Analysis
max time kernel: 74s
max time network: 20s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 17/11/2024, 14:38

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: UA.exe
  Resource: win7-20241010-en
  8 signatures, 150 seconds
General
Target: UA.exe
Size: 18.1MB
MD5: ff4afb8476c59caace8d0d6b69d7ccc0
SHA1: a3f4bf385958242c899e7b8ea4ba30a739da3400
SHA256: bcd658522045492bd070705cfc6cd0cc089cf420956fa8cdd3a196be29e25574
SHA512: b9e97026feb85e959339ae609ffb3f7d84ecf7503733232c5d920b666853353adc8e22d71ce28fc2ebf5dd7c512da88fcd68fde976ac885215314199135d8732
SSDEEP: 393216:WGqq0SfJ5cRKsiRX3e5Od5wewLQrL+cwrshu85awDkqfHr:eLFKX3kOd5jwEH+6hugawnr
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: UA.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: UA.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: UA.exe)
- Checks whether UAC is enabled (1 IoC)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: UA.exe)
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444} (process: UA.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 1740, process: UA.exe
- Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE} (process: UA.exe)
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  PID 1740, process: UA.exe (16 identical hits)
- Suspicious behavior: RenamesItself (1 IoC)
  PID 1740, process: UA.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\UA.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\UA.exe"
  PID: 1740
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself