FFEB7530000-0x00007FFEB75DE000-memory.dmp    696KB
  memory/1448-37-0x0000021306B80000-0x0000021306BBE000-memory.dmp   248KB
  memory/1448-43-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp   94.7MB
  memory/1448-44-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp   94.7MB
  memory/1448-46-0x00007FFEB7530000-0x00007FFEB75DE000-memory.dmp   696KB
  memory/1448-55-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp   94.7MB