Analysis
max time kernel: 122s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17-06-2024 09:41
Behavioral task: behavioral1
Sample: Bypass.exe
Resource: win7-20240221-en
10 signatures, 150 seconds
General
Target: Bypass.exe
Size: 3.3MB
MD5: cb683f37f0902ce6620eb94f0ccd8a87
SHA1: 53a9dcd66067278d83a69dda13b11923df65494e
SHA256: 893b07a3803d12a3f68b7ba487ec3c89b832604880b08374b543913c68e181d3
SHA512: bfbd8733ae4fc9e50e7a8447eeb9fe89b3e46cca4e3eb70a5bd111413171fd89fd89c997be3957bcbdf90bc41bc24e66c771617bc5c670b509e11a3cc2f70dff
SSDEEP: 98304:nCNLxgjTecpczSWUQju2WehX/EiJWeRS/AZ:bR+AZ2Wava4Z
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes (description / ioc / process):
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  Bypass.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Bypass.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  Bypass.exe

Processes (resource / yara_rule):
behavioral1/memory/2936-29-0x00000000009F0000-0x00000000012B2000-memory.dmp  themida
behavioral1/memory/2936-30-0x00000000009F0000-0x00000000012B2000-memory.dmp  themida
behavioral1/memory/2936-39-0x00000000009F0000-0x00000000012B2000-memory.dmp  themida

Checks whether UAC is enabled
Processes (description / ioc / process):
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Bypass.exe

Drops file in System32 directory (1 IoC)
Processes (description / ioc / process):
File created  C:\Windows\SysWOW64\PsSuspend.exe  Bypass.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes (pid / process):
2936  Bypass.exe

Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
Processes (pid / process):
2648  sc.exe

Program crash (1 IoC)
Processes (pid / pid_target / process / target process):
2904  2936  WerFault.exe  Bypass.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes (pid / process):
2936  Bypass.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes (description / pid / process / target process), each event recorded four times:
PID 2936 wrote to memory of 2544  2936  Bypass.exe  cmd.exe
PID 2544 wrote to memory of 2648  2544  cmd.exe  sc.exe
PID 2544 wrote to memory of 2732  2544  cmd.exe  findstr.exe
PID 2936 wrote to memory of 2904  2936  Bypass.exe  WerFault.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Bypass.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bypass.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2936

  C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /c sc queryex BrokerInfrastructure | findstr PID
    - Suspicious use of WriteProcessMemory
    PID: 2544

    C:\Windows\SysWOW64\sc.exe
      Command line: sc queryex BrokerInfrastructure
      - Launches sc.exe
      PID: 2648

    C:\Windows\SysWOW64\findstr.exe
      Command line: findstr PID
      PID: 2732

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 588
    - Program crash
    PID: 2904

C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2440