ed4b61b0ea2f4b11b981f0f58b034fb4135ed4c07a5609cd51cef01e52c4be9f

General

Target

ed4b61b0ea2f4b11b981f0f58b034fb4135ed4c07a5609cd51cef01e52c4be9f.exe
Size

618KB
MD5

0b61e24bd23ff9fa9ecb4126240dc95c
SHA1

a950562cb377c3046ec2a78ac4a502f3f763f427
SHA256

ed4b61b0ea2f4b11b981f0f58b034fb4135ed4c07a5609cd51cef01e52c4be9f
SHA512

0f57103306bb883d0ff1cfb2da748e41f9cb89208ae10c3f2a25b3ecc1886b1303dc3b477500253882c3c787da2851a06f8f94e416f9ecc5f25c90ebfb8a25e3
SSDEEP

12288:yKfC2/WC5btCQFxZITbejP27e73Rrx8FkWIGoC3tXkg/DKWO4g8CXdpYiY+F:K2/W0NDZ/b6uumGpdXkg/DKWOj8C8iYe

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ed4b61b0ea2f4b11b981f0f58b034fb4135ed4c07a5609cd51cef01e52c4be9f.exe

Executes dropped EXE 1 IoCs

pid	Process
1984	s8186.exe

Loads dropped DLL 4 IoCs

pid	Process
1256	ed4b61b0ea2f4b11b981f0f58b034fb4135ed4c07a5609cd51cef01e52c4be9f.exe
1256	ed4b61b0ea2f4b11b981f0f58b034fb4135ed4c07a5609cd51cef01e52c4be9f.exe
1256	ed4b61b0ea2f4b11b981f0f58b034fb4135ed4c07a5609cd51cef01e52c4be9f.exe
1256	ed4b61b0ea2f4b11b981f0f58b034fb4135ed4c07a5609cd51cef01e52c4be9f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ed4b61b0ea2f4b11b981f0f58b034fb4135ed4c07a5609cd51cef01e52c4be9f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	ed4b61b0ea2f4b11b981f0f58b034fb4135ed4c07a5609cd51cef01e52c4be9f.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	s8186.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	s8186.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	s8186.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	s8186.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1256	ed4b61b0ea2f4b11b981f0f58b034fb4135ed4c07a5609cd51cef01e52c4be9f.exe
1984	s8186.exe
1984	s8186.exe
1984	s8186.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	s8186.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1984	s8186.exe
1984	s8186.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 1984	1256	ed4b61b0ea2f4b11b981f0f58b034fb4135ed4c07a5609cd51cef01e52c4be9f.exe	27
PID 1256 wrote to memory of 1984	1256	ed4b61b0ea2f4b11b981f0f58b034fb4135ed4c07a5609cd51cef01e52c4be9f.exe	27
PID 1256 wrote to memory of 1984	1256	ed4b61b0ea2f4b11b981f0f58b034fb4135ed4c07a5609cd51cef01e52c4be9f.exe	27
PID 1256 wrote to memory of 1984	1256	ed4b61b0ea2f4b11b981f0f58b034fb4135ed4c07a5609cd51cef01e52c4be9f.exe	27

C:\Users\Admin\AppData\Local\Temp\ed4b61b0ea2f4b11b981f0f58b034fb4135ed4c07a5609cd51cef01e52c4be9f.exe
"C:\Users\Admin\AppData\Local\Temp\ed4b61b0ea2f4b11b981f0f58b034fb4135ed4c07a5609cd51cef01e52c4be9f.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\n8186\s8186.exe
  "C:\Users\Admin\AppData\Local\Temp\n8186\s8186.exe" 6cbbb58b9fe71e2083910c61W0SHN9v2GFmcaWAX84co8EuAe9apXi1khiZJlmrJ8CScHngP4vI0sBt8g3T6WS4iPQH03C1IFZUxkNuNiQE90+Sag9kYIAOmoR0Foe/Qw76Y8fnZ5BRzfRgFZasu6ehQ/zImdqSdjuHYHb4FTxS5IxXtdbpD8M+jz4lze2k= /v "C:\Users\Admin\AppData\Local\Temp\ed4b61b0ea2f4b11b981f0f58b034fb4135ed4c07a5609cd51cef01e52c4be9f.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n8186\s8186.exe

Filesize
350KB

MD5
54394ba7de5b2c5e3df92557ea95f014

SHA1
47a99735e089139495643c9027effcb6b1fc5504

SHA256
339f7dd54a1e07bfcabb5749047ef4ab615462213f5baaa62fb690c894bef1eb

SHA512
45928ffec4f1bf9a86469bb54f83ba6fdcd275ef9826bd923e890fce83d7a8f975c309bda4849d3f2d066ea458f23fa8e6aefe26be5e874249712462ecd69660

Download Submit
C:\Users\Admin\AppData\Local\Temp\n8186\s8186.exe

Filesize
350KB

MD5
54394ba7de5b2c5e3df92557ea95f014

SHA1
47a99735e089139495643c9027effcb6b1fc5504

SHA256
339f7dd54a1e07bfcabb5749047ef4ab615462213f5baaa62fb690c894bef1eb

SHA512
45928ffec4f1bf9a86469bb54f83ba6fdcd275ef9826bd923e890fce83d7a8f975c309bda4849d3f2d066ea458f23fa8e6aefe26be5e874249712462ecd69660

Download Submit
\Users\Admin\AppData\Local\Temp\n8186\s8186.exe

Filesize
350KB

MD5
54394ba7de5b2c5e3df92557ea95f014

SHA1
47a99735e089139495643c9027effcb6b1fc5504

SHA256
339f7dd54a1e07bfcabb5749047ef4ab615462213f5baaa62fb690c894bef1eb

SHA512
45928ffec4f1bf9a86469bb54f83ba6fdcd275ef9826bd923e890fce83d7a8f975c309bda4849d3f2d066ea458f23fa8e6aefe26be5e874249712462ecd69660

Download Submit
\Users\Admin\AppData\Local\Temp\n8186\s8186.exe

Filesize
350KB

MD5
54394ba7de5b2c5e3df92557ea95f014

SHA1
47a99735e089139495643c9027effcb6b1fc5504

SHA256
339f7dd54a1e07bfcabb5749047ef4ab615462213f5baaa62fb690c894bef1eb

SHA512
45928ffec4f1bf9a86469bb54f83ba6fdcd275ef9826bd923e890fce83d7a8f975c309bda4849d3f2d066ea458f23fa8e6aefe26be5e874249712462ecd69660

Download Submit
\Users\Admin\AppData\Local\Temp\n8186\s8186.exe

Filesize
350KB

MD5
54394ba7de5b2c5e3df92557ea95f014

SHA1
47a99735e089139495643c9027effcb6b1fc5504

SHA256
339f7dd54a1e07bfcabb5749047ef4ab615462213f5baaa62fb690c894bef1eb

SHA512
45928ffec4f1bf9a86469bb54f83ba6fdcd275ef9826bd923e890fce83d7a8f975c309bda4849d3f2d066ea458f23fa8e6aefe26be5e874249712462ecd69660

Download Submit
\Users\Admin\AppData\Local\Temp\n8186\s8186.exe

Filesize
350KB

MD5
54394ba7de5b2c5e3df92557ea95f014

SHA1
47a99735e089139495643c9027effcb6b1fc5504

SHA256
339f7dd54a1e07bfcabb5749047ef4ab615462213f5baaa62fb690c894bef1eb

SHA512
45928ffec4f1bf9a86469bb54f83ba6fdcd275ef9826bd923e890fce83d7a8f975c309bda4849d3f2d066ea458f23fa8e6aefe26be5e874249712462ecd69660

Download Submit
memory/1256-54-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1984-62-0x000007FEF3250000-0x000007FEF3C73000-memory.dmp

Filesize
10.1MB

Download
memory/1984-63-0x000007FEF1AD0000-0x000007FEF2B66000-memory.dmp

Filesize
16.6MB

Download
memory/1984-64-0x0000000000BC6000-0x0000000000BE5000-memory.dmp

Filesize
124KB

Download
memory/1984-65-0x0000000000BC6000-0x0000000000BE5000-memory.dmp

Filesize
124KB

Download
memory/1984-66-0x000007FEED800000-0x000007FEEE68F000-memory.dmp

Filesize
14.6MB

Download
memory/1984-67-0x000007FEF2F60000-0x000007FEF324A000-memory.dmp

Filesize
2.9MB

Download
memory/1984-68-0x0000000000BC6000-0x0000000000BE5000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads