Analysis
- max time kernel: 146s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-06-2024 09:41
Behavioral task
- behavioral1
- Sample: Bypass.exe
- Resource: win7-20240221-en
General
- Target: Bypass.exe
- Size: 3.3MB
- MD5: cb683f37f0902ce6620eb94f0ccd8a87
- SHA1: 53a9dcd66067278d83a69dda13b11923df65494e
- SHA256: 893b07a3803d12a3f68b7ba487ec3c89b832604880b08374b543913c68e181d3
- SHA512: bfbd8733ae4fc9e50e7a8447eeb9fe89b3e46cca4e3eb70a5bd111413171fd89fd89c997be3957bcbdf90bc41bc24e66c771617bc5c670b509e11a3cc2f70dff
- SSDEEP: 98304:nCNLxgjTecpczSWUQju2WehX/EiJWeRS/AZ:bR+AZ2Wava4Z
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Bypass.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Bypass.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Bypass.exe
- Executes dropped EXE 2 IoCs
Processes:
pid | process
208 | PsSuspend.exe
212 | PsSuspend.exe
Processes:
resource | yara_rule
behavioral2/memory/4212-11-0x00000000004E0000-0x0000000000DA2000-memory.dmp | themida
behavioral2/memory/4212-12-0x00000000004E0000-0x0000000000DA2000-memory.dmp | themida
- Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Bypass.exe
- Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\PsSuspend.exe | Bypass.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
4212 | Bypass.exe
- Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
3632 | sc.exe
1668 | sc.exe
- Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
4212 | Bypass.exe
4212 | Bypass.exe
- Suspicious use of WriteProcessMemory 24 IoCs
Processes:
description | pid | process | target process
PID 4212 wrote to memory of 1844 | 4212 | Bypass.exe | cmd.exe
PID 4212 wrote to memory of 1844 | 4212 | Bypass.exe | cmd.exe
PID 4212 wrote to memory of 1844 | 4212 | Bypass.exe | cmd.exe
PID 1844 wrote to memory of 3632 | 1844 | cmd.exe | sc.exe
PID 1844 wrote to memory of 3632 | 1844 | cmd.exe | sc.exe
PID 1844 wrote to memory of 3632 | 1844 | cmd.exe | sc.exe
PID 1844 wrote to memory of 2204 | 1844 | cmd.exe | findstr.exe
PID 1844 wrote to memory of 2204 | 1844 | cmd.exe | findstr.exe
PID 1844 wrote to memory of 2204 | 1844 | cmd.exe | findstr.exe
PID 4212 wrote to memory of 3820 | 4212 | Bypass.exe | cmd.exe
PID 4212 wrote to memory of 3820 | 4212 | Bypass.exe | cmd.exe
PID 4212 wrote to memory of 3820 | 4212 | Bypass.exe | cmd.exe
PID 3820 wrote to memory of 1668 | 3820 | cmd.exe | sc.exe
PID 3820 wrote to memory of 1668 | 3820 | cmd.exe | sc.exe
PID 3820 wrote to memory of 1668 | 3820 | cmd.exe | sc.exe
PID 3820 wrote to memory of 3008 | 3820 | cmd.exe | findstr.exe
PID 3820 wrote to memory of 3008 | 3820 | cmd.exe | findstr.exe
PID 3820 wrote to memory of 3008 | 3820 | cmd.exe | findstr.exe
PID 4212 wrote to memory of 208 | 4212 | Bypass.exe | PsSuspend.exe
PID 4212 wrote to memory of 208 | 4212 | Bypass.exe | PsSuspend.exe
PID 4212 wrote to memory of 208 | 4212 | Bypass.exe | PsSuspend.exe
PID 4212 wrote to memory of 212 | 4212 | Bypass.exe | PsSuspend.exe
PID 4212 wrote to memory of 212 | 4212 | Bypass.exe | PsSuspend.exe
PID 4212 wrote to memory of 212 | 4212 | Bypass.exe | PsSuspend.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Bypass.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bypass.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4212
    C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /c sc queryex BrokerInfrastructure | findstr PID
      - Suspicious use of WriteProcessMemory
      PID: 1844
        C:\Windows\SysWOW64\sc.exe
          Command line: sc queryex BrokerInfrastructure
          - Launches sc.exe
          PID: 3632
        C:\Windows\SysWOW64\findstr.exe
          Command line: findstr PID
          PID: 2204
    C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /c sc queryex LSM | findstr PID
      - Suspicious use of WriteProcessMemory
      PID: 3820
        C:\Windows\SysWOW64\sc.exe
          Command line: sc queryex LSM
          - Launches sc.exe
          PID: 1668
        C:\Windows\SysWOW64\findstr.exe
          Command line: findstr PID
          PID: 3008
    C:\Windows\SysWOW64\PsSuspend.exe
      Command line: "PsSuspend.exe" 808
      - Executes dropped EXE
      PID: 208
    C:\Windows\SysWOW64\PsSuspend.exe
      Command line: "PsSuspend.exe" 956
      - Executes dropped EXE
      PID: 212
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 383KB
- MD5: 1b9f1a75593dfc670fa7c54659ab5796
- SHA1: c9f0c40e012f8cfe20b1e5cd6a9a7b078e89a00b
- SHA256: 95a922e178075fb771066db4ab1bd70c7016f794709d514ab1c7f11500f016cd
- SHA512: ab7b26ce5487af2a337cabfa16908ddf72bf1f6942675760e7decee874dd0f72fd47aa42bc442fe11f71fab03106c75db0234199974c7de84d1ed3f12a9b4788