Analysis
max time kernel: 54s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21/07/2024, 05:03
General
Target: CardingMachine.exe
Size: 615.1MB
MD5: 796c4e013accc1d47e263f2438248e5e
SHA1: dbca3bb74c9715a4b21259fa644a39a59bb438a7
SHA256: e934ef0b1bad86d0a8d2a08a90b64b309404b2983649f8e34d400704ce8c65c0
SHA512: 5ae71ea3ac4f15c6143a424e1e2491294e5f2e5508ca4c05b6fa2676634140ec03e27b698ab0378726b421369e36988f56e016e145ba10b2d517577a00de926c
SSDEEP: 49152:lNjqYcOatzfsFfG/oDx4tDhdLDG15f9pTo0trQyYxQw:lNjFcOaxYG/M43HA5fVt8Q
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | CardingMachine.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ULEXPY.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
5564 | powershell.exe
4060 | powershell.exe
5188 | powershell.exe
5412 | powershell.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | CardingMachine.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ULEXPY.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ULEXPY.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | CardingMachine.exe
Executes dropped EXE 1 IoCs
pid | Process
5136 | ULEXPY.exe
resource | yara_rule
behavioral1/memory/4308-0-0x00000000002B0000-0x0000000000933000-memory.dmp | themida
behavioral1/memory/4308-2-0x00000000002B0000-0x0000000000933000-memory.dmp | themida
behavioral1/memory/4308-3-0x00000000002B0000-0x0000000000933000-memory.dmp | themida
behavioral1/memory/4308-5-0x00000000002B0000-0x0000000000933000-memory.dmp | themida
behavioral1/memory/4308-4-0x00000000002B0000-0x0000000000933000-memory.dmp | themida
behavioral1/memory/4308-6-0x00000000002B0000-0x0000000000933000-memory.dmp | themida
behavioral1/memory/4308-75-0x00000000002B0000-0x0000000000933000-memory.dmp | themida
behavioral1/memory/5136-89-0x0000000000840000-0x0000000000EC3000-memory.dmp | themida
behavioral1/memory/5136-90-0x0000000000840000-0x0000000000EC3000-memory.dmp | themida
behavioral1/memory/5136-91-0x0000000000840000-0x0000000000EC3000-memory.dmp | themida
behavioral1/memory/5136-93-0x0000000000840000-0x0000000000EC3000-memory.dmp | themida
behavioral1/memory/5136-92-0x0000000000840000-0x0000000000EC3000-memory.dmp | themida
behavioral1/memory/5136-115-0x0000000000840000-0x0000000000EC3000-memory.dmp | themida
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | CardingMachine.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ULEXPY.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
4308 | CardingMachine.exe
5136 | ULEXPY.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2180 | 5136 | WerFault.exe | 90
Delays execution with timeout.exe 1 IoCs
pid | Process
5728 | timeout.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
5564 | powershell.exe
4060 | powershell.exe
5564 | powershell.exe
4060 | powershell.exe
5188 | powershell.exe
5412 | powershell.exe
5188 | powershell.exe
5412 | powershell.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4060 | powershell.exe
Token: SeDebugPrivilege | 5564 | powershell.exe
Token: SeDebugPrivilege | 5188 | powershell.exe
Token: SeDebugPrivilege | 5412 | powershell.exe
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 4308 wrote to memory of 5564 | 4308 | CardingMachine.exe | 83
PID 4308 wrote to memory of 5564 | 4308 | CardingMachine.exe | 83
PID 4308 wrote to memory of 5564 | 4308 | CardingMachine.exe | 83
PID 4308 wrote to memory of 4060 | 4308 | CardingMachine.exe | 85
PID 4308 wrote to memory of 4060 | 4308 | CardingMachine.exe | 85
PID 4308 wrote to memory of 4060 | 4308 | CardingMachine.exe | 85
PID 4308 wrote to memory of 5036 | 4308 | CardingMachine.exe | 87
PID 4308 wrote to memory of 5036 | 4308 | CardingMachine.exe | 87
PID 4308 wrote to memory of 5036 | 4308 | CardingMachine.exe | 87
PID 5036 wrote to memory of 5728 | 5036 | cmd.exe | 89
PID 5036 wrote to memory of 5728 | 5036 | cmd.exe | 89
PID 5036 wrote to memory of 5728 | 5036 | cmd.exe | 89
PID 5036 wrote to memory of 5136 | 5036 | cmd.exe | 90
PID 5036 wrote to memory of 5136 | 5036 | cmd.exe | 90
PID 5036 wrote to memory of 5136 | 5036 | cmd.exe | 90
PID 5136 wrote to memory of 5412 | 5136 | ULEXPY.exe | 91
PID 5136 wrote to memory of 5412 | 5136 | ULEXPY.exe | 91
PID 5136 wrote to memory of 5412 | 5136 | ULEXPY.exe | 91
PID 5136 wrote to memory of 5188 | 5136 | ULEXPY.exe | 93
PID 5136 wrote to memory of 5188 | 5136 | ULEXPY.exe | 93
PID 5136 wrote to memory of 5188 | 5136 | ULEXPY.exe | 93
Processes

C:\Users\Admin\AppData\Local\Temp\CardingMachine.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\CardingMachine.exe"
PID: 4308
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
    PID: 5564
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    PID: 4060
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s3bo.0.bat" "
    PID: 5036
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 3
        PID: 5728
        - Delays execution with timeout.exe

        C:\ProgramData\software\ULEXPY.exe
        Command line: "C:\ProgramData\software\ULEXPY.exe"
        PID: 5136
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
            PID: 5412
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
            PID: 5188
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5136 -s 816
            PID: 2180
            - Program crash

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5136 -ip 5136
PID: 2300

C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 4112
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: ac4917a885cf6050b1a483e4bc4d2ea5
SHA1: b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256: e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512: 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Filesize: 136B
MD5: edc83e4fa455386dccc77e50d5353701
SHA1: dd5a0e4ae5a9e6a4e99fbc0de749f94970f9fe76
SHA256: e8426dc90411b1a791bda899f02d2a4a3f473a9f4057616f34265cdd69723e97
SHA512: 16a54dca909a0d63098d569237f7d86b02436c162800421ec34b2069b08f779ffdd7e247a7a3f5f490ea1b9e2d0e69f3b385910d8f307c063aa41142e19a6281

Filesize: 18KB
MD5: 08406f6b49f1da526c6ceb10daadf759
SHA1: 4d0d3fc40e8bd09326956f55af63433e9f255fa6
SHA256: e0a79fd2883a171cdb8ed5515462ff8945d6d93d5a7f6f397d8d2cd57387b9a6
SHA512: 675108f649d60c667356207f66bfb40d8726554c68da32bc28d2079db8360f2bd93797d0c00bf96a0e9d9e41afa2ae7aa49573fc76e5a4802c1bd29e737ca94a

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 174B
MD5: b6227cff93c3f146bd77146b7dec7701
SHA1: 7d652901d26bf978e203dd492ff81eed1222cdbe
SHA256: f1d7500fc1a168e8229d568e33c87a1364462b1eeca4c63e5b2aa2838e0f86b3
SHA512: 9533bfb35c0848e846e94345aaa11df300cb4b6712a72ab05196183d1bb4312b27cb19a14ada20a16a6fc8d1290972094e0f9afd1f25b17d1b8933bde29f1d54