Managed XDR

icube-billsoft.exe — malware analysis report

File info

Filename
icube-billsoft.exe
File type
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File size
87.6 MB
First seen
Last seen

Environment

w10/x86 en

Hashes

SHA1
d9533e4d3a7cb1c8717e22ac60357588485992a0
SHA256
c9c7cc007f985e74e48b0f7c1960f3be80ab783ed8d36427b1fc29fd1979f16f
MD5
de0333840f57d81d03c3bc0b01b10afc

Signatures

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Defense Evasion

T1497.001 antivm_generic_bios: Checks the BIOS version, possibly for anti-virtualization
T1497.001 antivm_firmware: Attempts to detect VM by firmware
T1497.001 antivm_vbox_acpi: Detects virtualization using ACPI
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1222 icacls: May obtain or change Discretionary access control lists (DACLs)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1497 checks_firmware: Attempts to read firmware information (potentially for evasion)
T1497.001 antivm_generic_video: Checks information about video adapters in registry, possibly for anti-virtualization

Discovery

T1497.001 antivm_generic_bios: Checks the BIOS version, possibly for anti-virtualization
T1497.001 antivm_firmware: Attempts to detect VM by firmware
T1497.001 antivm_vbox_acpi: Detects virtualization using ACPI
T1518 locates_browser: Attempts to identify where browsers are installed
T1082 checks_firmware: Attempts to read firmware information (potentially for evasion)
T1497 checks_firmware: Attempts to read firmware information (potentially for evasion)
T1497.001 antivm_generic_video: Checks information about video adapters in registry, possibly for anti-virtualization

Other

pe_in_bcryptdecrypt: PE found in BCryptDecrypt function
creates_exe: Creates executable files in the file system
unexpected_exception: Unexpected exception
creates_suspended_process: Creates suspended process
dotnet_import_unmanaged_code: Dotnet program statically imports unmanaged functions/modules
message_box: Displays a message
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call
writes_data: Writes big amount of data to disk
yara_rules: Static rules
dotnet_downloader_possible_network_problem: Dotnet program possibly has network problem