Analysis
-
max time kernel
87s -
max time network
91s -
platform
windows11-21h2_x64 -
resource
win11-20241023-en -
resource tags
arch:x64 arch:x86 image:win11-20241023-en locale:en-us os:windows11-21h2-x64 system -
submitted
27/01/2025, 20:50
Static task
static1
Behavioral task
behavioral1
Sample
utility-1.0.6.3.exe
Resource
win11-20241023-en
General
-
Target
utility-1.0.6.3.exe
-
Size
83.1MB
-
MD5
f1b839e3e730d65be42c55ae50fc9108
-
SHA1
5abd2f6f1a8e194021c8f9032753eeafb0af54e7
-
SHA256
1b57734ff8cb74b218aa7c0920933e21142006a868f16e1ff51fab4f1d93d965
-
SHA512
c52bd2db3e6bf255f6719552a4575928b4b0a69b15300ee48d46418f6de10d4e1871b575a58454c877e6a3b5beb75597110d4aef137725966105bc9344742a95
-
SSDEEP
1572864:XH5NKTg39geYPkantXvZx9IuBoFQWeLlL+G3ELmKWu5IK4lsOHJ10TER94Jc:nKc39bYPk6BvxBoFVeLFLEyNu5j2HJO2
Malware Config
Signatures
-
Detected Nirsoft tools 1 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource: behavioral1/memory/4860-44-0x0000019C39630000-0x0000019C3D54C000-memory.dmp
yara_rule: Nirsoft
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description: Key opened
ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Process: utility.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description: Key value queried
ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Process: utility.exe
description: Key value queried
ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Process: utility.exe
-
Executes dropped EXE 1 IoCs
pid: 4860
Process: utility.exe
-
Loads dropped DLL 1 IoCs
pid: 4860
Process: utility.exe
-
resource: behavioral1/files/0x001900000002aae8-19.dat
yara_rule: themida
resource: behavioral1/memory/4860-22-0x0000000180000000-0x0000000181261000-memory.dmp
yara_rule: themida
resource: behavioral1/memory/4860-27-0x0000000180000000-0x0000000181261000-memory.dmp
yara_rule: themida
resource: behavioral1/memory/4860-26-0x0000000180000000-0x0000000181261000-memory.dmp
yara_rule: themida
resource: behavioral1/memory/4860-25-0x0000000180000000-0x0000000181261000-memory.dmp
yara_rule: themida
resource: behavioral1/memory/4860-28-0x0000000180000000-0x0000000181261000-memory.dmp
yara_rule: themida
resource: behavioral1/memory/4860-40-0x0000000180000000-0x0000000181261000-memory.dmp
yara_rule: themida
resource: behavioral1/memory/4860-42-0x0000000180000000-0x0000000181261000-memory.dmp
yara_rule: themida
resource: behavioral1/memory/4860-50-0x0000000180000000-0x0000000181261000-memory.dmp
yara_rule: themida
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: utility.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid: 4860
Process: utility.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid: 4860
Process: utility.exe
(every one of the 64 IoCs listed for this signature is the same entry: 4860 utility.exe)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description: Token: SeDebugPrivilege
pid: 4860
Process: utility.exe
-
Suspicious use of WriteProcessMemory 2 IoCs
description: PID 1832 wrote to memory of 4860
pid: 1832
Process: utility-1.0.6.3.exe
procid_target: 78
description: PID 1832 wrote to memory of 4860
pid: 1832
Process: utility-1.0.6.3.exe
procid_target: 78
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\utility-1.0.6.3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\utility-1.0.6.3.exe"
  PID: 1832
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\Temp\RarSFX0\utility.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\utility.exe"
    PID: 4860
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
9.4MB
MD5
1536bbb84ce32cfcaf72dbcfd5949401
SHA1
1c6742ed78c708672e06f2c8a4c989bc5e5a838d
SHA256
e3bcb8faecc22a443d41312b80e798a6358749d8b266a1bfc66ede45009e7b92
SHA512
387dda2304d0da1ed732c3d4a8f49987e5998251634cd8b449dd4821a0f7834830d7caaea5a0616ed5810ac4595d8355645266856cc8ba1e4bfed50c874c755e