52e5753e9bc002e71b33e6b72582f7d69e5723e95c61e1d75a2b6e6956328428

General

Target

52e5753e9bc002e71b33e6b72582f7d69e5723e95c61e1d75a2b6e6956328428.exe
Size

17.2MB
MD5

485a218bdbfdc337875498281ac02f3c
SHA1

8ecfaf2f07710b3ef4173bd6c1919d0f7c829b09
SHA256

52e5753e9bc002e71b33e6b72582f7d69e5723e95c61e1d75a2b6e6956328428
SHA512

2d3ab0b00b73736d58c5bcc419c7cbd3261a467a7d6839f0c81352e6518ffa73e9df99bbe78b1dd56d5960532fe3f176a916f7d7fc2d95d51b5c848a4f79f540
SSDEEP

393216:KK8SMs7UPwyGg9UaC2FSiAcWhsCRpKV6rAS5Cy04WyuAHdfyW8:tAwyGIUaC2S9cwsGQAMOCUHDQN

Score

9^/10

evasion upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cfÈý½ðV6.2.exe

Executes dropped EXE 2 IoCs

pid	Process
1488	cfÈý½ðV6.2.exe
1536	dl.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1488-144-0x0000000005CC0000-0x0000000005D32000-memory.dmp	upx
behavioral2/memory/1488-146-0x0000000005CC0000-0x0000000005D32000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	52e5753e9bc002e71b33e6b72582f7d69e5723e95c61e1d75a2b6e6956328428.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine	cfÈý½ðV6.2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1488	cfÈý½ðV6.2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1488	cfÈý½ðV6.2.exe
1488	cfÈý½ðV6.2.exe
1488	cfÈý½ðV6.2.exe
1488	cfÈý½ðV6.2.exe
1488	cfÈý½ðV6.2.exe
1488	cfÈý½ðV6.2.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1536	dl.exe
1488	cfÈý½ðV6.2.exe
1488	cfÈý½ðV6.2.exe
1536	dl.exe
1536	dl.exe
1488	cfÈý½ðV6.2.exe
1488	cfÈý½ðV6.2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 1488	5080	52e5753e9bc002e71b33e6b72582f7d69e5723e95c61e1d75a2b6e6956328428.exe	82
PID 5080 wrote to memory of 1488	5080	52e5753e9bc002e71b33e6b72582f7d69e5723e95c61e1d75a2b6e6956328428.exe	82
PID 5080 wrote to memory of 1488	5080	52e5753e9bc002e71b33e6b72582f7d69e5723e95c61e1d75a2b6e6956328428.exe	82
PID 5080 wrote to memory of 1536	5080	52e5753e9bc002e71b33e6b72582f7d69e5723e95c61e1d75a2b6e6956328428.exe	83
PID 5080 wrote to memory of 1536	5080	52e5753e9bc002e71b33e6b72582f7d69e5723e95c61e1d75a2b6e6956328428.exe	83
PID 5080 wrote to memory of 1536	5080	52e5753e9bc002e71b33e6b72582f7d69e5723e95c61e1d75a2b6e6956328428.exe	83

C:\Users\Admin\AppData\Local\Temp\52e5753e9bc002e71b33e6b72582f7d69e5723e95c61e1d75a2b6e6956328428.exe
"C:\Users\Admin\AppData\Local\Temp\52e5753e9bc002e71b33e6b72582f7d69e5723e95c61e1d75a2b6e6956328428.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\Local\Temp\cfÈý½ðV6.2.exe
  "C:\Users\Admin\AppData\Local\Temp\cfÈý½ðV6.2.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1488
- C:\Users\Admin\AppData\Local\Temp\dl.exe
  "C:\Users\Admin\AppData\Local\Temp\dl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cfÈý½ðV6.2.exe

Filesize
15.7MB

MD5
55a54cb933cab69c308c5a0f76322e55

SHA1
180b90b604dd7cde67b1ad969a73967d716f4aad

SHA256
0ebe9ff79bb2dbca9b1946c5b418c3b184f4d38f5f438f44fec874d60627a31b

SHA512
6b05404d5723130798dfd8e622de9920282a7875f7eaf58dbf476b4db1c3d2954c53a3feb718740efd53e1b455b592fd69a61779537145453c7723fbc50276a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfÈý½ðV6.2.exe

Filesize
15.7MB

MD5
55a54cb933cab69c308c5a0f76322e55

SHA1
180b90b604dd7cde67b1ad969a73967d716f4aad

SHA256
0ebe9ff79bb2dbca9b1946c5b418c3b184f4d38f5f438f44fec874d60627a31b

SHA512
6b05404d5723130798dfd8e622de9920282a7875f7eaf58dbf476b4db1c3d2954c53a3feb718740efd53e1b455b592fd69a61779537145453c7723fbc50276a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dl.exe

Filesize
32KB

MD5
aced796f88cbc02297c0b71d53ba37a7

SHA1
42a3782fc6d2ef30747e040f794894c75e799bb3

SHA256
7dcbb23d270585bf15d5c8200867233f37cdfa146b82f1ff33d65290ffed1aaa

SHA512
2b2a6aa9b274ccf51ce9d6caab9c34e60248aa3bf660b42e1a190b4f25c0b54d690e88a972b8905a826237e0826b72b59817457e2499424ab5ad2568a4a44e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\dl.exe

Filesize
32KB

MD5
aced796f88cbc02297c0b71d53ba37a7

SHA1
42a3782fc6d2ef30747e040f794894c75e799bb3

SHA256
7dcbb23d270585bf15d5c8200867233f37cdfa146b82f1ff33d65290ffed1aaa

SHA512
2b2a6aa9b274ccf51ce9d6caab9c34e60248aa3bf660b42e1a190b4f25c0b54d690e88a972b8905a826237e0826b72b59817457e2499424ab5ad2568a4a44e08

Download Submit
memory/1488-141-0x0000000000400000-0x0000000001689000-memory.dmp

Filesize
18.5MB

Download
memory/1488-143-0x0000000077770000-0x0000000077913000-memory.dmp

Filesize
1.6MB

Download
memory/1488-144-0x0000000005CC0000-0x0000000005D32000-memory.dmp

Filesize
456KB

Download
memory/1488-145-0x0000000000400000-0x0000000001689000-memory.dmp

Filesize
18.5MB

Download
memory/1488-146-0x0000000005CC0000-0x0000000005D32000-memory.dmp

Filesize
456KB

Download
memory/1488-147-0x0000000000400000-0x0000000001689000-memory.dmp

Filesize
18.5MB

Download
memory/1488-148-0x0000000077770000-0x0000000077913000-memory.dmp

Filesize
1.6MB

Download
memory/5080-132-0x0000000000400000-0x00000000015360D0-memory.dmp

Filesize
17.2MB

Download
memory/5080-139-0x0000000000400000-0x00000000015360D0-memory.dmp

Filesize
17.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads