3e4f235697282e8f59af60dedbb4a5e53c2e344a876d78b8e6174a54366f16f1

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
01-07-2022 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e4f235697282e8f59af60dedbb4a5e53c2e344a876d78b8e6174a54366f16f1.exe
Size

3.8MB
MD5

ba8ae30fabb76bbbfa36e93af3d5a036
SHA1

73a9e8c4c3024b332a6ce8604aded9220fafa3a7
SHA256

3e4f235697282e8f59af60dedbb4a5e53c2e344a876d78b8e6174a54366f16f1
SHA512

f3bc6c8ed5b9da02ff68c575bd88f1fd2951f572634d12a816d26cc4bee3f19d2db4031139177285f151dc36d04560583b5abad94970850c484606eb313b4d41

Score

9^/10

evasion spyware stealer

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

java.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ java.exe
Executes dropped EXE 1 IoCs

Processes:

java.exe

pid process

1280 java.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	java.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

java.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	java.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	java.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3e4f235697282e8f59af60dedbb4a5e53c2e344a876d78b8e6174a54366f16f1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	3e4f235697282e8f59af60dedbb4a5e53c2e344a876d78b8e6174a54366f16f1.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

java.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Wine java.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Wine	java.exe

Loads dropped DLL 23 IoCs

Processes:

java.exe

pid	process
1280	java.exe
1280	java.exe
1280	java.exe
1280	java.exe
1280	java.exe
1280	java.exe
1280	java.exe
1280	java.exe
1280	java.exe
1280	java.exe
1280	java.exe
1280	java.exe
1280	java.exe
1280	java.exe
1280	java.exe
1280	java.exe
1280	java.exe
1280	java.exe
1280	java.exe
1280	java.exe
1280	java.exe
1280	java.exe
1280	java.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

java.exe

pid process

1280 java.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

java.exe

pid process

1280 java.exe
1280 java.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3e4f235697282e8f59af60dedbb4a5e53c2e344a876d78b8e6174a54366f16f1.exe

description	pid	process	target process
PID 4532 wrote to memory of 1280	4532	3e4f235697282e8f59af60dedbb4a5e53c2e344a876d78b8e6174a54366f16f1.exe	java.exe
PID 4532 wrote to memory of 1280	4532	3e4f235697282e8f59af60dedbb4a5e53c2e344a876d78b8e6174a54366f16f1.exe	java.exe
PID 4532 wrote to memory of 1280	4532	3e4f235697282e8f59af60dedbb4a5e53c2e344a876d78b8e6174a54366f16f1.exe	java.exe

C:\Users\Admin\AppData\Local\Temp\3e4f235697282e8f59af60dedbb4a5e53c2e344a876d78b8e6174a54366f16f1.exe
"C:\Users\Admin\AppData\Local\Temp\3e4f235697282e8f59af60dedbb4a5e53c2e344a876d78b8e6174a54366f16f1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4532

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\java.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\java.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MSVCR100.dll
Filesize
740KB

MD5
0e8888aadab9669d06f55767f2ccaf7b

SHA1
4a1917b4fbda7705782216594fc912e41e76465a

SHA256
43af6d081b5ded0bd3b1b269719b3a63400da25a805d46d579c4dd2a77861ba1

SHA512
66aea1fb8e3e205ae336c0d4dfc8c7a0b635b2f58be893bae47c04e55c128cec2c95cd377fea5ea33befe86b3af7e9dbf35dedd5a9aa5a8bca8b2dbdc5e55ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\java.exe
Filesize
2.9MB

MD5
795a4e9c3f19573bece0e67bc0608794

SHA1
d401857ff97b7e0ad9553dca8b158d1dae49b355

SHA256
9089b64ea35e9a711c1ac2dcb8fc54376f33b7fcfc3519d72fe20531d3a2e4dc

SHA512
765fe0c852237b8a14fff755ff2ffc847a466041d967b8290f42b2b52e8a07dc0efe462bf4722e4ec2773ff0188badf05341638738a42e95d3af08a99036768f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\java.exe
Filesize
2.9MB

MD5
795a4e9c3f19573bece0e67bc0608794

SHA1
d401857ff97b7e0ad9553dca8b158d1dae49b355

SHA256
9089b64ea35e9a711c1ac2dcb8fc54376f33b7fcfc3519d72fe20531d3a2e4dc

SHA512
765fe0c852237b8a14fff755ff2ffc847a466041d967b8290f42b2b52e8a07dc0efe462bf4722e4ec2773ff0188badf05341638738a42e95d3af08a99036768f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\libcurl.dll
Filesize
268KB

MD5
96b6090bf24e2899e01346c995bd401b

SHA1
0aa75b06f61f3ebc20c8dbf93235f10f20ec83cb

SHA256
4e4543d3925202e350acdb39eac4f31bb255b4f934ab09504d36bd3ca6319279

SHA512
2f17052ecf0448994a7888c78f6121f0d104f8aa35cea568a9993cee6db4cd8c3aa4421dd7e7a940bfe5b0f2c65d22db046daccc354118a7045c763097965014

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\libcurl.dll
Filesize
268KB

MD5
96b6090bf24e2899e01346c995bd401b

SHA1
0aa75b06f61f3ebc20c8dbf93235f10f20ec83cb

SHA256
4e4543d3925202e350acdb39eac4f31bb255b4f934ab09504d36bd3ca6319279

SHA512
2f17052ecf0448994a7888c78f6121f0d104f8aa35cea568a9993cee6db4cd8c3aa4421dd7e7a940bfe5b0f2c65d22db046daccc354118a7045c763097965014

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\msvcr100.dll
Filesize
740KB

MD5
0e8888aadab9669d06f55767f2ccaf7b

SHA1
4a1917b4fbda7705782216594fc912e41e76465a

SHA256
43af6d081b5ded0bd3b1b269719b3a63400da25a805d46d579c4dd2a77861ba1

SHA512
66aea1fb8e3e205ae336c0d4dfc8c7a0b635b2f58be893bae47c04e55c128cec2c95cd377fea5ea33befe86b3af7e9dbf35dedd5a9aa5a8bca8b2dbdc5e55ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
memory/1280-130-0x0000000000000000-mapping.dmp

Download
memory/1280-138-0x0000000077840000-0x00000000779E3000-memory.dmp

Filesize
1.6MB

Download
memory/1280-133-0x0000000000330000-0x00000000008A0000-memory.dmp

Filesize
5.4MB

Download
memory/1280-161-0x0000000000330000-0x00000000008A0000-memory.dmp

Filesize
5.4MB

Download
memory/1280-162-0x0000000000330000-0x00000000008A0000-memory.dmp

Filesize
5.4MB

Download
memory/1280-163-0x0000000077840000-0x00000000779E3000-memory.dmp

Filesize
1.6MB

Download