Analysis
- max time kernel: 16s
- max time network: 20s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-es
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-es, locale:es-es, os:windows10-2004-x64, system:windows
- submitted: 15-06-2024 18:27
General
- Target: f2dc4711-p4QNZK.exe
- Size: 9.1MB
- MD5: 94201232c8ca8b86ac08ba6099591ac1
- SHA1: 64ca80dfed0fb357d03009f4ae2b9cb7006c2f01
- SHA256: bac62dc3209c471dbafe09c48e0274a4ecc7652fd19d93abd7a8bf08bea32756
- SHA512: 2f6564e2f0ed626efa06835f76d2f7d7c5eb9b643c9f90fd7d41b62914ed6431cb970edb625edb43205eeff01f07e33acc6e8ce87a35240caab0fca80a64e255
- SSDEEP: 196608:3fpIriKid0KnI4KzLE3gEpxpizzkkPkY/g5N0Wls:3fpImKL0KLEQUpiHMY/CNa
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | f2dc4711-p4QNZK.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f2dc4711-p4QNZK.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f2dc4711-p4QNZK.exe
- Themida packer (YARA rule "themida" matched in process memory) 10 IoCs
  Processes (resource | yara_rule):
    behavioral1/memory/1596-0-0x00007FF725E30000-0x00007FF72756B000-memory.dmp | themida
    behavioral1/memory/1596-2-0x00007FF725E30000-0x00007FF72756B000-memory.dmp | themida
    behavioral1/memory/1596-3-0x00007FF725E30000-0x00007FF72756B000-memory.dmp | themida
    behavioral1/memory/1596-4-0x00007FF725E30000-0x00007FF72756B000-memory.dmp | themida
    behavioral1/memory/1596-6-0x00007FF725E30000-0x00007FF72756B000-memory.dmp | themida
    behavioral1/memory/1596-5-0x00007FF725E30000-0x00007FF72756B000-memory.dmp | themida
    behavioral1/memory/1596-7-0x00007FF725E30000-0x00007FF72756B000-memory.dmp | themida
    behavioral1/memory/1596-8-0x00007FF725E30000-0x00007FF72756B000-memory.dmp | themida
    behavioral1/memory/1596-9-0x00007FF725E30000-0x00007FF72756B000-memory.dmp | themida
    behavioral1/memory/1596-14-0x00007FF725E30000-0x00007FF72756B000-memory.dmp | themida
- Checks whether UAC is enabled 1 IoCs
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | f2dc4711-p4QNZK.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes (pid | process):
    1596 | f2dc4711-p4QNZK.exe
- Enumerates system info in registry 2 TTPs 2 IoCs
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | f2dc4711-p4QNZK.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer | f2dc4711-p4QNZK.exe
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  Processes (pid | process):
    1596 | f2dc4711-p4QNZK.exe
    1596 | f2dc4711-p4QNZK.exe
- Suspicious use of SetWindowsHookEx 1 IoCs
  Processes (pid | process):
    1596 | f2dc4711-p4QNZK.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f2dc4711-p4QNZK.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f2dc4711-p4QNZK.exe"
  PID: 1596
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads (file | size)
- memory/1596-0-0x00007FF725E30000-0x00007FF72756B000-memory.dmp | 23.2MB
- memory/1596-1-0x00007FFB81110000-0x00007FFB81112000-memory.dmp | 8KB
- memory/1596-2-0x00007FF725E30000-0x00007FF72756B000-memory.dmp | 23.2MB
- memory/1596-3-0x00007FF725E30000-0x00007FF72756B000-memory.dmp | 23.2MB
- memory/1596-4-0x00007FF725E30000-0x00007FF72756B000-memory.dmp | 23.2MB
- memory/1596-6-0x00007FF725E30000-0x00007FF72756B000-memory.dmp | 23.2MB
- memory/1596-5-0x00007FF725E30000-0x00007FF72756B000-memory.dmp | 23.2MB
- memory/1596-7-0x00007FF725E30000-0x00007FF72756B000-memory.dmp | 23.2MB
- memory/1596-8-0x00007FF725E30000-0x00007FF72756B000-memory.dmp | 23.2MB
- memory/1596-9-0x00007FF725E30000-0x00007FF72756B000-memory.dmp | 23.2MB
- memory/1596-10-0x00007FFB81070000-0x00007FFB81265000-memory.dmp | 2.0MB
- memory/1596-11-0x00007FFB81070000-0x00007FFB81265000-memory.dmp | 2.0MB
- memory/1596-12-0x00007FFB81070000-0x00007FFB81265000-memory.dmp | 2.0MB
- memory/1596-15-0x00007FFB81070000-0x00007FFB81265000-memory.dmp | 2.0MB
- memory/1596-14-0x00007FF725E30000-0x00007FF72756B000-memory.dmp | 23.2MB