Overview

overview

9

Static

static

3

BYPASS_protected.exe

windows10-2004-x64

9

BYPASS_protected.exe

windows11-21h2-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-10-2024 09:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BYPASS_protected.exe

  • Size

    4.6MB

  • MD5

    437994f469877f8542f20c60265095fb

  • SHA1

    3131ac636069282b18d8583594956fa30d75b269

  • SHA256

    c0c2ac68d92c52ffe60699a50cb9e9f8f782bba04d53cffa2d2e0f559bd09fa7

  • SHA512

    e12cfe87bcefb71ce95075d3d65283aea4126c9fdd174c4a4919a5008f798a8141d45d85af53d4983dc11a65ab0e928736c3bd6182261cc4083497b33da8165d

  • SSDEEP

    98304:TVmlzf/7Dwysx2pz/GBtN3SgIlJjqIavKI2N:TEl3JxzcI3

Score
9/10
evasiontrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BYPASS_protected.exe
    "C:\Users\Admin\AppData\Local\Temp\BYPASS_protected.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
        PID:4648
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c color 6
        2⤵
          PID:1388
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://noohapou.com/4/7798358
          2⤵
            PID:2320
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/bYnvz3MYm7
            2⤵
              PID:208
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c cls
              2⤵
                PID:4896
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c cls
                2⤵
                  PID:4480
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4104,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:8
                1⤵
                  PID:3628
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4948,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=5044 /prefetch:1
                  1⤵
                    PID:2248
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4916,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=5036 /prefetch:1
                    1⤵
                      PID:1036
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5564,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=5592 /prefetch:8
                      1⤵
                        PID:4640
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --field-trial-handle=5640,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=5576 /prefetch:1
                        1⤵
                          PID:4880
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6036,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6052 /prefetch:1
                          1⤵
                            PID:2816
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=6300,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6312 /prefetch:8
                            1⤵
                              PID:3988
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=6316,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6344 /prefetch:8
                              1⤵
                              • Modifies registry class
                              PID:2596
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=5932,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6644 /prefetch:1
                              1⤵
                                PID:3232
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6652,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=5276 /prefetch:8
                                1⤵
                                  PID:788
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6916,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6984 /prefetch:1
                                  1⤵
                                    PID:2552
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=6020,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=5596 /prefetch:8
                                    1⤵
                                      PID:4928

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\d.txt
                                      Filesize

                                      61B

                                      MD5

                                      6cdf812ab9052ea856a19a42be733bd1

                                      SHA1

                                      0f2ce25cc9433a00f0611825c61139608eec0f8a

                                      SHA256

                                      e3190625fca84bb8f8f395b36dedeb9c9237d7a95ec0511f8cd932faac5f892e

                                      SHA512

                                      90a9810278d02e73bf4c6bb331a7bc9ff137b8fef5251e3c1cc6cb1ba12b6f4d5e026fe775d3a22589b500441f6826a66b4175cfdfb1febf6365543bcbfb058e

                                      Download Submit

                                    • memory/3508-0-0x00007FF8B08F0000-0x00007FF8B08F2000-memory.dmp

                                      Filesize

                                      8KB

                                      Download

                                    • memory/3508-4-0x0000000000400000-0x0000000000E14000-memory.dmp

                                      Filesize

                                      10.1MB

                                      Download

                                    • memory/3508-3-0x0000000000400000-0x0000000000E14000-memory.dmp

                                      Filesize

                                      10.1MB

                                      Download

                                    • memory/3508-7-0x0000000000400000-0x0000000000E14000-memory.dmp

                                      Filesize

                                      10.1MB

                                      Download

                                    • memory/3508-8-0x0000000000400000-0x0000000000E14000-memory.dmp

                                      Filesize

                                      10.1MB

                                      Download

                                    • memory/3508-6-0x0000000000400000-0x0000000000E14000-memory.dmp

                                      Filesize

                                      10.1MB

                                      Download

                                    • memory/3508-5-0x0000000000400000-0x0000000000E14000-memory.dmp

                                      Filesize

                                      10.1MB

                                      Download

                                    • memory/3508-1-0x0000000000400000-0x0000000000E14000-memory.dmp

                                      Filesize

                                      10.1MB

                                      Download

                                    • memory/3508-2-0x0000000000400000-0x0000000000E14000-memory.dmp

                                      Filesize

                                      10.1MB

                                      Download

                                    • memory/3508-29-0x0000000000400000-0x0000000000E14000-memory.dmp

                                      Filesize

                                      10.1MB

                                      Download

                                    • memory/3508-34-0x0000000000400000-0x0000000000E14000-memory.dmp

                                      Filesize

                                      10.1MB

                                      Download