Analysis Overview
SHA256
f774e2487887015f3ecd0065b03a7862aca9080143976652548972d9cc3e5a74
Threat Level: Likely malicious
The file mc.exe was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Themida packer
Loads dropped DLL
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-15 11:46
Signatures
Themida packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 11:46
Reported
2024-06-15 11:51
Platform
win10-20240404-en
Max time kernel
112s
Max time network
113s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\mc.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\mc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\mc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mc.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\mc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mc.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\mc.exe
"C:\Users\Admin\AppData\Local\Temp\mc.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | machocheats.com | udp |
| US | 172.67.186.5:443 | machocheats.com | tcp |
| N/A | 127.0.0.1:49800 | N/A | tcp |
| US | 8.8.8.8:53 | 5.186.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:49819 | N/A | tcp |
| US | 172.67.186.5:443 | machocheats.com | tcp |
Files
memory/1448-0-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp
memory/1448-2-0x00007FFEB7530000-0x00007FFEB75DE000-memory.dmp
memory/1448-1-0x00007FFEB754B000-0x00007FFEB754C000-memory.dmp
memory/1448-4-0x00000213072A0000-0x00000213074E0000-memory.dmp
memory/1448-5-0x00000213072A0000-0x00000213074E0000-memory.dmp
\Users\Admin\AppData\Local\Temp\2f7d87ee.dll
| MD5 | e9220227f57e64dfc6e5491437461943 |
| SHA1 | ade5ca8c79862ff7cc3069be96d7b08701db7bb8 |
| SHA256 | 4b2763e236905ef34b0aeca3a41de959ba2157a7cd8749dc09a06658a52bb0fe |
| SHA512 | 1847b2c4f39e061bca854a05c3e9523728157e6447531f7f14fe66dc4f294f374b3159e123fbf91fd2aee918ed68816c4fa3ead437844731d9e7a68012f6551b |
memory/1448-3-0x0000000180000000-0x0000000180073000-memory.dmp
memory/1448-16-0x000002130A520000-0x000002130D5CD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2f7d87ef.dll
| MD5 | 11a0cd45d40d3cc6cfa3eaec36b23d76 |
| SHA1 | 7d7370be4472323fa0c34ae2ff1a351967af62e3 |
| SHA256 | 16619955f4bde1166112272dd23c27a9b9857fa442c51d77f952172f5e6a5d73 |
| SHA512 | 780c6025449201083e173949a2fe13766c2a63d535556f475a9e522f9f5abc684caf95b449995d7aa192d6ae964fc8546941e7b33c5b87edb4475d9ecccfc087 |
memory/1448-26-0x0000000180000000-0x0000000180073000-memory.dmp
memory/1448-36-0x0000021306B80000-0x0000021306BBE000-memory.dmp
\Users\Admin\AppData\Local\Temp\2f7d87f0.dll
| MD5 | f8e73b07c6e73f964850a2efbf340cb8 |
| SHA1 | 010fb949de293c47c567e09c54bfec57e5d92393 |
| SHA256 | 279e97c51f082de39b2d83dfe6451e9bdda364d93ad74725fb56519f351c5352 |
| SHA512 | 0b2a084aecd69c93cc3c7787ca74233de7fde047aafdb61ca37e0b847d1c1d737f706ce609df4376a348db19ce75bcd1d66366c3745443d5665ff6c00215765f |
memory/1448-37-0x0000021306B80000-0x0000021306BBE000-memory.dmp
memory/1448-43-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp
memory/1448-44-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp
memory/1448-46-0x00007FFEB7530000-0x00007FFEB75DE000-memory.dmp
memory/1448-55-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp