e30d46be4dfd5ee6e4dd5c5bf668329629c13d350858cfa65f67158ef530ed60

General

Target

11.exe
Size

7.8MB
MD5

d047797106617b5ad99807fc6e7bde75
SHA1

73d889f597f98823619e9eafaecc6bf6d11285da
SHA256

e30d46be4dfd5ee6e4dd5c5bf668329629c13d350858cfa65f67158ef530ed60
SHA512

c94233f60563e9b48bcce18de67a5ea242bb6b1f83524e2ed0ea580050efa28d61eac4964d6e8514ef6b190e8bd8fd970c0df66016ed1ca111d6386a75919f33

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

11.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	11.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	11.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

11.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine 11.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

11.exe

pid process

2000 11.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

11.exe

pid process

2000 11.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

11.exe

pid process

2000 11.exe
2000 11.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

11.exe

pid process

2000 11.exe
2000 11.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

11.exe

pid process

2000 11.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	11.exe

pid	process
2000	11.exe

pid	process
2000	11.exe

pid	process
2000	11.exe
2000	11.exe

pid	process
2000	11.exe
2000	11.exe

pid	process
2000	11.exe

C:\Users\Admin\AppData\Local\Temp\11.exe
"C:\Users\Admin\AppData\Local\Temp\11.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2000

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2000-59-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/2000-71-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/2000-70-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2000-87-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/2000-93-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/2000-94-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/2000-92-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/2000-91-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/2000-90-0x0000000005780000-0x0000000005782000-memory.dmp

Filesize
8KB

Download
memory/2000-89-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/2000-88-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/2000-86-0x00000000059B0000-0x00000000059B1000-memory.dmp

Filesize
4KB

Download
memory/2000-85-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/2000-84-0x0000000003600000-0x0000000003601000-memory.dmp

Filesize
4KB

Download
memory/2000-83-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/2000-82-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/2000-81-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/2000-80-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/2000-79-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/2000-78-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/2000-77-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/2000-76-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/2000-75-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download
memory/2000-74-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/2000-73-0x0000000005980000-0x0000000005982000-memory.dmp

Filesize
8KB

Download
memory/2000-72-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/2000-69-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/2000-68-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/2000-67-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/2000-66-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/2000-65-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/2000-64-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/2000-63-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/2000-62-0x0000000005A50000-0x0000000005A52000-memory.dmp

Filesize
8KB

Download
memory/2000-61-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/2000-60-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing