744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb

Analysis

max time kernel
38s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe
Size

897KB
MD5

8c0de0256142e6c494b02630cdf0b667
SHA1

91c6377097f4681d7b1f1a5dfce1a95865f30324
SHA256

744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb
SHA512

781cda77d387c5c55291d55a8ae9e49560d4ec0006e3c02b7e4fdb9ca674e2546be395256afef76dd603457a18dd741afbc83045ecabd2a181a9720394f23646
SSDEEP

24576:o5f0X77Gu9o9UpgWoaYQ/ObNshEOQJ+riG:u1u9fvPYSGN6ErJq

Score

9^/10

evasion upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	apocalyps32.exe

Executes dropped EXE 1 IoCs

pid	Process
1736	apocalyps32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1736-66-0x0000000040010000-0x000000004004C000-memory.dmp	upx

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Wine	744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Wine	apocalyps32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2036	744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe
1736	apocalyps32.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\apocalyps32.exe	744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe
File opened for modification	C:\Windows\apocalyps32.exe	744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe
File created	C:\Windows\apocalyps32.exe	apocalyps32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2036	744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe
1736	apocalyps32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1736	2036	744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe	26
PID 2036 wrote to memory of 1736	2036	744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe	26
PID 2036 wrote to memory of 1736	2036	744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe	26
PID 2036 wrote to memory of 1736	2036	744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe	26
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27
PID 1736 wrote to memory of 1616	1736	apocalyps32.exe	27

C:\Users\Admin\AppData\Local\Temp\744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe
"C:\Users\Admin\AppData\Local\Temp\744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\apocalyps32.exe
  -bs
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apocalyps32.exe

Filesize
897KB

MD5
8c0de0256142e6c494b02630cdf0b667

SHA1
91c6377097f4681d7b1f1a5dfce1a95865f30324

SHA256
744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb

SHA512
781cda77d387c5c55291d55a8ae9e49560d4ec0006e3c02b7e4fdb9ca674e2546be395256afef76dd603457a18dd741afbc83045ecabd2a181a9720394f23646

Download Submit
C:\Windows\apocalyps32.exe

Filesize
897KB

MD5
8c0de0256142e6c494b02630cdf0b667

SHA1
91c6377097f4681d7b1f1a5dfce1a95865f30324

SHA256
744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb

SHA512
781cda77d387c5c55291d55a8ae9e49560d4ec0006e3c02b7e4fdb9ca674e2546be395256afef76dd603457a18dd741afbc83045ecabd2a181a9720394f23646

Download Submit
memory/1736-62-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/1736-70-0x0000000077670000-0x00000000777F0000-memory.dmp

Filesize
1.5MB

Download
memory/1736-69-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/1736-66-0x0000000040010000-0x000000004004C000-memory.dmp

Filesize
240KB

Download
memory/2036-57-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/2036-61-0x0000000077670000-0x00000000777F0000-memory.dmp

Filesize
1.5MB

Download
memory/2036-60-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/2036-54-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/2036-56-0x0000000077670000-0x00000000777F0000-memory.dmp

Filesize
1.5MB

Download
memory/2036-55-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download