6edb794a9f28cbd60dcb9fefc0e145f64c9e623b3df235a4a907ca948fd1edb9

General

Target

618a1e3551560b86454450f3ea580029.exe
Size

584KB
MD5

618a1e3551560b86454450f3ea580029
SHA1

39d86228750d1eebdb78f60b03c3b638acf72d34
SHA256

6edb794a9f28cbd60dcb9fefc0e145f64c9e623b3df235a4a907ca948fd1edb9
SHA512

d5b309a0ff9b07e74c9cee1df37a627193393de7cc0fe079ab606d94b2beac948c8d7d25378de3cf87b00c7227c70fa8e49291d6060a7254e2ce0439a09c2305

Score

9^/10

evasion

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

618a1e3551560b86454450f3ea580029.exe

pid process

3984 618a1e3551560b86454450f3ea580029.exe
3984 618a1e3551560b86454450f3ea580029.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

618a1e3551560b86454450f3ea580029.exe66545a.exe

pid	process
3984	618a1e3551560b86454450f3ea580029.exe
3984	618a1e3551560b86454450f3ea580029.exe
3984	618a1e3551560b86454450f3ea580029.exe
3984	618a1e3551560b86454450f3ea580029.exe
3984	618a1e3551560b86454450f3ea580029.exe
3984	618a1e3551560b86454450f3ea580029.exe
3984	618a1e3551560b86454450f3ea580029.exe
3984	618a1e3551560b86454450f3ea580029.exe
3984	618a1e3551560b86454450f3ea580029.exe
3984	618a1e3551560b86454450f3ea580029.exe
3984	618a1e3551560b86454450f3ea580029.exe
3984	618a1e3551560b86454450f3ea580029.exe
3984	618a1e3551560b86454450f3ea580029.exe
3984	618a1e3551560b86454450f3ea580029.exe
3984	618a1e3551560b86454450f3ea580029.exe
3984	618a1e3551560b86454450f3ea580029.exe
3744	66545a.exe
3744	66545a.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

618a1e3551560b86454450f3ea580029.exe

description	pid	process	target process
PID 3984 wrote to memory of 3744	3984	618a1e3551560b86454450f3ea580029.exe	66545a.exe
PID 3984 wrote to memory of 3744	3984	618a1e3551560b86454450f3ea580029.exe	66545a.exe
PID 3984 wrote to memory of 3744	3984	618a1e3551560b86454450f3ea580029.exe	66545a.exe
PID 3984 wrote to memory of 424	3984	618a1e3551560b86454450f3ea580029.exe	cmd.exe
PID 3984 wrote to memory of 424	3984	618a1e3551560b86454450f3ea580029.exe	cmd.exe
PID 3984 wrote to memory of 424	3984	618a1e3551560b86454450f3ea580029.exe	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

66545a.exe

pid process

3744 66545a.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

66545a.exe

pid process

3744 66545a.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

66545a.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 66545a.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

System Information Discovery
T1082

Processes:

66545a.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Wine 66545a.exe

pid	process
3744	66545a.exe

pid	process
3744	66545a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	66545a.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Wine	66545a.exe

C:\Users\Admin\AppData\Local\Temp\618a1e3551560b86454450f3ea580029.exe
"C:\Users\Admin\AppData\Local\Temp\618a1e3551560b86454450f3ea580029.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\AppData\Local\Temp\66545a.exe
"C:\Users\Admin\AppData\Local\Temp\66545a.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
PID:3744

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\618a1e3551560b86454450f3ea580029.exe"
2⤵
PID:424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\66545a.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\66545a.exe

Download Submit
memory/424-3-0x0000000000000000-mapping.dmp

Download
memory/3744-0-0x0000000000000000-mapping.dmp

Download
memory/3744-4-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/3744-5-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing