71c2d5981f47cae1a23c89835ae21f641f1134e1b0ae5d062f449a1b69fa8bd8

General

Target

----˵˵5.0/----˵˵5.0.exe
Size

2.6MB
MD5

36c779d08c223b155a73442b602da82d
SHA1

0293101e8811600b4e9dc8e37944f86dfaa8ab65
SHA256

8d87c5e5a3bb2b16bc09dc6ed72dd3245cb28fc2f58d1c664365c7a244231745
SHA512

a7054af4f696eb211c79024190681de529e776c5c70db7452f3df0a2194e135ca65f38a27ca2c0d596aaecb30a7321976a0c5c290adbc41738840870d9d45910
SSDEEP

49152:5HzO9vwYkZIilK7cYFIEdZVzuqAzw7rhVTrYsNribXGjTeI/iUtk+VBX5u:5Hq9vwYkKilAcYF1HVDAzYrhV3YoSXGp

Score

9^/10

evasion upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	----˵˵5.0.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4752-133-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-135-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-136-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-139-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-141-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-143-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-145-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-151-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-149-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-147-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-153-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-155-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-157-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-159-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-161-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-163-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-165-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-167-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-169-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-171-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-173-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-175-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-177-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-178-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4752-182-0x0000000010000000-0x000000001003F000-memory.dmp	upx

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Wine	----˵˵5.0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4752	----˵˵5.0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4752	----˵˵5.0.exe
4752	----˵˵5.0.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4752	----˵˵5.0.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4752	----˵˵5.0.exe
4752	----˵˵5.0.exe
4752	----˵˵5.0.exe
4752	----˵˵5.0.exe
4752	----˵˵5.0.exe
4752	----˵˵5.0.exe
4752	----˵˵5.0.exe

C:\Users\Admin\AppData\Local\Temp\----˵˵5.0\----˵˵5.0.exe
"C:\Users\Admin\AppData\Local\Temp\----˵˵5.0\----˵˵5.0.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4752-132-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download
memory/4752-134-0x0000000077590000-0x0000000077733000-memory.dmp

Filesize
1.6MB

Download
memory/4752-133-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-137-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download
memory/4752-135-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-136-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-139-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-141-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-143-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-145-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-151-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-149-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-147-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-153-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-155-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-157-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-159-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-161-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-163-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-165-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-167-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-169-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-171-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-173-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-175-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-177-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-178-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4752-179-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download
memory/4752-180-0x0000000077590000-0x0000000077733000-memory.dmp

Filesize
1.6MB

Download
memory/4752-181-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download
memory/4752-182-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads