ce53424db115fa951e62000ecfd0986fc5a141b1b4b0e5f8c213dafcf365e720

Analysis

max time kernel
309s
max time network
420s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce53424db115fa951e62000ecfd0986fc5a141b1b4b0e5f8c213dafcf365e720.exe
Size

5.6MB
MD5

ec52fc8c8d6c3b1e423d02b429818787
SHA1

b38d428a63d959a95ef296ef52218e7bcbf49d9b
SHA256

ce53424db115fa951e62000ecfd0986fc5a141b1b4b0e5f8c213dafcf365e720
SHA512

5035ebea06bb4c2739aaa8421d07b93e4e96b87776f272a1e36892f6392b7ad60eba1eab0bdc0584cddbbd88873af736032462491fd0439ae625cd345fd5df92
SSDEEP

98304:8fFQB3bYB9iogdtQoWIZYaRK9u2s3suPJF+U2ceIzxIbkV+VRn4+GX7f6wnz6PMq:8fFQF+9io4II/GlXq4bcXzx/+X4pr6QO

Score

9^/10

evasion spyware stealer trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

ce53424db115fa951e62000ecfd0986fc5a141b1b4b0e5f8c213dafcf365e720.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ce53424db115fa951e62000ecfd0986fc5a141b1b4b0e5f8c213dafcf365e720.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ce53424db115fa951e62000ecfd0986fc5a141b1b4b0e5f8c213dafcf365e720.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ce53424db115fa951e62000ecfd0986fc5a141b1b4b0e5f8c213dafcf365e720.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ce53424db115fa951e62000ecfd0986fc5a141b1b4b0e5f8c213dafcf365e720.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ce53424db115fa951e62000ecfd0986fc5a141b1b4b0e5f8c213dafcf365e720.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ce53424db115fa951e62000ecfd0986fc5a141b1b4b0e5f8c213dafcf365e720.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ce53424db115fa951e62000ecfd0986fc5a141b1b4b0e5f8c213dafcf365e720.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

ce53424db115fa951e62000ecfd0986fc5a141b1b4b0e5f8c213dafcf365e720.exe

pid process

288 ce53424db115fa951e62000ecfd0986fc5a141b1b4b0e5f8c213dafcf365e720.exe

pid	process
288	ce53424db115fa951e62000ecfd0986fc5a141b1b4b0e5f8c213dafcf365e720.exe

C:\Users\Admin\AppData\Local\Temp\ce53424db115fa951e62000ecfd0986fc5a141b1b4b0e5f8c213dafcf365e720.exe
"C:\Users\Admin\AppData\Local\Temp\ce53424db115fa951e62000ecfd0986fc5a141b1b4b0e5f8c213dafcf365e720.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/288-55-0x0000000076DC0000-0x0000000076F69000-memory.dmp

Filesize
1.7MB

Download
memory/288-54-0x000000013F070000-0x000000013FF4B000-memory.dmp

Filesize
14.9MB

Download
memory/288-56-0x000000013F070000-0x000000013FF4B000-memory.dmp

Filesize
14.9MB

Download
memory/288-57-0x000000013F070000-0x000000013FF4B000-memory.dmp

Filesize
14.9MB

Download
memory/288-58-0x000000013F070000-0x000000013FF4B000-memory.dmp

Filesize
14.9MB

Download
memory/288-59-0x000000013F070000-0x000000013FF4B000-memory.dmp

Filesize
14.9MB

Download
memory/288-60-0x000000013F070000-0x000000013FF4B000-memory.dmp

Filesize
14.9MB

Download
memory/288-61-0x000000013F070000-0x000000013FF4B000-memory.dmp

Filesize
14.9MB

Download
memory/288-62-0x000000013F070000-0x000000013FF4B000-memory.dmp

Filesize
14.9MB

Download
memory/288-63-0x000000013F070000-0x000000013FF4B000-memory.dmp

Filesize
14.9MB

Download
memory/288-64-0x0000000076DC0000-0x0000000076F69000-memory.dmp

Filesize
1.7MB

Download