Resubmissions

31/05/2023, 15:39

230531-s3qrvagc31 9

31/05/2023, 11:18

230531-neex8aee66 9

27/11/2022, 11:41

221127-ntgeladh62 9

Analysis

  • max time kernel
    117s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/11/2022, 11:41

General

  • Target

    5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe

  • Size

    2.2MB

  • MD5

    55c447191d9566c7442e25c4caf0d2fe

  • SHA1

    646762cee3a5caab9accd21efcb100cd49b8ef8a

  • SHA256

    5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d

  • SHA512

    9da8d4eb744308253f9befc238f4d1bd3122e06aa578b50ad2d27cb7a11d76fd1a95428df66ef287783139e5d3c8bf10d6fca6833867f8285cd06637843faa7e

  • SSDEEP

    49152:ZQwS6fiVzAdAqfR8K+CQmh2l2qf4LSQmCRnXhRaNQRWGNfbzQUo:+N6aVzAyqfnzQf4LptnXasW4fwU

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 3 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe
    "C:\Users\Admin\AppData\Local\Temp\5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /delete /TN Microsoft\Windows\Shell\Init /F
      2⤵
        PID:1440
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /create /F /sc onstart /tn Microsoft\Windows\Shell\Init /tr "\"C:\Windows\System\20vumXJ\D8xDwUJe.exe\"" /ru system
        2⤵
        • Creates scheduled task(s)
        PID:436
      • C:\Windows\System\20vumXJ\D8xDwUJe.exe
        "C:\Windows\System\20vumXJ\D8xDwUJe.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Drops file in Windows directory
        PID:1516
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5B7E02~1.EXE >> NUL
        2⤵
        • Deletes itself
        PID:316

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Windows\system\20vumXJ\D8xDwUJe.exe

      Filesize

      2.2MB

      MD5

      55c447191d9566c7442e25c4caf0d2fe

      SHA1

      646762cee3a5caab9accd21efcb100cd49b8ef8a

      SHA256

      5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d

      SHA512

      9da8d4eb744308253f9befc238f4d1bd3122e06aa578b50ad2d27cb7a11d76fd1a95428df66ef287783139e5d3c8bf10d6fca6833867f8285cd06637843faa7e

    • \Users\Admin\AppData\Local\Temp\4BA1.tmp

      Filesize

      106KB

      MD5

      d6ce4b6db8407ca80193ede96d812bb7

      SHA1

      0a181d703e3adf1b3b9f043559e1952446a0b0cd

      SHA256

      7127ea6a185af63fc77fa2a7f87605d981a15c90277eaa3e9899d333e2e108e2

      SHA512

      25a1e5f60571486c1fd23dde44ca565a3bac051542831d9a24484a9c160e5ca9322daa376ab3a5bdc397113b61227955d4d951987cc01e9b18556f3513a9ab87

    • \Users\Admin\AppData\Local\Temp\E85D.tmp

      Filesize

      106KB

      MD5

      d6ce4b6db8407ca80193ede96d812bb7

      SHA1

      0a181d703e3adf1b3b9f043559e1952446a0b0cd

      SHA256

      7127ea6a185af63fc77fa2a7f87605d981a15c90277eaa3e9899d333e2e108e2

      SHA512

      25a1e5f60571486c1fd23dde44ca565a3bac051542831d9a24484a9c160e5ca9322daa376ab3a5bdc397113b61227955d4d951987cc01e9b18556f3513a9ab87

    • \Windows\system\20vumXJ\D8xDwUJe.exe

      Filesize

      2.2MB

      MD5

      55c447191d9566c7442e25c4caf0d2fe

      SHA1

      646762cee3a5caab9accd21efcb100cd49b8ef8a

      SHA256

      5b7e022f5009004985b34cf091d06752c765a25b445a46050eef51a17be8267d

      SHA512

      9da8d4eb744308253f9befc238f4d1bd3122e06aa578b50ad2d27cb7a11d76fd1a95428df66ef287783139e5d3c8bf10d6fca6833867f8285cd06637843faa7e

    • memory/956-56-0x0000000000400000-0x00000000008F8000-memory.dmp

      Filesize

      5.0MB

    • memory/956-54-0x0000000000400000-0x00000000008F8000-memory.dmp

      Filesize

      5.0MB

    • memory/956-57-0x0000000000400000-0x00000000008F8000-memory.dmp

      Filesize

      5.0MB

    • memory/956-59-0x0000000000400000-0x00000000008F8000-memory.dmp

      Filesize

      5.0MB

    • memory/956-66-0x0000000000400000-0x00000000008F8000-memory.dmp

      Filesize

      5.0MB

    • memory/956-55-0x0000000076091000-0x0000000076093000-memory.dmp

      Filesize

      8KB

    • memory/1516-67-0x0000000000400000-0x00000000008F8000-memory.dmp

      Filesize

      5.0MB

    • memory/1516-69-0x0000000000400000-0x00000000008F8000-memory.dmp

      Filesize

      5.0MB

    • memory/1516-71-0x0000000000400000-0x00000000008F8000-memory.dmp

      Filesize

      5.0MB

    • memory/1516-72-0x0000000000400000-0x00000000008F8000-memory.dmp

      Filesize

      5.0MB