f30a867942507beb73c0870195da6c4a5a937781c5e07c279ea2f0c1d391e9c5

Analysis

max time kernel
35s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f30a867942507beb73c0870195da6c4a5a937781c5e07c279ea2f0c1d391e9c5.exe
Size

1.8MB
MD5

3c24dd3aeecda6634fcd0795c9efad25
SHA1

f832dc72a0ee21f5b54097a8746b0720be450a16
SHA256

f30a867942507beb73c0870195da6c4a5a937781c5e07c279ea2f0c1d391e9c5
SHA512

6527c7fca467e89d777914608977d3c753e54b623f06c64d67df217ecc22d10f47b9d5e39626addd3f32a51c23b541d71d2d81a183270f00b8271f56ee41df48
SSDEEP

49152:EgPY/gWJU8inIxGt+WbgMLz/oB88QkaoY2TQ1K9f0JDMG:iiIAt+GDLz/Q9aoC1KuJDM

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f30a867942507beb73c0870195da6c4a5a937781c5e07c279ea2f0c1d391e9c5.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E67FEB99.lnk	f30a867942507beb73c0870195da6c4a5a937781c5e07c279ea2f0c1d391e9c5.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Wine	f30a867942507beb73c0870195da6c4a5a937781c5e07c279ea2f0c1d391e9c5.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1928	f30a867942507beb73c0870195da6c4a5a937781c5e07c279ea2f0c1d391e9c5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1928	f30a867942507beb73c0870195da6c4a5a937781c5e07c279ea2f0c1d391e9c5.exe

C:\Users\Admin\AppData\Local\Temp\f30a867942507beb73c0870195da6c4a5a937781c5e07c279ea2f0c1d391e9c5.exe
"C:\Users\Admin\AppData\Local\Temp\f30a867942507beb73c0870195da6c4a5a937781c5e07c279ea2f0c1d391e9c5.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops startup file
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1928-54-0x0000000000400000-0x0000000000776000-memory.dmp

Filesize
3.5MB

Download
memory/1928-55-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/1928-56-0x0000000077AC0000-0x0000000077C40000-memory.dmp

Filesize
1.5MB

Download
memory/1928-57-0x0000000000400000-0x0000000000776000-memory.dmp

Filesize
3.5MB

Download
memory/1928-58-0x0000000000400000-0x0000000000776000-memory.dmp

Filesize
3.5MB

Download
memory/1928-59-0x0000000077AC0000-0x0000000077C40000-memory.dmp

Filesize
1.5MB

Download