Analysis
- max time kernel: 79s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:51
Static task: static1

Behavioral task: behavioral1
- Sample: f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe
- Resource: win10v2004-20220414-en
General
- Target: f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe
- Size: 110KB
- MD5: 2926548716d0ffc875d9cddf62c03911
- SHA1: 175d40cb33cc6c01077fd3e765950e36d8773e0a
- SHA256: f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c
- SHA512: 1af5252e8430b285269b4a9a31527f9af5c35db50310f306068ded2601f71fae647c39b3190113e82d2c8ef20f94032b82dab481cc4a40c6649b0064d770efcd
Malware Config
Signatures
- Enumerates VirtualBox registry keys (2 TTPs)
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 3 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Wine | f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe
  pid | process
  1668 | f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe
  1668 | f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe
  description | pid | process | target process
  PID 1668 set thread context of 1944 | 1668 | f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe | svchost.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  1312 | 1944 | WerFault.exe | svchost.exe
- Suspicious behavior: EnumeratesProcesses (37 IoCs)
  Processes: f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe
  pid | process
  1668 | f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe (37 identical entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe
  pid | process
  1668 | f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe, svchost.exe
  description | pid | process | target process
  PID 1668 wrote to memory of 1944 | 1668 | f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe | svchost.exe (4 identical entries)
  PID 1944 wrote to memory of 1312 | 1944 | svchost.exe | WerFault.exe (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f895e4d8abe7ebe924498dc1c5af9ab9af5533bb713404f752d9a4536968441c.exe"
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 104
      - Program crash
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1312-59-0x0000000000000000-mapping.dmp
- memory/1668-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp (Filesize: 8KB)
- memory/1668-55-0x0000000000230000-0x000000000023C000-memory.dmp (Filesize: 48KB)
- memory/1668-56-0x0000000000400000-0x000000000044F000-memory.dmp (Filesize: 316KB)
- memory/1944-57-0x00000000000C6089-mapping.dmp
- memory/1944-58-0x00000000000C0000-0x00000000000D1000-memory.dmp (Filesize: 68KB)
- memory/1944-60-0x00000000008A0000-0x00000000018A0000-memory.dmp (Filesize: 16.0MB)