Analysis
- max time kernel: 140s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/08/2024, 17:01
Static task: static1
Behavioral task: behavioral1
- Sample: client.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: client.exe
- Resource: win10v2004-20240802-en
General
- Target: client.exe
- Size: 78.2MB
- MD5: a47dead51de19e6368f7d35aa4bd1de4
- SHA1: 7fe2a02761a637c85b7161f40723307dcb299204
- SHA256: dbc08d36f338dfbbf18479a16372301ff2d62758254ad0815692f3a89a95d327
- SHA512: b085419c50e34aeccbeaf57c1bb65c75452202f7056322c8a9eb7127e9afc5a36bd38825a7a392747c4327e7dbec5ce4c47a43abb8c2cda0a52628f1680ce1ad
- SSDEEP: 1572864:CvIY7GVtHamrpICfG39etrPnKUvL84ntBECY4TgcubYJ:7Y7ut6mY9ekELDtBEf4TgdbK
Malware Config
Signatures
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | client.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  4376 | client.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
  pid | Process
  4376 | client.exe (8 occurrences)
- Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)
  Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
  description | ioc | Process
  File opened (read-only) | \??\VBoxMiniRdrDN | client.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | client.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor | client.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | client.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4376 | client.exe (64 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4376 | client.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\client.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\client.exe"
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4376