Overview

overview

9

Static

static

7ab6d49b35...f0.exe

windows7-x64

9

7ab6d49b35...f0.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    176s
  • max time network
    209s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 13:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0.exe

  • Size

    1.3MB

  • MD5

    228507635e59a9136b555610d081fea4

  • SHA1

    78eea80b3be3ddeb90b7324ca5a9f7287de62718

  • SHA256

    7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0

  • SHA512

    5cc3b12d14492b1beec03c980bbbc3061dea4913df1354a5c9496caf3fde5c58c82ab8e5d326f641d20dd0e6070fe0b384fef54843908c22e94f407784065f79

  • SSDEEP

    24576:tEOFPZNf4foo2+9BTE6qLa4uUuCS6L7WxOTOCKvAaic+ip9ryq9MW/mS5pqYYTv:tTZ14fvZ/89uDCGMTOCKvAtHeN/t574v

Score
9/10
evasion

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0.exe
    "C:\Users\Admin\AppData\Local\Temp\7ab6d49b35535dbe8e786f46d6ab678a380e1c03bbff6b697ccbbdf5afea27f0.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Users\Admin\AppData\Local\Temp\Valkyrie.exe
      "C:\Users\Admin\AppData\Local\Temp\Valkyrie.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:5004

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Valkyrie.exe
    Filesize

    1.2MB

    MD5

    ff8c1478bf136ee1ef61b7c7e6631909

    SHA1

    ea713a198755e1e1b1fdbb967c0bbbdf837c5de1

    SHA256

    d4b04cf64d1e6719385244f18a264147f0aa39a7ea5fe6e7115c436aa9e077d5

    SHA512

    c7f4733daa1ec747049444fc7a9775a194f0d85ab95a78172a974554d80e1ebe441289531e43ac2f0141a6bef878bbb1c8438b5e97d12c830ae35872b3b21dc3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Valkyrie.exe
    Filesize

    1.2MB

    MD5

    ff8c1478bf136ee1ef61b7c7e6631909

    SHA1

    ea713a198755e1e1b1fdbb967c0bbbdf837c5de1

    SHA256

    d4b04cf64d1e6719385244f18a264147f0aa39a7ea5fe6e7115c436aa9e077d5

    SHA512

    c7f4733daa1ec747049444fc7a9775a194f0d85ab95a78172a974554d80e1ebe441289531e43ac2f0141a6bef878bbb1c8438b5e97d12c830ae35872b3b21dc3

    Download Submit

  • memory/548-132-0x0000000000400000-0x000000000058E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/548-138-0x0000000000400000-0x000000000058E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/5004-133-0x0000000000000000-mapping.dmp

    Download

  • memory/5004-136-0x0000000000400000-0x00000000006D0000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/5004-137-0x0000000000400000-0x00000000006D0000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/5004-139-0x0000000076F80000-0x0000000077123000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/5004-140-0x0000000000400000-0x00000000006D0000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/5004-141-0x0000000076F80000-0x0000000077123000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/5004-142-0x0000000000400000-0x00000000006D0000-memory.dmp

    Filesize

    2.8MB

    Download