c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72

Analysis

max time kernel
133s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe
Size

5.2MB
MD5

49c379918af59eccf4ae0fa66a641582
SHA1

e8f91ee61a3704670fd174f296c4fa0c7e166533
SHA256

c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72
SHA512

043606de8f7f160cafb58d742a7a45dc3b7b37eccc7581489ca1148aa1bbfab36229ed454d9f5a98544995ee03731ac62448b89db925ccdddae73ee82ae56298
SSDEEP

98304:ooBAkdr72GZAG/wK3EDOxmDITSKKjzxsFL/LfSMI5d2VWsN67GnYP3OKa:ooBAkh72GK4w+eOwDeSRfgb+KWsN6Cn7

Score

9^/10

evasion persistence

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Wine	c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\indice = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe"	c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe

pid process

1004 c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe

pid	process
1004	c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe
1004	c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe
1004	c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe
1004	c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe
1004	c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe

pid process

1004 c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe

C:\Users\Admin\AppData\Local\Temp\c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe
"C:\Users\Admin\AppData\Local\Temp\c4e3b5845fcb50f348a4bc74d01584a1d14654a23202fb9fa89738cc8e707e72.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1004-54-0x0000000000400000-0x0000000000CE9000-memory.dmp

Filesize
8.9MB

Download
memory/1004-55-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1004-56-0x0000000077610000-0x0000000077790000-memory.dmp

Filesize
1.5MB

Download
memory/1004-57-0x0000000000400000-0x0000000000CE9000-memory.dmp

Filesize
8.9MB

Download
memory/1004-58-0x0000000000400000-0x0000000000CE9000-memory.dmp

Filesize
8.9MB

Download
memory/1004-59-0x0000000077610000-0x0000000077790000-memory.dmp

Filesize
1.5MB

Download