7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0

General

Target

7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0.exe
Size

1.3MB
MD5

228507635e59a9136b555610d081fea4
SHA1

78eea80b3be3ddeb90b7324ca5a9f7287de62718
SHA256

7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0
SHA512

5cc3b12d14492b1beec03c980bbbc3061dea4913df1354a5c9496caf3fde5c58c82ab8e5d326f641d20dd0e6070fe0b384fef54843908c22e94f407784065f79
SSDEEP

24576:tEOFPZNf4foo2+9BTE6qLa4uUuCS6L7WxOTOCKvAaic+ip9ryq9MW/mS5pqYYTv:tTZ14fvZ/89uDCGMTOCKvAtHeN/t574v

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Valkyrie.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Valkyrie.exe
Executes dropped EXE 1 IoCs

Processes:

Valkyrie.exe

pid process

856 Valkyrie.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Valkyrie.exe

pid	process
856	Valkyrie.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Valkyrie.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Wine Valkyrie.exe
Loads dropped DLL 1 IoCs

Processes:

7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0.exe

pid process

2044 7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Valkyrie.exe

pid process

856 Valkyrie.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Wine	Valkyrie.exe

pid	process
856	Valkyrie.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0.exeValkyrie.exe

pid	process
2044	7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0.exe
2044	7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0.exe
2044	7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe
856	Valkyrie.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Valkyrie.exe

description pid process

Token: SeDebugPrivilege 856 Valkyrie.exe

description	pid	process
Token: SeDebugPrivilege	856	Valkyrie.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0.exe

description	pid	process	target process
PID 2044 wrote to memory of 856	2044	7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0.exe	Valkyrie.exe
PID 2044 wrote to memory of 856	2044	7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0.exe	Valkyrie.exe
PID 2044 wrote to memory of 856	2044	7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0.exe	Valkyrie.exe
PID 2044 wrote to memory of 856	2044	7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0.exe	Valkyrie.exe

C:\Users\Admin\AppData\Local\Temp\7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0.exe
"C:\Users\Admin\AppData\Local\Temp\7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\Valkyrie.exe
  "C:\Users\Admin\AppData\Local\Temp\Valkyrie.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Valkyrie.exe

Filesize
1.2MB

MD5
ff8c1478bf136ee1ef61b7c7e6631909

SHA1
ea713a198755e1e1b1fdbb967c0bbbdf837c5de1

SHA256
d4b04cf64d1e6719385244f18a264147f0aa39a7ea5fe6e7115c436aa9e077d5

SHA512
c7f4733daa1ec747049444fc7a9775a194f0d85ab95a78172a974554d80e1ebe441289531e43ac2f0141a6bef878bbb1c8438b5e97d12c830ae35872b3b21dc3

Download Submit
\Users\Admin\AppData\Local\Temp\Valkyrie.exe

Filesize
1.2MB

MD5
ff8c1478bf136ee1ef61b7c7e6631909

SHA1
ea713a198755e1e1b1fdbb967c0bbbdf837c5de1

SHA256
d4b04cf64d1e6719385244f18a264147f0aa39a7ea5fe6e7115c436aa9e077d5

SHA512
c7f4733daa1ec747049444fc7a9775a194f0d85ab95a78172a974554d80e1ebe441289531e43ac2f0141a6bef878bbb1c8438b5e97d12c830ae35872b3b21dc3

Download Submit
memory/856-60-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/856-57-0x0000000000000000-mapping.dmp

Download
memory/856-62-0x0000000077B10000-0x0000000077C90000-memory.dmp

Filesize
1.5MB

Download
memory/856-63-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/856-65-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/856-66-0x0000000077B10000-0x0000000077C90000-memory.dmp

Filesize
1.5MB

Download
memory/856-68-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/2044-59-0x0000000003830000-0x0000000003B00000-memory.dmp

Filesize
2.8MB

Download
memory/2044-55-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2044-54-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/2044-64-0x0000000003830000-0x0000000003B00000-memory.dmp

Filesize
2.8MB

Download
memory/2044-67-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads