c0244966bbd12dae893167331e18d7b8778564ceee39d805309556a8a85e0ffe

Analysis

max time kernel
72s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
22-01-2021 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5566554.exe
Size

16.1MB
MD5

24934cf064e46433dfd46748768f50aa
SHA1

4fc217871854247510a2d13aa285fbb7ee13ed05
SHA256

c0244966bbd12dae893167331e18d7b8778564ceee39d805309556a8a85e0ffe
SHA512

7fa8afac244f02d646b7c493858887ad564d5d2434d32aae60d1a30df815b339fab8d2c98b60eea770dbcd0ead1cefe184baedb1074b4c9013ba50efa3085119

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 1 IoCs

Processes:

CL_Debug_Log.txt

pid process

960 CL_Debug_Log.txt

pid	process
960	CL_Debug_Log.txt

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5566554.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5566554.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5566554.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

5566554.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine 5566554.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

5566554.exe

pid process

740 5566554.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1672 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5566554.exe

pid process

740 5566554.exe
740 5566554.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	5566554.exe

pid	process
740	5566554.exe

pid	process
1672	schtasks.exe

pid	process
740	5566554.exe
740	5566554.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

CL_Debug_Log.txt

description	pid	process
Token: SeRestorePrivilege	960	CL_Debug_Log.txt
Token: 35	960	CL_Debug_Log.txt
Token: SeSecurityPrivilege	960	CL_Debug_Log.txt
Token: SeSecurityPrivilege	960	CL_Debug_Log.txt

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

5566554.exe

pid process

740 5566554.exe
740 5566554.exe
740 5566554.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

5566554.exe

pid process

740 5566554.exe
740 5566554.exe
740 5566554.exe

pid	process
740	5566554.exe
740	5566554.exe
740	5566554.exe

pid	process
740	5566554.exe
740	5566554.exe
740	5566554.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5566554.execmd.exe

description	pid	process	target process
PID 740 wrote to memory of 960	740	5566554.exe	CL_Debug_Log.txt
PID 740 wrote to memory of 960	740	5566554.exe	CL_Debug_Log.txt
PID 740 wrote to memory of 960	740	5566554.exe	CL_Debug_Log.txt
PID 740 wrote to memory of 1200	740	5566554.exe	cmd.exe
PID 740 wrote to memory of 1200	740	5566554.exe	cmd.exe
PID 740 wrote to memory of 1200	740	5566554.exe	cmd.exe
PID 1200 wrote to memory of 1672	1200	cmd.exe	schtasks.exe
PID 1200 wrote to memory of 1672	1200	cmd.exe	schtasks.exe
PID 1200 wrote to memory of 1672	1200	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5566554.exe
"C:\Users\Admin\AppData\Local\Temp\5566554.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\start2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /XML "SystemCheck.xml" /TN "System\SystemCheck"
3⤵
- Creates scheduled task(s)
PID:1672

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32.exe
MD5
8bbd4a4df746b749c8c73857fbb14623

SHA1
27a3d57f2ae0fd9463c7c4801da38291e710ae0c

SHA256
b7d73ac25f4a7da1ce803c70fc897f1bb6e520ef9275106e933934ed262f2f6d

SHA512
e9a8bd766c9ce4fe85e29c071f3c701c705384e3f2eed38aaa2b59afeda0122648deaddf42780b1d05555591285a005ef189bd709de1e11fe6fbaf8766f9a489

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe
MD5
cc262a17ac8b9a09d5b61d62d02058a2

SHA1
df86ac5a9f3cad4504b25fccbb8b50c2e6667f96

SHA256
35476f69b04d6b15b7c67b7857deaf3a539a52501e92171672268a6ebea6b974

SHA512
31a1743d2154d12886ed9001e2038bdc6bf4c730ed86ef71ec5d7b03b70954fff34ee3d7b378e6a77fdcdc5c26a62050ab5879315de99fa4c09a73654f3ad0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt
MD5
d73945172530096fa58363db958468cf

SHA1
127515f970dd9d20027429c7ba0fc1e5712657bf

SHA256
7792b626d3b441652c08f76ec276a0143e96d47ad5e6e278895810a2585504d3

SHA512
9a1ad6544f5add2fd1b3180c01cbce55b3de4ce3e60b430c7cb4a2b4fa226a94518f806e364d316c7006796312d4d8a7d1ccd0ac06fd48080a4e40f78faddc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml
MD5
04a0a7f7f0136f5461b6589751a8e44f

SHA1
e5cdbfe0a1cab2c27f9c464efb0933db1b258fce

SHA256
a6d64b2a57916fe29a63f8b515d62c576276bd090042023ccc36ad29fee3df0c

SHA512
ced46b3f679c48bd0e0755d58af9a7d3b1a1289ee1b2e5f64261aaecb09e0c72c8101e6262de2810d329d5d70a49304f1340353f0c3a496a956e1b0e35414e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\asacpiex.dll
MD5
864a4fdcdf7ed369a036831b0c62a680

SHA1
be7ef0c402accdb1f098300be8e5c7dd93d4e6f5

SHA256
0756a6d1f819a606a3385eb81502072a1ff511fdcb6be920f6241f88eae1bef4

SHA512
56d3aba77a6a2653bfed82c27702740f4dcd42e170f36133190059a775e420fe41c0dd69fe26326a2ba1da5e93f3372ad2f664c59588b326b04cd92910b4bcf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.bat
MD5
17e775273e9fc08eb4df35d875cd9db3

SHA1
03c0cbab2b4f8373b525961aa0ba7242d279dae2

SHA256
3bec18bbb83921f2a0917c45e65f79d4e631b33c4ea78041148d61b8860fd441

SHA512
e33f9d9ff587397ab3fee2ca918552665c7f61b993d0e46e8d493f4a1f7598fab2cd2631d4a3fdda5cec6af0228e9262f7f76508ba73de170eb3b227a5b242d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\start2.bat
MD5
1e5ea39d6fd8ba6d7c15f71abaf86c01

SHA1
d06c57258448a096a45caf09e1c0bc2d3a255499

SHA256
4fe522f71153e8f1c0bce3babc158a6f640f2c1817359c79c9b31ae942de10c2

SHA512
2ec66d3eb02aa0ba21515c66819ceb1df19670d44fe4b7095a4218d825e444e94e1c8a559075908be03b67060e2a1628307b80b239b40fe4ef08e77b0823afe0

Download Submit
memory/740-11-0x000000000C170000-0x000000000C171000-memory.dmp

Filesize
4KB

Download
memory/740-23-0x000000000C3A0000-0x000000000C3A1000-memory.dmp

Filesize
4KB

Download
memory/740-14-0x000000000C3F0000-0x000000000C3F1000-memory.dmp

Filesize
4KB

Download
memory/740-12-0x000000000C350000-0x000000000C351000-memory.dmp

Filesize
4KB

Download
memory/740-16-0x000000000C0F0000-0x000000000C0F1000-memory.dmp

Filesize
4KB

Download
memory/740-15-0x000000000C3E0000-0x000000000C3E1000-memory.dmp

Filesize
4KB

Download
memory/740-17-0x000000000C120000-0x000000000C121000-memory.dmp

Filesize
4KB

Download
memory/740-18-0x000000000C110000-0x000000000C111000-memory.dmp

Filesize
4KB

Download
memory/740-20-0x000000000C3D0000-0x000000000C3D1000-memory.dmp

Filesize
4KB

Download
memory/740-19-0x000000000C320000-0x000000000C322000-memory.dmp

Filesize
8KB

Download
memory/740-21-0x000000000C380000-0x000000000C381000-memory.dmp

Filesize
4KB

Download
memory/740-6-0x000000000C180000-0x000000000C181000-memory.dmp

Filesize
4KB

Download
memory/740-22-0x000000000C3B0000-0x000000000C3B1000-memory.dmp

Filesize
4KB

Download
memory/740-13-0x000000000C3C0000-0x000000000C3C1000-memory.dmp

Filesize
4KB

Download
memory/740-2-0x000000000AB10000-0x000000000AB11000-memory.dmp

Filesize
4KB

Download
memory/740-10-0x000000000C190000-0x000000000C191000-memory.dmp

Filesize
4KB

Download
memory/740-3-0x000000000B310000-0x000000000B311000-memory.dmp

Filesize
4KB

Download
memory/740-9-0x000000000C130000-0x000000000C131000-memory.dmp

Filesize
4KB

Download
memory/740-7-0x000000000C0E0000-0x000000000C0E1000-memory.dmp

Filesize
4KB

Download
memory/740-4-0x0000000077D14000-0x0000000077D15000-memory.dmp

Filesize
4KB

Download
memory/740-8-0x000000000C1B0000-0x000000000C1B1000-memory.dmp

Filesize
4KB

Download
memory/740-32-0x000000000AE80000-0x000000000AE81000-memory.dmp

Filesize
4KB

Download
memory/740-36-0x000000000C2E0000-0x000000000C2E2000-memory.dmp

Filesize
8KB

Download
memory/740-5-0x000000000C1A0000-0x000000000C1A1000-memory.dmp

Filesize
4KB

Download
memory/960-24-0x0000000000000000-mapping.dmp

Download
memory/1200-27-0x0000000000000000-mapping.dmp

Download
memory/1672-30-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads