Analysis
- max time kernel: 18s
- max time network: 29s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 01:30
Behavioral task behavioral1
- Sample: MW2019_VIP.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: MW2019_VIP.exe
- Resource: win10v2004-20240611-en
Errors
General
- Target: MW2019_VIP.exe
- Size: 5.5MB
- MD5: 19595e158228641282d88264642899eb
- SHA1: 99ab466acb14b66d19711984c74884fa62021dc1
- SHA256: 2156b5680ac6d329f93bbe7993a2acd725b6abb53ae0e4b4ea76ec41176c4627
- SHA512: 60b77bee0bc6097c546523e79c367241cb733f4b90b00b77b0c5262893fe7102adf17eefe4b7289baafee6bfc3a5f4b7a59dd8850a12142628e11496b10883be
- SSDEEP: 98304:buvioI5S9jWCQx4+HS1nLn9BmJbTB3NKfjlSwd3O0qa:buvisjFieLn9INofjlndf
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  Processes: MW2019_VIP.exe
    description   ioc                                           process
    Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   MW2019_VIP.exe
- Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: MW2019_VIP.exe
    description         ioc                                                              process
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   MW2019_VIP.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    MW2019_VIP.exe
- Themida-protected executable (yara rule: themida)
  Processes: MW2019_VIP.exe
    resource                                                                      yara_rule
    behavioral2/memory/2516-0-0x00007FF6C4B60000-0x00007FF6C597C000-memory.dmp   themida
    behavioral2/memory/2516-4-0x00007FF6C4B60000-0x00007FF6C597C000-memory.dmp   themida
    behavioral2/memory/2516-2-0x00007FF6C4B60000-0x00007FF6C597C000-memory.dmp   themida
    behavioral2/memory/2516-3-0x00007FF6C4B60000-0x00007FF6C597C000-memory.dmp   themida
    behavioral2/memory/2516-7-0x00007FF6C4B60000-0x00007FF6C597C000-memory.dmp   themida
    behavioral2/memory/2516-6-0x00007FF6C4B60000-0x00007FF6C597C000-memory.dmp   themida
    behavioral2/memory/2516-5-0x00007FF6C4B60000-0x00007FF6C597C000-memory.dmp   themida
    behavioral2/memory/2516-9-0x00007FF6C4B60000-0x00007FF6C597C000-memory.dmp   themida
- Checks whether UAC is enabled
  Processes: MW2019_VIP.exe
    description         ioc                                                                               process
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   MW2019_VIP.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes: MW2019_VIP.exe
    pid    process
    2516   MW2019_VIP.exe
- Modifies data under HKEY_USERS 15 IoCs
  Processes: LogonUI.exe
    description         ioc                                                                                                   process
    Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"      LogonUI.exe
    Key created         \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM                                                LogonUI.exe
    Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"                     LogonUI.exe
    Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"            LogonUI.exe
    Key created         \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent                     LogonUI.exe
    Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"   LogonUI.exe
    Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"               LogonUI.exe
    Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"               LogonUI.exe
    Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"    LogonUI.exe
    Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"                  LogonUI.exe
    Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"                LogonUI.exe
    Key created         \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History                      LogonUI.exe
    Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"           LogonUI.exe
    Set value (int)     \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "111"               LogonUI.exe
    Set value (data)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00   LogonUI.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes: shutdown.exe
    description                        pid    process
    Token: SeShutdownPrivilege         4188   shutdown.exe
    Token: SeRemoteShutdownPrivilege   4188   shutdown.exe
- Suspicious use of SetWindowsHookEx 1 IoCs
  Processes: LogonUI.exe
    pid    process
    2344   LogonUI.exe
- Suspicious use of WriteProcessMemory 18 IoCs
  Processes: MW2019_VIP.exe, cmd.exe, cmd.exe
    description                        pid    process          target process
    PID 2516 wrote to memory of 2296   2516   MW2019_VIP.exe   cmd.exe
    PID 2516 wrote to memory of 2296   2516   MW2019_VIP.exe   cmd.exe
    PID 2296 wrote to memory of 1524   2296   cmd.exe          bcdedit.exe
    PID 2296 wrote to memory of 1524   2296   cmd.exe          bcdedit.exe
    PID 2516 wrote to memory of 3884   2516   MW2019_VIP.exe   cmd.exe
    PID 2516 wrote to memory of 3884   2516   MW2019_VIP.exe   cmd.exe
    PID 2516 wrote to memory of 5056   2516   MW2019_VIP.exe   cmd.exe
    PID 2516 wrote to memory of 5056   2516   MW2019_VIP.exe   cmd.exe
    PID 2516 wrote to memory of 1448   2516   MW2019_VIP.exe   cmd.exe
    PID 2516 wrote to memory of 1448   2516   MW2019_VIP.exe   cmd.exe
    PID 2516 wrote to memory of 3384   2516   MW2019_VIP.exe   cmd.exe
    PID 2516 wrote to memory of 3384   2516   MW2019_VIP.exe   cmd.exe
    PID 2516 wrote to memory of 3804   2516   MW2019_VIP.exe   cmd.exe
    PID 2516 wrote to memory of 3804   2516   MW2019_VIP.exe   cmd.exe
    PID 2516 wrote to memory of 2392   2516   MW2019_VIP.exe   cmd.exe
    PID 2516 wrote to memory of 2392   2516   MW2019_VIP.exe   cmd.exe
    PID 2392 wrote to memory of 4188   2392   cmd.exe          shutdown.exe
    PID 2392 wrote to memory of 4188   2392   cmd.exe          shutdown.exe
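The anti-analysis signatures above (VirtualBox ACPI key, BIOS version strings, EnableLUA) all reduce to a handful of registry reads. The script below is an added example, not part of the sandbox report or of the sample: it parses event lines in the report's own "description ioc process" layout, folds the kernel-style \REGISTRY\MACHINE and Win32-style HKLM spellings into one form, and scores each process by the artifacts it touched. The weights, the vmcheck.exe process and its Procmon-style line are assumptions made for the example; the MW2019_VIP.exe and LogonUI.exe lines are the report's. The weighting reflects a practical caveat: SystemBiosVersion, VideoBiosVersion and EnableLUA are also read by legitimate installers and inventory tools, so on their own they are weak signals, whereas HARDWARE\ACPI\DSDT\VBOX__ is the VirtualBox firmware's ACPI table ID and is only present on a VirtualBox guest.

```python
"""Score sandbox registry events against known anti-analysis artifacts.

Added example; not part of the sandbox report or of the sample.  Event lines
use the report's "description ioc process" layout and are constructed inline
(the MW2019_VIP.exe and LogonUI.exe lines copy the report, vmcheck.exe is
made up for the example).
"""
import re
from dataclasses import dataclass

# (normalised key pattern, signature name, weight).  Weights are an assumption
# for this example: the VBOX__ DSDT table ID is VirtualBox-specific, while BIOS
# version strings and EnableLUA are also read by legitimate software.
ARTIFACTS = [
    (r"^HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__$",
     "Identifies VirtualBox via ACPI registry values (likely anti-VM)", 3),
    (r"^HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM\\(SYSTEMBIOSVERSION|VIDEOBIOSVERSION)$",
     "Checks BIOS information in registry", 1),
    (r"^HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM\\ENABLELUA$",
     "Checks whether UAC is enabled", 1),
]

# Kernel-style and Win32-style hive names both occur in logs; fold them.
HIVE_ALIASES = {
    "\\REGISTRY\\MACHINE": "HKLM", "HKEY_LOCAL_MACHINE": "HKLM", "HKLM": "HKLM",
    "\\REGISTRY\\USER": "HKU", "HKEY_USERS": "HKU", "HKU": "HKU",
}

ACTIONS = ("Key value queried", "Key opened", "Key created",
           "Set value (int)", "Set value (data)")


@dataclass
class Event:
    action: str
    path: str
    process: str


@dataclass
class Finding:
    signature: str
    event: Event
    weight: int


def parse_event(line):
    """Parse '<action> <path> [= <value>] <process>'.  Registry paths in the
    report contain no spaces, so the first token after the action is the path
    and the last token is the process image."""
    line = line.strip()
    for action in ACTIONS:
        if line.startswith(action + " "):
            tokens = line[len(action) + 1:].split()
            return Event(action, tokens[0], tokens[-1])
    raise ValueError(f"unrecognised event line: {line!r}")


def normalise(path):
    """Upper-case the path and rewrite the hive prefix to HKLM/HKU."""
    upper = path.upper()
    for prefix, alias in HIVE_ALIASES.items():
        if upper.startswith(prefix + "\\"):
            return alias + upper[len(prefix):]
    return upper


def classify(lines):
    """Return one Finding per (event, matching artifact) pair."""
    findings = []
    for line in lines:
        event = parse_event(line)
        key = normalise(event.path)
        for pattern, signature, weight in ARTIFACTS:
            if re.match(pattern, key):
                findings.append(Finding(signature, event, weight))
    return findings


def score_by_process(findings):
    """Sum artifact weights per process; benign writers never appear."""
    scores = {}
    for f in findings:
        scores[f.event.process] = scores.get(f.event.process, 0) + f.weight
    return scores


SAMPLE_EVENTS = [
    # From the report (MW2019_VIP.exe, PID 2516).
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ MW2019_VIP.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion MW2019_VIP.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion MW2019_VIP.exe",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MW2019_VIP.exe",
    # From the report (LogonUI.exe): logon-screen theme writes, must not match.
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe',
    r"Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe",
    # Constructed: a Procmon-style HKLM spelling from a hypothetical process.
    r"Key value queried HKLM\Hardware\Description\System\SystemBiosVersion vmcheck.exe",
]

if __name__ == "__main__":
    for f in classify(SAMPLE_EVENTS):
        print(f"{f.event.process:16} {f.signature}")
    print(score_by_process(classify(SAMPLE_EVENTS)))
```

Run stand-alone it lists the four MW2019_VIP.exe hits plus the constructed vmcheck.exe hit and prints the per-process totals; the LogonUI.exe theme writes under HKU score nothing, which is the point of keying on exact normalised paths rather than on "touches HARDWARE".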
Processes
- C:\Users\Admin\AppData\Local\Temp\MW2019_VIP.exe  (PID 2516)
  "C:\Users\Admin\AppData\Local\Temp\MW2019_VIP.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe  (PID 2296)
    C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\bcdedit.exe  (PID 1524)
      bcdedit /set hypervisorlaunchtype off
      - Modifies boot configuration data using bcdedit
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe  (PID 2392)
    C:\Windows\system32\cmd.exe /c shutdown /r /f /t 0 >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\shutdown.exe  (PID 4188)
      shutdown /r /f /t 0
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe  (PID 2344)
  "LogonUI.exe" /flags:0x4 /state0:0xa39bb855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
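The one persistent change in the tree is `bcdedit /set hypervisorlaunchtype off`, which stops Windows from launching the Hyper-V hypervisor at the next boot; anything built on it, including virtualization-based security (HVCI, Credential Guard) and any Hyper-V guests, is then off. The immediate forced reboot (`shutdown /r /f /t 0`) makes the change take effect, and the LogonUI.exe entry with its HKEY_USERS theme writes is the logon screen that came up afterwards, not sample activity. The script below is an added example, not part of the sandbox report or of the sample: it rebuilds the process tree from the report's WriteProcessMemory IoCs, tags the bcdedit and shutdown command lines, and flags a root process under which both happened. The edge lines, PIDs and command lines are the report's; treating each WriteProcessMemory edge as a parent-to-child spawn, the shutdown.exe default time-out of 30 seconds, and the tagging rules are assumptions made for the example.

```python
"""Rebuild a process tree from sandbox WriteProcessMemory edges and flag a
hypervisor-launch change followed by a forced reboot.

Added example; not part of the sandbox report or of the sample.  The edge
lines and command lines below are the report's own (PIDs included); the
classification logic and the treatment of each edge as a parent->child spawn
are assumptions made for this example.
"""
import re
from collections import defaultdict

# "PID <ppid> wrote to memory of <pid> <ppid> <parent image> <child image>"
EDGE_RE = re.compile(
    r"PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) \d+ (?P<pimage>\S+) (?P<image>\S+)"
)
HV_RE = re.compile(r"\bhypervisorlaunchtype\s+(?P<value>\S+)", re.IGNORECASE)


def build_tree(edge_lines):
    """Return (parent_of, image_of).  The sandbox logs every write twice, so
    repeated edges fold into one.  Caveat: a write by an unrelated process
    (injection rather than spawn) would also appear here as an edge."""
    parent_of, image_of = {}, {}
    for line in edge_lines:
        m = EDGE_RE.search(line)
        if not m:
            continue
        ppid, pid = int(m["ppid"]), int(m["pid"])
        parent_of[pid] = ppid
        image_of.setdefault(ppid, m["pimage"])
        image_of[pid] = m["image"]
    return parent_of, image_of


def root_of(pid, parent_of):
    """Walk parent links until a process with no recorded parent."""
    while pid in parent_of:
        pid = parent_of[pid]
    return pid


def classify_cmdline(cmdline):
    """Tag bcdedit hypervisorlaunchtype changes and shutdown-driven reboots.
    Other command lines (the cmd.exe wrappers, 'cls') return None."""
    argv = cmdline.split()
    if not argv:
        return None
    exe = argv[0].strip('"').lower().rsplit("\\", 1)[-1]
    args = [a.lower() for a in argv[1:]]
    if exe in ("bcdedit", "bcdedit.exe") and "/set" in args:
        m = HV_RE.search(cmdline)  # tolerates an explicit {current}/{default} id
        if m:
            return {"kind": "hypervisor_launch", "value": m["value"].lower()}
    if exe in ("shutdown", "shutdown.exe") and "/r" in args:
        delay = 30  # assumed: shutdown.exe's default time-out when /t is absent
        if "/t" in args and args.index("/t") + 1 < len(args):
            delay = int(args[args.index("/t") + 1])
        return {"kind": "reboot", "forced": "/f" in args, "delay": delay}
    return None


def assess(edge_lines, cmdlines):
    """Group tagged processes by root ancestor and report any root under which
    hypervisorlaunchtype was set to off and a reboot was then issued."""
    parent_of, image_of = build_tree(edge_lines)
    by_root = defaultdict(list)
    for pid, cmd in cmdlines.items():
        tag = classify_cmdline(cmd)
        if tag:
            by_root[root_of(pid, parent_of)].append(dict(tag, pid=pid))
    findings = []
    for root, tags in by_root.items():
        hv_off = [t for t in tags if t["kind"] == "hypervisor_launch" and t["value"] == "off"]
        reboot = [t for t in tags if t["kind"] == "reboot"]
        if hv_off and reboot:
            r = reboot[0]
            findings.append(
                f"{image_of.get(root, '?')} (PID {root}): hypervisorlaunchtype off via "
                f"PID {hv_off[0]['pid']}, reboot via PID {r['pid']} "
                f"(forced={r['forced']}, delay={r['delay']}s)"
            )
    return findings


# Edges from the report's WriteProcessMemory IoCs (duplicates kept on purpose).
EDGES = [
    "PID 2516 wrote to memory of 2296 2516 MW2019_VIP.exe cmd.exe",
    "PID 2516 wrote to memory of 2296 2516 MW2019_VIP.exe cmd.exe",
    "PID 2296 wrote to memory of 1524 2296 cmd.exe bcdedit.exe",
    "PID 2296 wrote to memory of 1524 2296 cmd.exe bcdedit.exe",
    "PID 2516 wrote to memory of 2392 2516 MW2019_VIP.exe cmd.exe",
    "PID 2392 wrote to memory of 4188 2392 cmd.exe shutdown.exe",
]
# Command lines from the report's process tree, keyed by PID.
CMDLINES = {
    2516: r'"C:\Users\Admin\AppData\Local\Temp\MW2019_VIP.exe"',
    2296: r"C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >nul 2>&1",
    1524: r"bcdedit /set hypervisorlaunchtype off",
    2392: r"C:\Windows\system32\cmd.exe /c shutdown /r /f /t 0 >nul 2>&1",
    4188: r"shutdown /r /f /t 0",
}

if __name__ == "__main__":
    for line in assess(EDGES, CMDLINES):
        print(line)
```

Tagging is done on the bcdedit.exe and shutdown.exe processes themselves rather than on the `cmd.exe /c ...` wrappers, so each action is counted once; the ancestry walk is what ties the two actions back to MW2019_VIP.exe even though neither child was spawned by it directly. On a live host the equivalent check is the `hypervisorlaunchtype` line of `bcdedit /enum {current}`.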
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
  resource                                                          filesize
  memory/2516-0-0x00007FF6C4B60000-0x00007FF6C597C000-memory.dmp    14.1MB
  memory/2516-1-0x00007FFE7F9B0000-0x00007FFE7F9B2000-memory.dmp    8KB
  memory/2516-4-0x00007FF6C4B60000-0x00007FF6C597C000-memory.dmp    14.1MB
  memory/2516-2-0x00007FF6C4B60000-0x00007FF6C597C000-memory.dmp    14.1MB
  memory/2516-3-0x00007FF6C4B60000-0x00007FF6C597C000-memory.dmp    14.1MB
  memory/2516-7-0x00007FF6C4B60000-0x00007FF6C597C000-memory.dmp    14.1MB
  memory/2516-6-0x00007FF6C4B60000-0x00007FF6C597C000-memory.dmp    14.1MB
  memory/2516-5-0x00007FF6C4B60000-0x00007FF6C597C000-memory.dmp    14.1MB
  memory/2516-9-0x00007FF6C4B60000-0x00007FF6C597C000-memory.dmp    14.1MB