Overview

overview

9

Static

static

ae814e6e50...6e.exe

windows7-x64

9

ae814e6e50...6e.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    87s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2022 23:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ae814e6e500b38e79f0e5541148857657b78da331e1f2b8e6959e90e7f427a6e.exe

  • Size

    1.9MB

  • MD5

    7429b8f292f85ffa84e1657e60abc887

  • SHA1

    b6aa0c059bb76a4928f4d2d9854bf8a0b5ebad67

  • SHA256

    ae814e6e500b38e79f0e5541148857657b78da331e1f2b8e6959e90e7f427a6e

  • SHA512

    5f426ce668781d2b1ac2f4155fc4198a241c8394227b9b0e51763d3ea06c7f229591e07e9cfc1061c0af3449b7554c97f332a1c1757483b63bff5cbc2bfdf51e

  • SSDEEP

    24576:PdDIebyqqi2saCSwBjDfx+5w/R13lrUi8DZCTfQxVPBkZQpFXSKQZCTfQxVPBkZo:PtvJqiGQ1+m1RpWCTav4CTavX

Score
9/10
evasiontrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae814e6e500b38e79f0e5541148857657b78da331e1f2b8e6959e90e7f427a6e.exe
    "C:\Users\Admin\AppData\Local\Temp\ae814e6e500b38e79f0e5541148857657b78da331e1f2b8e6959e90e7f427a6e.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Identifies Wine through registry keys
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Users\Admin\AppData\Local\Temp\ae814e6e500b38e79f0e5541148857657b78da331e1f2b8e6959e90e7f427a6e.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ae814e6e500b38e79f0e5541148857657b78da331e1f2b8e6959e90e7f427a6e.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1124
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1124 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NSI31JUT.txt
    Filesize

    539B

    MD5

    1ab25c87166de1fc4c805a15718e1a05

    SHA1

    480d1a5f828c663025c5629ae17618515ce26315

    SHA256

    a02f1b2ccb31437413a682629391874ac91a1beb54a63212279f15faf8e3b7df

    SHA512

    9dff7470ae579e4d85cff28cf9481f27b17d3328df022706e5a61d403e8df0d1655639b240ea6d4f36dc24857a388c95250cc55d8f48c035af1a3919e3c61590

    Download Submit
  • memory/1588-64-0x0000000000400000-0x0000000000436000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1588-58-0x0000000000400000-0x0000000000436000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1588-59-0x0000000000400000-0x0000000000436000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1588-61-0x0000000000400000-0x0000000000436000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1588-62-0x0000000000400000-0x0000000000436000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1588-65-0x0000000000400000-0x0000000000436000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1588-66-0x000000000042CF2E-mapping.dmp
    Download
  • memory/1588-69-0x0000000000402000-0x000000000042D000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1588-68-0x0000000000402000-0x000000000042D000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1972-54-0x00000000751A1000-0x00000000751A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1972-70-0x00000000774C0000-0x0000000077640000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1972-57-0x00000000774C0000-0x0000000077640000-memory.dmp
    Filesize

    1.5MB

    Download