Analysis

  • max time kernel
    112s
  • max time network
    113s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    15-06-2024 11:46

General

  • Target

    mc.exe

  • Size

    36.0MB

  • MD5

    024f86e18a417a96b93516124a245a0a

  • SHA1

    43631675b70942aa3751111d9f278f4e6c68ab3f

  • SHA256

    f774e2487887015f3ecd0065b03a7862aca9080143976652548972d9cc3e5a74

  • SHA512

    d6fd0d6325666e5bdad099068588ea951e30a54fcc1965a589406283682e0cbad7274594c5fcc5aadd1b516725f432843b4b6832a89489830bfdbb424f9de15a

  • SSDEEP

    786432:Vu7kfIrExwhdQmJ+1QA4r0JKHD6TB959tGgZo:VuFrE1dQ3eBbfGgy

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

    VirtualBox guests expose ACPI tables whose registry entries carry the hypervisor's OEM ID; reading them is a common virtual-machine check.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS vendor and version information is often read in order to detect virtualised or sandboxed environments.

  • Loads dropped DLL 3 IoCs

    The three DLLs dropped to the user's Temp directory are listed under Downloads below.

  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

    Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops the thread from delivering debug events to an attached debugger; a common anti-debugging technique.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
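What the two anti-VM signatures above look like in practice, as an added example that is not part of this report or of the sample: a Python check for the registry artifacts a VirtualBox guest exposes (a "VBOX__" subkey under the ACPI table keys, and VirtualBox/innotek strings in the BIOS description values). The key paths and marker strings are well-known VirtualBox artifacts, not strings recovered from this sample; the two registry snapshots are constructed so the check runs offline, and snapshot_live() (Windows only) reads the same keys through the standard winreg module.

```python
import sys

# Well-known registry artifacts of a VirtualBox guest. These are the kinds of keys the
# "ACPI registry values" and "BIOS information" signatures refer to; the exact strings
# this sample compares against are not known from the report.
VBOX_ACPI_KEYS = {
    # ACPI table keys get a subkey named after the table's OEM ID, "VBOX__" on VirtualBox
    r"HKLM\HARDWARE\ACPI\DSDT": "VBOX__",
    r"HKLM\HARDWARE\ACPI\FADT": "VBOX__",
    r"HKLM\HARDWARE\ACPI\RSDT": "VBOX__",
}
VBOX_BIOS_VALUES = {
    # (key, value name): upper-cased substrings that identify a VirtualBox BIOS
    (r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): ("VBOX", "VIRTUALBOX"),
    (r"HKLM\HARDWARE\DESCRIPTION\System", "VideoBiosVersion"): ("VIRTUALBOX",),
    (r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"): ("INNOTEK",),
    (r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"): ("VIRTUALBOX",),
}


def _as_text(data):
    # REG_MULTI_SZ values (SystemBiosVersion is one) arrive as a list of strings
    return " ".join(data) if isinstance(data, (list, tuple)) else str(data)


def find_vbox_markers(subkeys, values):
    """Return the registry artifacts that would let a sample conclude it runs in VirtualBox.

    subkeys: {key_path: set of subkey names}   (for the ACPI table keys)
    values:  {(key_path, value_name): data}    (for the BIOS description values)
    Both are plain snapshots, so the logic also runs off-Windows.
    """
    hits = []
    for key, oem_id in VBOX_ACPI_KEYS.items():
        for sub in sorted(subkeys.get(key, ())):
            if sub.upper().startswith(oem_id):
                hits.append(f"{key}\\{sub}")
    for (key, name), needles in VBOX_BIOS_VALUES.items():
        if (key, name) not in values:
            continue
        text = _as_text(values[(key, name)]).upper()
        if any(n in text for n in needles):
            hits.append(f"{key}\\{name} = {values[(key, name)]!r}")
    return hits


def snapshot_live():
    """Read the same keys from the local machine (Windows only; uses the stdlib winreg module)."""
    import winreg
    subkeys, values = {}, {}
    for key in VBOX_ACPI_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key.split("\\", 1)[1]) as h:
                names, i = set(), 0
                while True:
                    try:
                        names.add(winreg.EnumKey(h, i))
                        i += 1
                    except OSError:
                        break  # no more subkeys
                subkeys[key] = names
        except OSError:
            pass  # key absent: no ACPI table of that name (or not a VM at all)
    for key, name in VBOX_BIOS_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key.split("\\", 1)[1]) as h:
                values[(key, name)] = winreg.QueryValueEx(h, name)[0]
        except OSError:
            pass
    return subkeys, values


# Constructed snapshots for offline use (not data taken from the sandbox run above).
VBOX_GUEST = (
    {r"HKLM\HARDWARE\ACPI\DSDT": {"VBOX__"}, r"HKLM\HARDWARE\ACPI\FADT": {"VBOX__"}},
    {(r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): ["VBOX   - 1"],
     (r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"): "innotek GmbH"},
)
BARE_METAL = (
    {r"HKLM\HARDWARE\ACPI\DSDT": {"DELL__"}},
    {(r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): ["DELL   - 1072009"],
     (r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"): "Dell Inc."},
)

if __name__ == "__main__":
    sub, val = snapshot_live() if sys.platform == "win32" else VBOX_GUEST
    for hit in find_vbox_markers(sub, val):
        print("VirtualBox marker:", hit)
```

Run on an analysis VM, the script lists exactly the values a sandbox image needs to scrub (or spoof) before a sample with these checks will proceed past its anti-VM gate; an empty result on a bare-metal or hardened guest is the expected outcome.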

Processes

  • C:\Users\Admin\AppData\Local\Temp\mc.exe
    "C:\Users\Admin\AppData\Local\Temp\mc.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1448

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2f7d87ef.dll
    Filesize

    10KB

    MD5

    11a0cd45d40d3cc6cfa3eaec36b23d76

    SHA1

    7d7370be4472323fa0c34ae2ff1a351967af62e3

    SHA256

    16619955f4bde1166112272dd23c27a9b9857fa442c51d77f952172f5e6a5d73

    SHA512

    780c6025449201083e173949a2fe13766c2a63d535556f475a9e522f9f5abc684caf95b449995d7aa192d6ae964fc8546941e7b33c5b87edb4475d9ecccfc087

  • \Users\Admin\AppData\Local\Temp\2f7d87ee.dll
    Filesize

    10KB

    MD5

    e9220227f57e64dfc6e5491437461943

    SHA1

    ade5ca8c79862ff7cc3069be96d7b08701db7bb8

    SHA256

    4b2763e236905ef34b0aeca3a41de959ba2157a7cd8749dc09a06658a52bb0fe

    SHA512

    1847b2c4f39e061bca854a05c3e9523728157e6447531f7f14fe66dc4f294f374b3159e123fbf91fd2aee918ed68816c4fa3ead437844731d9e7a68012f6551b

  • \Users\Admin\AppData\Local\Temp\2f7d87f0.dll
    Filesize

    10KB

    MD5

    f8e73b07c6e73f964850a2efbf340cb8

    SHA1

    010fb949de293c47c567e09c54bfec57e5d92393

    SHA256

    279e97c51f082de39b2d83dfe6451e9bdda364d93ad74725fb56519f351c5352

    SHA512

    0b2a084aecd69c93cc3c7787ca74233de7fde047aafdb61ca37e0b847d1c1d737f706ce609df4376a348db19ce75bcd1d66366c3745443d5665ff6c00215765f

  • memory/1448-5-0x00000213072A0000-0x00000213074E0000-memory.dmp
    Filesize

    2.2MB

  • memory/1448-36-0x0000021306B80000-0x0000021306BBE000-memory.dmp
    Filesize

    248KB

  • memory/1448-4-0x00000213072A0000-0x00000213074E0000-memory.dmp
    Filesize

    2.2MB

  • memory/1448-3-0x0000000180000000-0x0000000180073000-memory.dmp
    Filesize

    460KB

  • memory/1448-16-0x000002130A520000-0x000002130D5CD000-memory.dmp
    Filesize

    48.7MB

  • memory/1448-1-0x00007FFEB754B000-0x00007FFEB754C000-memory.dmp
    Filesize

    4KB

  • memory/1448-26-0x0000000180000000-0x0000000180073000-memory.dmp
    Filesize

    460KB

  • memory/1448-0-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp
    Filesize

    94.7MB

  • memory/1448-2-0x00007FFEB7530000-0x00007FFEB75DE000-memory.dmp
    Filesize

    696KB

  • memory/1448-37-0x0000021306B80000-0x0000021306BBE000-memory.dmp
    Filesize

    248KB

  • memory/1448-43-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp
    Filesize

    94.7MB

  • memory/1448-44-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp
    Filesize

    94.7MB

  • memory/1448-46-0x00007FFEB7530000-0x00007FFEB75DE000-memory.dmp
    Filesize

    696KB

  • memory/1448-55-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp
    Filesize

    94.7MB
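The memory dump names above encode the dumped address range, which is enough to cross-check the listed sizes and to see which regions were captured more than once during the run. The parser below is an added example, not part of the report; it assumes the name format memory/<pid>-<index>-<start>-<end>-memory.dmp with <index> as the dump sequence number (an assumption about the naming scheme), and labels a region starting at 0x180000000 as an x64 DLL mapped at the MSVC default 64-bit DLL image base (a fact about the linker default, not something the report states). The dump names are copied from the Downloads section.

```python
import re
from collections import defaultdict

# Dump names from the Downloads section above (pid 1448).
DUMP_NAMES = """
memory/1448-5-0x00000213072A0000-0x00000213074E0000-memory.dmp
memory/1448-36-0x0000021306B80000-0x0000021306BBE000-memory.dmp
memory/1448-4-0x00000213072A0000-0x00000213074E0000-memory.dmp
memory/1448-3-0x0000000180000000-0x0000000180073000-memory.dmp
memory/1448-16-0x000002130A520000-0x000002130D5CD000-memory.dmp
memory/1448-1-0x00007FFEB754B000-0x00007FFEB754C000-memory.dmp
memory/1448-26-0x0000000180000000-0x0000000180073000-memory.dmp
memory/1448-0-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp
memory/1448-2-0x00007FFEB7530000-0x00007FFEB75DE000-memory.dmp
memory/1448-37-0x0000021306B80000-0x0000021306BBE000-memory.dmp
memory/1448-43-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp
memory/1448-44-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp
memory/1448-46-0x00007FFEB7530000-0x00007FFEB75DE000-memory.dmp
memory/1448-55-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp
""".split()

# Assumed naming scheme: memory/<pid>-<index>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
DEFAULT_X64_DLL_BASE = 0x180000000  # MSVC linker default ImageBase for 64-bit DLLs


def parse_dump(name):
    """Split one dump name into pid, sequence index, start/end address and byte size."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, index = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    return {"pid": pid, "index": index, "start": start, "end": end, "size": end - start}


def human(nbytes):
    """Render a byte count the way the report does (KB below 1 MiB, one-decimal MB above)."""
    if nbytes < 1024 * 1024:
        return f"{nbytes / 1024:.0f}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def group_regions(names):
    """Merge dumps of the same address range; regions come back ordered by first dump index."""
    by_range = defaultdict(list)
    for d in map(parse_dump, names):
        by_range[(d["start"], d["end"])].append(d["index"])
    regions = []
    for (start, end), idxs in by_range.items():
        regions.append({
            "start": start, "end": end, "size": end - start,
            "indices": sorted(idxs),
            "note": "default x64 DLL image base" if start == DEFAULT_X64_DLL_BASE else "",
        })
    return sorted(regions, key=lambda r: r["indices"][0])


def report(names):
    """One line per distinct region: range, size, how often and when it was dumped."""
    lines = []
    for r in group_regions(names):
        lines.append(
            f"0x{r['start']:016X}-0x{r['end']:016X} {human(r['size']):>7} "
            f"dumped {len(r['indices'])}x at {r['indices']} {r['note']}".rstrip()
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(DUMP_NAMES))
```

The fourteen dumps collapse to seven distinct regions; the 94.7MB region was captured four times (indices 0, 43, 44 and 55), which is the region to diff first when looking for the unpacked image a Themida-protected binary leaves in memory, and the 460KB region at 0x180000000 is an un-relocated x64 DLL mapping captured at indices 3 and 26.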