Analysis

max time kernel: 43s
max time network: 45s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-06-2024 16:40
General

Target: BakosFree2.exe
Size: 3.9MB
MD5: 19276837bca67381f2d4f6620114c5df
SHA1: 06920810b84cd7cadcf963f8823917a2e77d5a49
SHA256: 8970a16295267765ab6b690e7f0d4d1e9bd5cc0b7a51d2d048bf069fcc8adc02
SHA512: e4ea35848ba3877990e0379e599a8dd4ceff6ddaeaf8210194ac56ea305f2146da94e85af880984f5e8f1b5cc956243e17342ec6d22b341b90a940ac95c8be1d
SSDEEP: 98304:JU1gK9p2E9TV1IqWQ6mPVmzBA7xSU1j1drhljm+RJ:AL9p2UV1ovwmu1drhc0
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: BakosFree2.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | BakosFree2.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS version strings are often read to fingerprint sandbox and virtual-machine environments.
Processes: BakosFree2.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | BakosFree2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | BakosFree2.exe
YARA rule themida matched in memory 8 IoCs
Memory dumps of the main process image match the themida rule (Themida software protector).
Processes: BakosFree2.exe
resource | yara_rule
behavioral1/memory/3668-0-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp | themida
behavioral1/memory/3668-3-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp | themida
behavioral1/memory/3668-4-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp | themida
behavioral1/memory/3668-2-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp | themida
behavioral1/memory/3668-5-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp | themida
behavioral1/memory/3668-6-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp | themida
behavioral1/memory/3668-7-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp | themida
behavioral1/memory/3668-9-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp | themida
Checks whether UAC is enabled 1 IoCs
Processes: BakosFree2.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | BakosFree2.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: BakosFree2.exe
pid | process
3668 | BakosFree2.exe
Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
pid | process
2148 | timeout.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes: BakosFree2.exe, cmd.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 3668 wrote to memory of 1620 | 3668 | BakosFree2.exe | cmd.exe
PID 3668 wrote to memory of 1620 | 3668 | BakosFree2.exe | cmd.exe
PID 3668 wrote to memory of 3568 | 3668 | BakosFree2.exe | cmd.exe
PID 3668 wrote to memory of 3568 | 3668 | BakosFree2.exe | cmd.exe
PID 3668 wrote to memory of 216 | 3668 | BakosFree2.exe | cmd.exe
PID 3668 wrote to memory of 216 | 3668 | BakosFree2.exe | cmd.exe
PID 216 wrote to memory of 1544 | 216 | cmd.exe | certutil.exe
PID 216 wrote to memory of 1544 | 216 | cmd.exe | certutil.exe
PID 216 wrote to memory of 1820 | 216 | cmd.exe | find.exe
PID 216 wrote to memory of 1820 | 216 | cmd.exe | find.exe
PID 216 wrote to memory of 4980 | 216 | cmd.exe | find.exe
PID 216 wrote to memory of 4980 | 216 | cmd.exe | find.exe
PID 3668 wrote to memory of 4968 | 3668 | BakosFree2.exe | cmd.exe
PID 3668 wrote to memory of 4968 | 3668 | BakosFree2.exe | cmd.exe
PID 4968 wrote to memory of 4924 | 4968 | cmd.exe | cmd.exe
PID 4968 wrote to memory of 4924 | 4968 | cmd.exe | cmd.exe
PID 4924 wrote to memory of 2148 | 4924 | cmd.exe | timeout.exe
PID 4924 wrote to memory of 2148 | 4924 | cmd.exe | timeout.exe
Processes

C:\Users\Admin\AppData\Local\Temp\BakosFree2.exe
  "C:\Users\Admin\AppData\Local\Temp\BakosFree2.exe"
  PID: 3668
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 6
    PID: 1620

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    PID: 3568

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\BakosFree2.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    PID: 216
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\BakosFree2.exe" MD5
      PID: 1544

    C:\Windows\system32\find.exe
      find /i /v "md5"
      PID: 1820

    C:\Windows\system32\find.exe
      find /i /v "certutil"
      PID: 4980

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"
    PID: 4968
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"
      PID: 4924
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\timeout.exe
        timeout /t 5
        PID: 2148
        - Delays execution with timeout.exe
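The following is an added analyst helper, not part of the sandbox report or the sample. It re-evaluates the registry signatures listed under Signatures and rebuilds the process tree shown above from the WriteProcessMemory records, so the same logic can be reused on another report's event list. The event tuples and record lines are transcribed from the tables on this page; the tuple layout, the native-path to hive mapping, the signature regexes and the tree functions are my own. The VirtualBox and BIOS rules are broadened slightly beyond the two hits on this page (the other ACPI table names and SystemBiosDate are the same evasion pattern); that generalization is mine.

```python
"""Added analyst helper (not sandbox output): re-check the report's registry
signatures and rebuild the process tree from the WriteProcessMemory records."""
import re
from collections import OrderedDict

# Constructed from the IoC tables on this page: (pid, operation, native registry path).
REGISTRY_EVENTS = [
    (3668, "Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    (3668, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (3668, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (3668, "Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
]

# The 18 WriteProcessMemory records as written on this page (each parent->child
# write is logged twice by the sandbox).
WPM_RECORDS = """
PID 3668 wrote to memory of 1620 3668 BakosFree2.exe cmd.exe
PID 3668 wrote to memory of 1620 3668 BakosFree2.exe cmd.exe
PID 3668 wrote to memory of 3568 3668 BakosFree2.exe cmd.exe
PID 3668 wrote to memory of 3568 3668 BakosFree2.exe cmd.exe
PID 3668 wrote to memory of 216 3668 BakosFree2.exe cmd.exe
PID 3668 wrote to memory of 216 3668 BakosFree2.exe cmd.exe
PID 216 wrote to memory of 1544 216 cmd.exe certutil.exe
PID 216 wrote to memory of 1544 216 cmd.exe certutil.exe
PID 216 wrote to memory of 1820 216 cmd.exe find.exe
PID 216 wrote to memory of 1820 216 cmd.exe find.exe
PID 216 wrote to memory of 4980 216 cmd.exe find.exe
PID 216 wrote to memory of 4980 216 cmd.exe find.exe
PID 3668 wrote to memory of 4968 3668 BakosFree2.exe cmd.exe
PID 3668 wrote to memory of 4968 3668 BakosFree2.exe cmd.exe
PID 4968 wrote to memory of 4924 4968 cmd.exe cmd.exe
PID 4968 wrote to memory of 4924 4968 cmd.exe cmd.exe
PID 4924 wrote to memory of 2148 4924 cmd.exe timeout.exe
PID 4924 wrote to memory of 2148 4924 cmd.exe timeout.exe
"""

# Native kernel object paths as the sandbox logs them, mapped to the hive names
# analysts use in rules (mapping is my own, not from the report).
HIVE_PREFIXES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}


def normalize_key(path):
    """Rewrite \\REGISTRY\\MACHINE\\... as HKLM\\..., upper-cased for case-insensitive matching."""
    upper = path.upper()
    for native, hive in HIVE_PREFIXES.items():
        if upper.startswith(native):
            return hive + upper[len(native):]
    return upper


# Signature name -> regex over the normalized key. Regexes are my own reading of
# the three registry signatures on this page, slightly generalized.
SIGNATURES = OrderedDict([
    ("Identifies VirtualBox via ACPI registry values",
     re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__")),
    ("Checks BIOS information in registry",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM\\(SYSTEMBIOSVERSION|VIDEOBIOSVERSION|SYSTEMBIOSDATE)$")),
    ("Checks whether UAC is enabled",
     re.compile(r"^HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM\\ENABLELUA$")),
])


def match_signatures(events):
    """Return {signature name: IoC count} for every signature with at least one hit."""
    hits = OrderedDict()
    for _pid, _operation, key in events:
        norm = normalize_key(key)
        for name, pattern in SIGNATURES.items():
            if pattern.search(norm):
                hits[name] = hits.get(name, 0) + 1
    return hits


WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def build_tree(records):
    """Parse the records into (children, names); the duplicated lines collapse to one edge each."""
    children, names = {}, {}
    for m in WPM_RE.finditer(records):
        parent, child = int(m.group(1)), int(m.group(2))
        names[parent], names[child] = m.group(3), m.group(4)
        kids = children.setdefault(parent, [])
        if child not in kids:
            kids.append(child)
    return children, names


def chain_to(children, names, pid):
    """Image names from the root process down to pid (root first)."""
    parent_of = {c: p for p, kids in children.items() for c in kids}
    chain = [pid]
    while chain[0] in parent_of:
        chain.insert(0, parent_of[chain[0]])
    return [names[p] for p in chain]


def render(children, names, root, depth=0):
    """Indented tree, one line per process, in the report's parent/child order."""
    lines = ["  " * depth + f"{names[root]} (PID {root})"]
    for kid in children.get(root, []):
        lines.extend(render(children, names, kid, depth + 1))
    return lines


if __name__ == "__main__":
    for sig, count in match_signatures(REGISTRY_EVENTS).items():
        print(f"{sig}: {count} IoC(s)")
    kids, names = build_tree(WPM_RECORDS)
    print("\n".join(render(kids, names, 3668)))
    print("self-hash chain:", " -> ".join(chain_to(kids, names, 1544)))
```

chain_to() on PID 1544 returns BakosFree2.exe -> cmd.exe -> certutil.exe, which is the sample hashing its own file: certutil -hashfile prints a header line containing "MD5", the hash, and a footer line containing "CertUtil", so the two find /v filters leave only the hash on stdout. The other branch (PID 2148) is the cmd window that prints "Couldn't resolve host name" and sleeps five seconds with timeout /t 5.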
Network
MITRE ATT&CK Enterprise v15
Downloads

memory/3668-0-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp (10.3MB)
memory/3668-1-0x00007FF921990000-0x00007FF921992000-memory.dmp (8KB)
memory/3668-3-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp (10.3MB)
memory/3668-4-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp (10.3MB)
memory/3668-2-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp (10.3MB)
memory/3668-5-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp (10.3MB)
memory/3668-6-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp (10.3MB)
memory/3668-7-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp (10.3MB)
memory/3668-9-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp (10.3MB)