Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-06-2024 16:25
Behavioral task: behavioral1
- Sample: fix-injector.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: fix-injector.exe
- Resource: win10v2004-20240508-en
General
- Target: fix-injector.exe
- Size: 3.6MB
- MD5: c01178fa2626c8d717fde33e03a3876e
- SHA1: afee86588501928ae39eec90d6c1d6028f243689
- SHA256: 18c0bba23af8256a5f9e3de3038555a6a706dddd0c24123c011c1a8aa4d78156
- SHA512: 233744740883ab71ea7bb8c493db24c062e480f547cf13cd3210a3fa165368f7eb3cf908a6da3f6a5f81fbfe415cdfb03fb1ad38d6ff27ac9e8df417fe7ec7c0
- SSDEEP: 98304:sdvPB9yZdnrBYwSsHrOfmjSctW70xGtat:uvpMZdnrBhl67m3t
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  Processes: fix-injector.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | fix-injector.exe
- Sets service image path in registry 2 TTPs 1 IoCs
  Processes: 1fYxY.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cPomyDaDVbRMgSwptXVZEa\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\cPomyDaDVbRMgSwptXVZEa" | 1fYxY.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: fix-injector.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | fix-injector.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | fix-injector.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes: fix-injector.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | fix-injector.exe
- Executes dropped EXE 1 IoCs
  Processes: 1fYxY.exe
  pid | process
  5020 | 1fYxY.exe
- Processes:
  resource | yara_rule
  behavioral2/memory/4636-0-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp | themida
  behavioral2/memory/4636-2-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp | themida
  behavioral2/memory/4636-3-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp | themida
  behavioral2/memory/4636-5-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp | themida
  behavioral2/memory/4636-6-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp | themida
  behavioral2/memory/4636-7-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp | themida
  behavioral2/memory/4636-4-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp | themida
  behavioral2/memory/4636-18-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp | themida
  behavioral2/memory/4636-19-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp | themida
  behavioral2/memory/4636-20-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp | themida
  behavioral2/memory/4636-22-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp | themida
  behavioral2/memory/4636-23-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp | themida
- Checks whether UAC is enabled 1 IoCs
  Processes: fix-injector.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fix-injector.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes: fix-injector.exe
  pid | process
  4636 | fix-injector.exe
- Drops file in Windows directory 1 IoCs
  Processes: fix-injector.exe
  description | ioc | process
  File created | C:\Windows\SoftwareDistribution\Download\1fYxY.exe | fix-injector.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) 3 TTPs 3 IoCs
  SCSI information is often read in order to detect sandboxing environments.
  Processes: taskmgr.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
- Modifies registry class 1 IoCs
  Processes: taskmgr.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | taskmgr.exe
- Suspicious behavior: EnumeratesProcesses 22 IoCs
  Processes: taskmgr.exe
  pid | process
  4216 | taskmgr.exe (22 identical entries)
- Suspicious behavior: LoadsDriver 1 IoCs
  Processes: 1fYxY.exe
  pid | process
  5020 | 1fYxY.exe
- Suspicious use of AdjustPrivilegeToken 6 IoCs
  Processes: 1fYxY.exe, taskmgr.exe
  description | pid | process
  Token: SeLoadDriverPrivilege | 5020 | 1fYxY.exe
  Token: SeDebugPrivilege | 4216 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 4216 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 4216 | taskmgr.exe
  Token: 33 | 4216 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 4216 | taskmgr.exe
- Suspicious use of FindShellTrayWindow 47 IoCs
  Processes: taskmgr.exe
  pid | process
  4216 | taskmgr.exe (47 identical entries)
- Suspicious use of SendNotifyMessage 47 IoCs
  Processes: taskmgr.exe
  pid | process
  4216 | taskmgr.exe (47 identical entries)
- Suspicious use of WriteProcessMemory 6 IoCs
  Processes: fix-injector.exe
  description | pid | process | target process
  PID 4636 wrote to memory of 844 | 4636 | fix-injector.exe | cmd.exe
  PID 4636 wrote to memory of 844 | 4636 | fix-injector.exe | cmd.exe
  PID 4636 wrote to memory of 3968 | 4636 | fix-injector.exe | cmd.exe
  PID 4636 wrote to memory of 3968 | 4636 | fix-injector.exe | cmd.exe
  PID 4636 wrote to memory of 5020 | 4636 | fix-injector.exe | 1fYxY.exe
  PID 4636 wrote to memory of 5020 | 4636 | fix-injector.exe | 1fYxY.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fix-injector.exe (PID 4636)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fix-injector.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 844)
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe (PID 3968)
    Command line: C:\Windows\system32\cmd.exe /c color 9
  - C:\Windows\SoftwareDistribution\Download\1fYxY.exe (PID 5020)
    Command line: "C:\Windows\SoftwareDistribution\Download\1fYxY.exe"
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 608)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2860,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=3940 /prefetch:8
- C:\Windows\system32\taskmgr.exe (PID 4216)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\System32\rundll32.exe (PID 3268)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\SoftwareDistribution\Download\1fYxY.exe
  Filesize: 100KB
  MD5: 03997b52220aa284bd6da2f39a82b002
  SHA1: 7aa87879a471cbda376914927a3b6b8274a6d642
  SHA256: 7873158c42440a31a986c1472c0982404f54325ccd0c8b3a6e63a707277945a2
  SHA512: e7ccf9300166cb8c3d81153e9675240778a4910b2f503f8c2293c273f42eee6fe0841d66fe0baa91d9355392b06b85008921a75c90969d2b823d2092935efef9
- memory/4216-26-0x000001847FC20000-0x000001847FC21000-memory.dmp (Filesize: 4KB)
- memory/4216-32-0x000001847FC20000-0x000001847FC21000-memory.dmp (Filesize: 4KB)
- memory/4216-33-0x000001847FC20000-0x000001847FC21000-memory.dmp (Filesize: 4KB)
- memory/4216-34-0x000001847FC20000-0x000001847FC21000-memory.dmp (Filesize: 4KB)
- memory/4216-35-0x000001847FC20000-0x000001847FC21000-memory.dmp (Filesize: 4KB)
- memory/4216-36-0x000001847FC20000-0x000001847FC21000-memory.dmp (Filesize: 4KB)
- memory/4216-31-0x000001847FC20000-0x000001847FC21000-memory.dmp (Filesize: 4KB)
- memory/4216-30-0x000001847FC20000-0x000001847FC21000-memory.dmp (Filesize: 4KB)
- memory/4216-24-0x000001847FC20000-0x000001847FC21000-memory.dmp (Filesize: 4KB)
- memory/4216-25-0x000001847FC20000-0x000001847FC21000-memory.dmp (Filesize: 4KB)
- memory/4636-7-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp (Filesize: 9.5MB)
- memory/4636-22-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp (Filesize: 9.5MB)
- memory/4636-23-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp (Filesize: 9.5MB)
- memory/4636-20-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp (Filesize: 9.5MB)
- memory/4636-19-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp (Filesize: 9.5MB)
- memory/4636-18-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp (Filesize: 9.5MB)
- memory/4636-4-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp (Filesize: 9.5MB)
- memory/4636-0-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp (Filesize: 9.5MB)
- memory/4636-6-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp (Filesize: 9.5MB)
- memory/4636-5-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp (Filesize: 9.5MB)
- memory/4636-3-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp (Filesize: 9.5MB)
- memory/4636-2-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp (Filesize: 9.5MB)
- memory/4636-1-0x00007FFF1EED0000-0x00007FFF1EED2000-memory.dmp (Filesize: 8KB)