0890f0b89e5c5745ad4bfaf1ca6459c5b765adae9cc2d0988e9456894350b434

Analysis

max time kernel
78s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 22:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Privacy Protector.exe
Size

8.6MB
MD5

fbf038e5ef2e30da99e88371531dfebc
SHA1

b0507491cf241aa4da8b73ef513528b2a937aa2c
SHA256

0890f0b89e5c5745ad4bfaf1ca6459c5b765adae9cc2d0988e9456894350b434
SHA512

2526c6e621b64c861aa5baddd9e80d2bdd5cd7d628be115584e3f0471536ab95ef85be48ae06b5207bc70f9e6eeeb75ceebc2594ebda6b1878cbc22f8321ea84
SSDEEP

196608:gAHP6FQVWZ0C1+eqy/rRXEChq+ZExY37lJo9aM2yf/2dI:KPqWRUChqCtLlW5X2dI

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Privacy Protector.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Privacy Protector.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Privacy Protector.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Privacy Protector.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Privacy Protector.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Privacy Protector.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Privacy Protector.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Privacy Protector.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
624	Privacy Protector.exe
624	Privacy Protector.exe
624	Privacy Protector.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe
4876	Privacy Protector.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
624	Privacy Protector.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 724	4876	Privacy Protector.exe	97
PID 4876 wrote to memory of 724	4876	Privacy Protector.exe	97
PID 724 wrote to memory of 3096	724	cmd.exe	98
PID 724 wrote to memory of 3096	724	cmd.exe	98
PID 724 wrote to memory of 2628	724	cmd.exe	99
PID 724 wrote to memory of 2628	724	cmd.exe	99
PID 724 wrote to memory of 1224	724	cmd.exe	100
PID 724 wrote to memory of 1224	724	cmd.exe	100
PID 4876 wrote to memory of 4812	4876	Privacy Protector.exe	103
PID 4876 wrote to memory of 4812	4876	Privacy Protector.exe	103
PID 624 wrote to memory of 3628	624	Privacy Protector.exe	120
PID 624 wrote to memory of 3628	624	Privacy Protector.exe	120
PID 3628 wrote to memory of 1660	3628	cmd.exe	121
PID 3628 wrote to memory of 1660	3628	cmd.exe	121
PID 3628 wrote to memory of 4620	3628	cmd.exe	122
PID 3628 wrote to memory of 4620	3628	cmd.exe	122
PID 3628 wrote to memory of 4740	3628	cmd.exe	123
PID 3628 wrote to memory of 4740	3628	cmd.exe	123
PID 624 wrote to memory of 1628	624	Privacy Protector.exe	124
PID 624 wrote to memory of 1628	624	Privacy Protector.exe	124

C:\Users\Admin\AppData\Local\Temp\Privacy Protector.exe
"C:\Users\Admin\AppData\Local\Temp\Privacy Protector.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Privacy Protector.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Privacy Protector.exe" MD5
    3⤵
    PID:3096
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2628
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:1224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Color 05
  2⤵
  PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4160,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:8
1⤵
PID:5032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3940

C:\Users\Admin\Desktop\Privacy Protector.exe
"C:\Users\Admin\Desktop\Privacy Protector.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Desktop\Privacy Protector.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Desktop\Privacy Protector.exe" MD5
    3⤵
    PID:1660
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:4620
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:4740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Color 05
  2⤵
  PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/624-32-0x0000000180000000-0x000000018001A000-memory.dmp

Filesize
104KB

Download
memory/624-41-0x0000000002070000-0x00000000020F1000-memory.dmp

Filesize
516KB

Download
memory/624-42-0x0000000002070000-0x00000000020F1000-memory.dmp

Filesize
516KB

Download
memory/4876-0-0x00007FFA80000000-0x00007FFA80002000-memory.dmp

Filesize
8KB

Download
memory/4876-2-0x0000000180000000-0x000000018001A000-memory.dmp

Filesize
104KB

Download
memory/4876-11-0x0000000002090000-0x0000000002111000-memory.dmp

Filesize
516KB

Download
memory/4876-8-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/4876-12-0x0000000002090000-0x0000000002111000-memory.dmp

Filesize
516KB

Download
memory/4876-18-0x00007FFAE61D0000-0x00007FFAE61D2000-memory.dmp

Filesize
8KB

Download
memory/4876-19-0x00007FFAE6130000-0x00007FFAE6325000-memory.dmp

Filesize
2.0MB

Download
memory/4876-22-0x00007FFAE6130000-0x00007FFAE6325000-memory.dmp

Filesize
2.0MB

Download
memory/4876-30-0x00007FFAE6130000-0x00007FFAE6325000-memory.dmp

Filesize
2.0MB

Download