Overview

overview

9

Static

static

eb0deb2560...8e.exe

windows7-x64

9

eb0deb2560...8e.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    268s
  • max time network
    295s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 06:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb0deb25600ed4bd927e310f825278f412178e91523c38215555ef5f55aa568e.exe

  • Size

    1.8MB

  • MD5

    844ae729e51154cd161ecc3b9addc20d

  • SHA1

    93f671334d4838cd6e3f632dd21dfae47fc742b5

  • SHA256

    eb0deb25600ed4bd927e310f825278f412178e91523c38215555ef5f55aa568e

  • SHA512

    cf5324caf2aef459afd2630a0b4f8fff6a6e8e10c0bfa16c58de9a0c3832ae1179bb8b745b18f2641516d319b285dd44e7b64a7b27e1723b8cc19cd3593e19cd

  • SSDEEP

    49152:Vb9j4giaUnc+cKsyn1bnen3gjAX61cVwmc+UmHkK7OSlzS:jBiaUnc/Kh1benQm614wIUmEPSlzS

Score
9/10
evasionspywarestealertrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb0deb25600ed4bd927e310f825278f412178e91523c38215555ef5f55aa568e.exe
    "C:\Users\Admin\AppData\Local\Temp\eb0deb25600ed4bd927e310f825278f412178e91523c38215555ef5f55aa568e.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3068
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    1⤵
      PID:2952
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
      1⤵
        PID:3724

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Virtualization/Sandbox Evasion

      2
      T1497

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      3
      T1012

      Virtualization/Sandbox Evasion

      2
      T1497

      System Information Discovery

      3
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3068-132-0x0000000000400000-0x00000000017FC000-memory.dmp
        Filesize

        20.0MB

        Download
      • memory/3068-133-0x0000000077440000-0x00000000775E3000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3068-134-0x0000000000400000-0x00000000017FC000-memory.dmp
        Filesize

        20.0MB

        Download
      • memory/3068-135-0x0000000077440000-0x00000000775E3000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3068-136-0x0000000000400000-0x00000000017FC000-memory.dmp
        Filesize

        20.0MB

        Download