fa587739cd100217ad8237008479e8b27826b6384dd5acc338753af2790026ee

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
21/11/2022, 13:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fa587739cd100217ad8237008479e8b27826b6384dd5acc338753af2790026ee.exe
Size

857KB
MD5

0a0ac38cb6945a87873eb043a1fa1340
SHA1

8b5fd9ef3b65da8b0b26a2dffcc550f49edb45fe
SHA256

fa587739cd100217ad8237008479e8b27826b6384dd5acc338753af2790026ee
SHA512

1e19ff3c25ec3e1901e13f838d99ec51ea627f196d3998f44bce0bb4cc9c322eaf095358e200079c4f1b90ba13592dd86f23141a2e49af643d25ba85ea096f57
SSDEEP

24576:aZmzHY2E0GmJBEs41omt0q8Fev48djbAZgN:iEEAn/OogtdXmgN

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fa587739cd100217ad8237008479e8b27826b6384dd5acc338753af2790026ee.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine	fa587739cd100217ad8237008479e8b27826b6384dd5acc338753af2790026ee.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1168	fa587739cd100217ad8237008479e8b27826b6384dd5acc338753af2790026ee.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1168	fa587739cd100217ad8237008479e8b27826b6384dd5acc338753af2790026ee.exe

C:\Users\Admin\AppData\Local\Temp\fa587739cd100217ad8237008479e8b27826b6384dd5acc338753af2790026ee.exe
"C:\Users\Admin\AppData\Local\Temp\fa587739cd100217ad8237008479e8b27826b6384dd5acc338753af2790026ee.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1168-54-0x0000000000400000-0x00000000005DD200-memory.dmp

Filesize
1.9MB

Download
memory/1168-55-0x0000000000400000-0x00000000005DD200-memory.dmp

Filesize
1.9MB

Download
memory/1168-56-0x0000000077550000-0x00000000776D0000-memory.dmp

Filesize
1.5MB

Download
memory/1168-57-0x0000000000400000-0x00000000005DD200-memory.dmp

Filesize
1.9MB

Download
memory/1168-58-0x0000000000400000-0x00000000005DD200-memory.dmp

Filesize
1.9MB

Download
memory/1168-59-0x0000000077550000-0x00000000776D0000-memory.dmp

Filesize
1.5MB

Download