7bed3ad93b19db82b353027a3faa0d7c73a08a49fbfff9991b71e4c0579c6dfe

General

Target

7bed3ad93b19db82b353027a3faa0d7c73a08a49fbfff9991b71e4c0579c6dfe.exe
Size

8.2MB
MD5

5314f9b66878db3fc8733be0a5890d7f
SHA1

2fda2c33e079041a9acbebe186bd6db616c7be0d
SHA256

7bed3ad93b19db82b353027a3faa0d7c73a08a49fbfff9991b71e4c0579c6dfe
SHA512

4bc72d360f906828537e5a0321bec74d97d53537fe720b5a7f0ab508dc3b887b6e7c6cb7ee5a387d079357d50ddee8baab768573d5a939a5ac385b7a429d1bb4
SSDEEP

98304:Tg8NoaGCGg0pL2OIUvKZa3ZnaGgux4QrPSNAPzpUCu+8PCvOLMtqlrynFQyfoIod:TN1m9vGapaGHrXzpUCelcIkPQIot96

Score

9^/10

evasion upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	£°£¶£°£¶.exe

Executes dropped EXE 3 IoCs

pid	Process
560	£°£¶£°£¶.exe
400	dns.exe
4640	~kjqhsls.vbe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000022e20-136.dat	upx
behavioral2/files/0x0009000000022e20-137.dat	upx
behavioral2/memory/400-143-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/560-146-0x0000000005420000-0x0000000005491000-memory.dmp	upx
behavioral2/memory/400-147-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/560-148-0x0000000005420000-0x0000000005491000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	7bed3ad93b19db82b353027a3faa0d7c73a08a49fbfff9991b71e4c0579c6dfe.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine	£°£¶£°£¶.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/400-143-0x0000000000400000-0x00000000004C4000-memory.dmp	autoit_exe
behavioral2/memory/400-147-0x0000000000400000-0x00000000004C4000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dns.vbe	dns.exe
File created	C:\Windows\SysWOW64\dns.vbe	dns.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
560	£°£¶£°£¶.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2228	560	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
560	£°£¶£°£¶.exe
560	£°£¶£°£¶.exe
400	dns.exe
400	dns.exe
400	dns.exe
400	dns.exe
400	dns.exe
400	dns.exe
400	dns.exe
400	dns.exe
400	dns.exe
400	dns.exe
400	dns.exe
400	dns.exe
400	dns.exe
400	dns.exe
400	dns.exe
400	dns.exe
560	£°£¶£°£¶.exe
560	£°£¶£°£¶.exe
400	dns.exe
400	dns.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
560	£°£¶£°£¶.exe
560	£°£¶£°£¶.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 560	3520	7bed3ad93b19db82b353027a3faa0d7c73a08a49fbfff9991b71e4c0579c6dfe.exe	80
PID 3520 wrote to memory of 560	3520	7bed3ad93b19db82b353027a3faa0d7c73a08a49fbfff9991b71e4c0579c6dfe.exe	80
PID 3520 wrote to memory of 560	3520	7bed3ad93b19db82b353027a3faa0d7c73a08a49fbfff9991b71e4c0579c6dfe.exe	80
PID 3520 wrote to memory of 400	3520	7bed3ad93b19db82b353027a3faa0d7c73a08a49fbfff9991b71e4c0579c6dfe.exe	81
PID 3520 wrote to memory of 400	3520	7bed3ad93b19db82b353027a3faa0d7c73a08a49fbfff9991b71e4c0579c6dfe.exe	81
PID 3520 wrote to memory of 400	3520	7bed3ad93b19db82b353027a3faa0d7c73a08a49fbfff9991b71e4c0579c6dfe.exe	81
PID 400 wrote to memory of 4640	400	dns.exe	82
PID 400 wrote to memory of 4640	400	dns.exe	82
PID 400 wrote to memory of 4640	400	dns.exe	82

C:\Users\Admin\AppData\Local\Temp\7bed3ad93b19db82b353027a3faa0d7c73a08a49fbfff9991b71e4c0579c6dfe.exe
"C:\Users\Admin\AppData\Local\Temp\7bed3ad93b19db82b353027a3faa0d7c73a08a49fbfff9991b71e4c0579c6dfe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Users\Admin\AppData\Local\Temp\£°£¶£°£¶.exe
  "C:\Users\Admin\AppData\Local\Temp\£°£¶£°£¶.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 1004
    3⤵
    - Program crash
    PID:2228
- C:\Users\Admin\AppData\Local\Temp\dns.exe
  "C:\Users\Admin\AppData\Local\Temp\dns.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Users\Admin\AppData\Local\Temp\~kjqhsls.vbe
    "C:\Users\Admin\AppData\Local\Temp\~kjqhsls.vbe" "C:\Windows\SysWOW64\dns.vbe"
    3⤵
    - Executes dropped EXE
    PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 560 -ip 560
1⤵
PID:5016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dns.exe

Filesize
411KB

MD5
e45e27446fe4bb66a6a9226414794ea0

SHA1
5e0676807b5ce74748e2201d861e7a16e855c448

SHA256
042fe3dc806396e06bbe307edfad4de4728f5af72820ae2e3fc4a22d63644bf5

SHA512
b1fc39be0b645272446e01a9bb17814c93299363335856a1154c331c6cd95a07270a04cdf514755ca9851acb6377a984084e6efa991a7a30a3997171baeba605

Download Submit
C:\Users\Admin\AppData\Local\Temp\dns.exe

Filesize
411KB

MD5
e45e27446fe4bb66a6a9226414794ea0

SHA1
5e0676807b5ce74748e2201d861e7a16e855c448

SHA256
042fe3dc806396e06bbe307edfad4de4728f5af72820ae2e3fc4a22d63644bf5

SHA512
b1fc39be0b645272446e01a9bb17814c93299363335856a1154c331c6cd95a07270a04cdf514755ca9851acb6377a984084e6efa991a7a30a3997171baeba605

Download Submit
C:\Users\Admin\AppData\Local\Temp\~kjqhsls.vbe

Filesize
138KB

MD5
d1ab72db2bedd2f255d35da3da0d4b16

SHA1
860265276b29b42b8c4b077e5c651def9c81b6e9

SHA256
047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0

SHA512
b46830742eebc85e731c14f7dc72cc6734fcc79aab46f6080c95589c438c4cca0a069027badc0a8a78e4deeb31cdf38df3d63db679b793212a32efdad7bb8185

Download Submit
C:\Users\Admin\AppData\Local\Temp\~kjqhsls.vbe

Filesize
138KB

MD5
d1ab72db2bedd2f255d35da3da0d4b16

SHA1
860265276b29b42b8c4b077e5c651def9c81b6e9

SHA256
047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0

SHA512
b46830742eebc85e731c14f7dc72cc6734fcc79aab46f6080c95589c438c4cca0a069027badc0a8a78e4deeb31cdf38df3d63db679b793212a32efdad7bb8185

Download Submit
C:\Users\Admin\AppData\Local\Temp\£°£¶£°£¶.exe

Filesize
7.8MB

MD5
16ff4b62d43bbf6a9f28cbcda002a7c2

SHA1
eee991d06c2e0b512a226e05440c8026f8d49e89

SHA256
bba918fefc6eb57ea5bde40b4744888a2dee4751cdf559b525073677e1643ec7

SHA512
5fd0467660983360dbe929b19e9abef3ae4dc57da80c0c8b62f58bb98bd84af520c7993360ce4d1ad05770c4e4f05dea5f9cc47a987e263c82b32fbe5929d8cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\£°£¶£°£¶.exe

Filesize
7.8MB

MD5
16ff4b62d43bbf6a9f28cbcda002a7c2

SHA1
eee991d06c2e0b512a226e05440c8026f8d49e89

SHA256
bba918fefc6eb57ea5bde40b4744888a2dee4751cdf559b525073677e1643ec7

SHA512
5fd0467660983360dbe929b19e9abef3ae4dc57da80c0c8b62f58bb98bd84af520c7993360ce4d1ad05770c4e4f05dea5f9cc47a987e263c82b32fbe5929d8cd

Download Submit
C:\Windows\SysWOW64\dns.vbe

Filesize
752B

MD5
4d566e5d0f61678147812b9f3e677c42

SHA1
53646b8d2239a31f8ab173b75356fe2aabdd1087

SHA256
426a59e454b8b7329f3dbb356bbdb5e3cbe5e8bc97abfe5b8c8f63a85b30e3ff

SHA512
ad69478b4a0b3148436da1e315ce7f9115284ef2b7d70bbc7bd7745852f65db126ad6a37b4d3977c482af6405b03077103059146ad171eab430632725217d70d

Download Submit
memory/400-147-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/400-143-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/560-138-0x0000000000400000-0x0000000000F43000-memory.dmp

Filesize
11.3MB

Download
memory/560-144-0x00000000773C0000-0x0000000077563000-memory.dmp

Filesize
1.6MB

Download
memory/560-145-0x0000000000400000-0x0000000000F43000-memory.dmp

Filesize
11.3MB

Download
memory/560-146-0x0000000005420000-0x0000000005491000-memory.dmp

Filesize
452KB

Download
memory/560-148-0x0000000005420000-0x0000000005491000-memory.dmp

Filesize
452KB

Download
memory/560-149-0x0000000000400000-0x0000000000F43000-memory.dmp

Filesize
11.3MB

Download
memory/560-150-0x00000000773C0000-0x0000000077563000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads