Analysis
- max time kernel: 44s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 19:18
Behavioral task: behavioral1
- Sample: eb7077dfc703f04833e949eb097b1eeba23fa5d15acde3dc1323db0fc54e433a.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: eb7077dfc703f04833e949eb097b1eeba23fa5d15acde3dc1323db0fc54e433a.exe
- Resource: win10v2004-20221111-en
General
- Target: eb7077dfc703f04833e949eb097b1eeba23fa5d15acde3dc1323db0fc54e433a.exe
- Size: 4.3MB
- MD5: c018e236df1b2de9c3f60276b78fdccf
- SHA1: 412f56aa0096a4aa91105c2df8940279e5b06487
- SHA256: eb7077dfc703f04833e949eb097b1eeba23fa5d15acde3dc1323db0fc54e433a
- SHA512: 814029f49c30dc228a04271e78f0b25f320534694a5cb5f3f8cc73917be4e4dca37af2025f5ba88d1a9fc11815a6c2ffd53a9fc0ac5c012c58f2decc6d525c09
- SSDEEP: 98304:x1lYHpNeV/riwz58R42is6e3RXjOWDucCnp1DA9sv7o2s2kbsUOEGx4VKP3Q9Oh8:4djjqPdDsDbsU0akJyxL405+fiX
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 1 IoC]
  Process eb7077dfc703f04833e949eb097b1eeba23fa5d15acde3dc1323db0fc54e433a.exe:
    Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- Checks BIOS information in registry [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Process eb7077dfc703f04833e949eb097b1eeba23fa5d15acde3dc1323db0fc54e433a.exe:
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Identifies Wine through registry keys [2 TTPs, 1 IoC]
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Process eb7077dfc703f04833e949eb097b1eeba23fa5d15acde3dc1323db0fc54e433a.exe:
    Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine
- Loads dropped DLL [1 IoC]
  Process: PID 1264, eb7077dfc703f04833e949eb097b1eeba23fa5d15acde3dc1323db0fc54e433a.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoC]
  Process: PID 1264, eb7077dfc703f04833e949eb097b1eeba23fa5d15acde3dc1323db0fc54e433a.exe
- Suspicious behavior: EnumeratesProcesses [1 IoC]
  Process: PID 1264, eb7077dfc703f04833e949eb097b1eeba23fa5d15acde3dc1323db0fc54e433a.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\eb7077dfc703f04833e949eb097b1eeba23fa5d15acde3dc1323db0fc54e433a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb7077dfc703f04833e949eb097b1eeba23fa5d15acde3dc1323db0fc54e433a.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\f690d5bb-6a3e-4700-84fa-ac236253a73e\AgileDotNetRT.dll
  Filesize: 1.0MB
  MD5: d2340ef740ece066503d415beb9ac276
  SHA1: 25a859b812ff4e5dd57150964ffea1de7b4d24f2
  SHA256: 1e1b9669fd464401e53fbed81ec00e2af926b75ae8b7c6987709cc281c85f1af
  SHA512: e248ab2edd7a83557d57deae826fa3f0da0ec1ec2806599b239a320535f937eb5806ba962e5e7daa5bd0fb634e8b4b104e25a898ba0804857c3e7362c98106c7
Memory dumps (PID 1264):
- memory/1264-54-0x0000000075601000-0x0000000075603000-memory.dmp, filesize 8KB
- memory/1264-57-0x0000000074500000-0x0000000074AAB000-memory.dmp, filesize 5.7MB
- memory/1264-58-0x0000000072950000-0x0000000072C44000-memory.dmp, filesize 3.0MB
- memory/1264-59-0x0000000077340000-0x00000000774C0000-memory.dmp, filesize 1.5MB
- memory/1264-60-0x0000000074500000-0x0000000074AAB000-memory.dmp, filesize 5.7MB
- memory/1264-61-0x0000000072950000-0x0000000072C44000-memory.dmp, filesize 3.0MB
- memory/1264-62-0x0000000077340000-0x00000000774C0000-memory.dmp, filesize 1.5MB