Analysis
-
max time kernel
140s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18/01/2025, 17:30 UTC
Behavioral task
behavioral1
Sample
BIGBOSS.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
BIGBOSS.exe
Resource
win10v2004-20241007-en
General
-
Target
BIGBOSS.exe
-
Size
36.6MB
-
MD5
19773de3aada9bebac1c8a284059e0a5
-
SHA1
482dcb8326ab158a0b054516cede9d80119dca7b
-
SHA256
4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217
-
SHA512
829ee42d011ca1064a272fc626540b5ddf115d1e59e8e107b185def9ced215b96ce3018c7ff4a8a6c30893e313c64e1df58e7771e1d2f868fcfa61c7ecd56346
-
SSDEEP
786432:w5iyxGxoo4kxSjEN0CgFjaj2G8NkzJD4pSbN+WYbO7fqffK:w01xoLvCgxayG8NkzJDaSbN+WY8qffK
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ BIGBOSS.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion BIGBOSS.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion BIGBOSS.exe -
resource yara_rule behavioral1/memory/2512-20-0x0000000000C70000-0x0000000004172000-memory.dmp themida behavioral1/memory/2512-21-0x0000000000C70000-0x0000000004172000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA BIGBOSS.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2512 BIGBOSS.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BIGBOSS.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2512 BIGBOSS.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2512 BIGBOSS.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2512 wrote to memory of 2252 2512 BIGBOSS.exe 31 PID 2512 wrote to memory of 2252 2512 BIGBOSS.exe 31 PID 2512 wrote to memory of 2252 2512 BIGBOSS.exe 31 PID 2512 wrote to memory of 2252 2512 BIGBOSS.exe 31 PID 2252 wrote to memory of 2696 2252 chrome.exe 32 PID 2252 wrote to memory of 2696 2252 chrome.exe 32 PID 2252 wrote to memory of 2696 2252 chrome.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\BIGBOSS.exe"C:\Users\Admin\AppData\Local\Temp\BIGBOSS.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window --start-in-incognito2⤵
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7319758,0x7fef7319768,0x7fef73197783⤵PID:2696
-
-
Network
-
Remote address:8.8.8.8:53Requests3.amazonaws.comIN AResponses3.amazonaws.comIN A54.231.167.24s3.amazonaws.comIN A54.231.168.160s3.amazonaws.comIN A52.217.116.32s3.amazonaws.comIN A52.217.68.222s3.amazonaws.comIN A52.216.217.112s3.amazonaws.comIN A16.182.108.72s3.amazonaws.comIN A52.216.43.232s3.amazonaws.comIN A16.182.35.32
-
Remote address:8.8.8.8:53Requests3.amazonaws.comIN A
-
Remote address:8.8.8.8:53Requests3.amazonaws.comIN A
-
Remote address:8.8.8.8:53Requests3.amazonaws.comIN A
-
418 B 179 B 4 4
-
258 B 179 B 3 4
-
248 B 190 B 4 1
DNS Request
s3.amazonaws.com
DNS Request
s3.amazonaws.com
DNS Request
s3.amazonaws.com
DNS Request
s3.amazonaws.com
DNS Response
54.231.167.2454.231.168.16052.217.116.3252.217.68.22252.216.217.11216.182.108.7252.216.43.23216.182.35.32