Overview
overview
10Static
static
10Bird.exe
windows7-x64
10Bird.exe
windows10-2004-x64
10Crystal.exe
windows7-x64
10Crystal.exe
windows10-2004-x64
10Install.exe
windows7-x64
10Install.exe
windows10-2004-x64
10Minecraft_v4.4.exe
windows7-x64
10Minecraft_v4.4.exe
windows10-2004-x64
10NewHacks.exe
windows7-x64
10NewHacks.exe
windows10-2004-x64
10Setup.exe
windows7-x64
10Setup.exe
windows10-2004-x64
10Software p....5.exe
windows7-x64
9Software p....5.exe
windows10-2004-x64
9file3.exe
windows7-x64
8file3.exe
windows10-2004-x64
8forcenitro2.4.1.exe
windows7-x64
7forcenitro2.4.1.exe
windows10-2004-x64
7nitro_gen.exe
windows7-x64
10nitro_gen.exe
windows10-2004-x64
10Analysis
-
max time kernel
93s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-11-2024 04:18
Behavioral task
behavioral1
Sample
Bird.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Bird.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Crystal.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
Crystal.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Install.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Install.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Minecraft_v4.4.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
Minecraft_v4.4.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
NewHacks.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
NewHacks.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
Setup.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
Setup.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
Software patch v2.0.5.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
Software patch v2.0.5.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
file3.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
file3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
forcenitro2.4.1.exe
Resource
win7-20241023-en
Behavioral task
behavioral18
Sample
forcenitro2.4.1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
nitro_gen.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
nitro_gen.exe
Resource
win10v2004-20241007-en
General
-
Target
Software patch v2.0.5.exe
-
Size
3.1MB
-
MD5
d03337f5bb060e48c67e625084d48a84
-
SHA1
89d89fe1aeb5b69b2e5e9fdea533c4e32e5ae887
-
SHA256
010e5cf08f24b0b769747b20d38324e7ea5b3633cc72832a07cb8769b126dd0f
-
SHA512
4106c6922d175bbaa947a0a03783d39fe44936fa7ec5079dafece596f8378f326b0f094c0433f3f363aaad9ed6f81c7da5273347abc18031c88be79fe3c4ea56
-
SSDEEP
98304:VgQR+uxJXmATDLZIg9Bvk3/+49UlMuyTok:Os33Jsm4ARE
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Software patch v2.0.5.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Software patch v2.0.5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Software patch v2.0.5.exe -
resource yara_rule behavioral14/memory/4144-10-0x0000000000ED0000-0x000000000170A000-memory.dmp themida behavioral14/memory/4144-11-0x0000000000ED0000-0x000000000170A000-memory.dmp themida behavioral14/memory/4144-21-0x0000000000ED0000-0x000000000170A000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Software patch v2.0.5.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 14 iplogger.org 13 iplogger.org -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 4144 Software patch v2.0.5.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Software patch v2.0.5.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4144 Software patch v2.0.5.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe"C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4144