Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/01/2025, 17:30 UTC

General

  • Target

    BIGBOSS.exe

  • Size

    36.6MB

  • MD5

    19773de3aada9bebac1c8a284059e0a5

  • SHA1

    482dcb8326ab158a0b054516cede9d80119dca7b

  • SHA256

    4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217

  • SHA512

    829ee42d011ca1064a272fc626540b5ddf115d1e59e8e107b185def9ced215b96ce3018c7ff4a8a6c30893e313c64e1df58e7771e1d2f868fcfa61c7ecd56346

  • SSDEEP

    786432:w5iyxGxoo4kxSjEN0CgFjaj2G8NkzJD4pSbN+WYbO7fqffK:w01xoLvCgxayG8NkzJDaSbN+WY8qffK

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
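
The signatures above are produced by matching registry reads against locations that anti-VM, anti-sandbox and UAC-probing code commonly inspects. As an added example (not part of this report or of the sandbox's own rule set), the following Python classifies registry-read events from a sandbox trace into those same four signature names. The VirtualBox ACPI table keys (HARDWARE\ACPI\{DSDT,FADT,RSDT}\VBOX__), the BIOS string values under HARDWARE\DESCRIPTION\System and the EnableLUA value are well-known locations; the language-discovery keys, the `pid op path` line format and the trace lines themselves are assumptions constructed for the example, not data taken from the BIGBOSS.exe run.

```python
"""Classify registry reads from a sandbox trace into the anti-analysis
signatures named in this report (VirtualBox ACPI tables, BIOS strings,
UAC state, system language).  Added example; the trace lines below are
constructed, not taken from the BIGBOSS.exe report."""
import re
from collections import Counter

# Registry locations that anti-VM / anti-sandbox code commonly reads.
# Matching is case-insensitive on the path after the hive prefix.
ACPI_VBOX_RE = re.compile(r"HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)
BIOS_RE = re.compile(
    r"HARDWARE\\DESCRIPTION\\System\\(BIOS\\)?"
    r"(SystemBiosVersion|VideoBiosVersion|SystemBiosDate|"
    r"SystemManufacturer|SystemProductName|BIOSVendor|BIOSVersion)", re.I)
UAC_RE = re.compile(
    r"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", re.I)
# Assumed locations for language discovery (the report does not show which
# keys were read; these are illustrative).
LANG_RE = re.compile(
    r"Control Panel\\International\\(LocaleName|sLanguage)|"
    r"SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\\", re.I)

RULES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", ACPI_VBOX_RE),
    ("Checks BIOS information in registry", BIOS_RE),
    ("Checks whether UAC is enabled", UAC_RE),
    ("System Location Discovery: System Language Discovery", LANG_RE),
]

# Assumed trace line shape: "<pid> <RegOpenKey|RegQueryValue> <path>".
EVENT_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<op>RegOpenKey|RegQueryValue)\s+(?P<path>\S.*)$")


def classify_path(path):
    """Return the names of every rule the registry path triggers."""
    return [name for name, rx in RULES if rx.search(path)]


def classify_events(lines):
    """Parse trace lines; return ({pid: Counter(rule -> hits)}, unparsed_lines).
    Unparsable lines are returned rather than silently dropped, so a format
    change in the trace cannot quietly blind the classifier."""
    hits, bad = {}, []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            if line.strip():
                bad.append(line)
            continue
        pid = int(m.group("pid"))
        for name in classify_path(m.group("path")):
            hits.setdefault(pid, Counter())[name] += 1
    return hits, bad


# Constructed trace, modelled on the shape of a sandbox registry log.
SAMPLE_TRACE = """\
2512 RegOpenKey    HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__
2512 RegQueryValue HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion
2512 RegQueryValue HKLM\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion
2512 RegQueryValue HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA
2512 RegQueryValue HKCU\\Control Panel\\International\\LocaleName
2512 RegOpenKey    HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
garbage line that the parser must report rather than swallow
""".splitlines()

if __name__ == "__main__":
    hits, bad = classify_events(SAMPLE_TRACE)
    for pid, counter in hits.items():
        for name, n in counter.items():
            print(f"PID {pid}: {name} ({n} IoCs)")
    print(f"{len(bad)} unparsed line(s)")
```

Counting hits per rule rather than just flagging presence mirrors the "N IoCs" figure in the signature list, and the benign CurrentVersion read in the sample shows that ordinary registry activity does not trigger any rule.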

Processes

  • C:\Users\Admin\AppData\Local\Temp\BIGBOSS.exe
    "C:\Users\Admin\AppData\Local\Temp\BIGBOSS.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window --start-in-incognito
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7319758,0x7fef7319768,0x7fef7319778
        3⤵
          PID:2696

    Network

    • DNS (remote in US) s3.amazonaws.com, from BIGBOSS.exe
      Remote address: 8.8.8.8:53
      Request: s3.amazonaws.com IN A
      Response: s3.amazonaws.com IN A
        54.231.167.24
        54.231.168.160
        52.217.116.32
        52.217.68.222
        52.216.217.112
        16.182.108.72
        52.216.43.232
        16.182.35.32
    • DNS (remote in US) s3.amazonaws.com, from BIGBOSS.exe
      Remote address: 8.8.8.8:53
      Request: s3.amazonaws.com IN A
      Response: none shown
    • DNS (remote in US) s3.amazonaws.com, from BIGBOSS.exe
      Remote address: 8.8.8.8:53
      Request: s3.amazonaws.com IN A
      Response: none shown
    • DNS (remote in US) s3.amazonaws.com, from BIGBOSS.exe
      Remote address: 8.8.8.8:53
      Request: s3.amazonaws.com IN A
      Response: none shown
    • 54.231.167.24:443 (s3.amazonaws.com), tls, BIGBOSS.exe
      418 B sent, 179 B received, 4 packets sent, 4 packets received
    • 54.231.167.24:443 (s3.amazonaws.com), tls, BIGBOSS.exe
      258 B sent, 179 B received, 3 packets sent, 4 packets received
    • 8.8.8.8:53 (s3.amazonaws.com), dns, BIGBOSS.exe
      248 B sent, 190 B received, 4 packets sent, 1 packet received

      DNS requests: s3.amazonaws.com (4 queries)

      DNS response: 54.231.167.24, 54.231.168.160, 52.217.116.32, 52.217.68.222, 52.216.217.112, 16.182.108.72, 52.216.43.232, 16.182.35.32
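
The network records above only make sense when the DNS answers and the TLS flows are read together: the two TLS flows go to 54.231.167.24, which is one of the eight A records returned for s3.amazonaws.com, so the sample is talking to a resolved S3 endpoint rather than a hard-coded address. The following Python is an added example (not part of this report or of the sandbox) that performs that correlation over the report's own records: it attributes each flow to the name that resolved to its destination, totals bytes per endpoint, and flags flows to addresses no DNS answer ever returned. The third flow, to 203.0.113.10:4444, is a constructed, hypothetical record included only to exercise the direct-IP branch; it does not appear in the report.

```python
"""Correlate sandbox DNS answers with observed flows and flag flows whose
destination was never returned by a DNS answer.  Added example; the
records mirror this report's Network section except where marked."""
from collections import defaultdict

# Taken from the report: eight A records for s3.amazonaws.com.
DNS_ANSWERS = {
    "s3.amazonaws.com": {
        "54.231.167.24", "54.231.168.160", "52.217.116.32", "52.217.68.222",
        "52.216.217.112", "16.182.108.72", "52.216.43.232", "16.182.35.32",
    },
}

# (dst_ip, dst_port, proto, process, bytes_sent, bytes_received)
FLOWS = [
    ("54.231.167.24", 443, "tls", "BIGBOSS.exe", 418, 179),   # from the report
    ("54.231.167.24", 443, "tls", "BIGBOSS.exe", 258, 179),   # from the report
    # Hypothetical flow, constructed to show the direct-IP branch; NOT in the report.
    ("203.0.113.10", 4444, "tcp", "BIGBOSS.exe", 1200, 30),
]


def resolved_ips(dns_answers):
    """Invert {name: {ip, ...}} into {ip: name} so flows can be attributed."""
    return {ip: name for name, ips in dns_answers.items() for ip in ips}


def correlate(flows, dns_answers):
    """Return (summary keyed by (ip, port, proto), list of direct-IP flow keys).

    A destination that no DNS answer returned means the sample connected
    to a hard-coded address, which is a stronger C2 indicator than a flow
    to a resolved, shared host such as an S3 endpoint."""
    rev = resolved_ips(dns_answers)
    summary = defaultdict(lambda: {"host": None, "flows": 0, "sent": 0, "recv": 0})
    direct = []
    for ip, port, proto, _proc, sent, recv in flows:
        key = (ip, port, proto)
        entry = summary[key]
        entry["host"] = rev.get(ip)
        entry["flows"] += 1
        entry["sent"] += sent
        entry["recv"] += recv
        if ip not in rev and key not in direct:
            direct.append(key)
    return dict(summary), direct


if __name__ == "__main__":
    summary, direct = correlate(FLOWS, DNS_ANSWERS)
    for (ip, port, proto), e in summary.items():
        host = e["host"] or "<no DNS answer>"
        print(f"{ip}:{port}/{proto} {host}: {e['flows']} flow(s), "
              f"{e['sent']} B sent, {e['recv']} B received")
    for key in direct:
        print("direct-IP flow:", key)
```

Run against the report's records alone, nothing is flagged: both TLS flows land on a resolved S3 address, and the 676 bytes sent across them is consistent with a small request rather than an upload.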

    MITRE ATT&CK Enterprise v15


    Downloads

    • memory/2512-1-0x0000000076681000-0x0000000076682000-memory.dmp (4KB)
    • memory/2512-0-0x0000000000C70000-0x0000000004172000-memory.dmp (53.0MB)
    • memory/2512-3-0x0000000076670000-0x0000000076780000-memory.dmp (1.1MB)
    • memory/2512-2-0x0000000076670000-0x0000000076780000-memory.dmp (1.1MB)
    • memory/2512-16-0x0000000076670000-0x0000000076780000-memory.dmp (1.1MB)
    • memory/2512-15-0x0000000076670000-0x0000000076780000-memory.dmp (1.1MB)
    • memory/2512-14-0x0000000076670000-0x0000000076780000-memory.dmp (1.1MB)
    • memory/2512-13-0x0000000076670000-0x0000000076780000-memory.dmp (1.1MB)
    • memory/2512-12-0x0000000076670000-0x0000000076780000-memory.dmp (1.1MB)
    • memory/2512-11-0x0000000076670000-0x0000000076780000-memory.dmp (1.1MB)
    • memory/2512-10-0x0000000076670000-0x0000000076780000-memory.dmp (1.1MB)
    • memory/2512-9-0x0000000076670000-0x0000000076780000-memory.dmp (1.1MB)
    • memory/2512-8-0x0000000076670000-0x0000000076780000-memory.dmp (1.1MB)
    • memory/2512-7-0x0000000076670000-0x0000000076780000-memory.dmp (1.1MB)
    • memory/2512-6-0x0000000076670000-0x0000000076780000-memory.dmp (1.1MB)
    • memory/2512-5-0x0000000076670000-0x0000000076780000-memory.dmp (1.1MB)
    • memory/2512-4-0x0000000076670000-0x0000000076780000-memory.dmp (1.1MB)
    • memory/2512-20-0x0000000000C70000-0x0000000004172000-memory.dmp (53.0MB)
    • memory/2512-21-0x0000000000C70000-0x0000000004172000-memory.dmp (53.0MB)
    • memory/2512-26-0x0000000000C70000-0x0000000004172000-memory.dmp (53.0MB)
    • memory/2512-27-0x0000000076681000-0x0000000076682000-memory.dmp (4KB)
    • memory/2512-28-0x0000000076670000-0x0000000076780000-memory.dmp (1.1MB)
    • memory/2512-30-0x0000000076670000-0x0000000076780000-memory.dmp (1.1MB)
