744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb

Analysis

max time kernel
69s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe
Size

897KB
MD5

8c0de0256142e6c494b02630cdf0b667
SHA1

91c6377097f4681d7b1f1a5dfce1a95865f30324
SHA256

744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb
SHA512

781cda77d387c5c55291d55a8ae9e49560d4ec0006e3c02b7e4fdb9ca674e2546be395256afef76dd603457a18dd741afbc83045ecabd2a181a9720394f23646
SSDEEP

24576:o5f0X77Gu9o9UpgWoaYQ/ObNshEOQJ+riG:u1u9fvPYSGN6ErJq

Score

9^/10

evasion upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	apocalyps32.exe

Executes dropped EXE 1 IoCs

pid	Process
4376	apocalyps32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4376-143-0x0000000040010000-0x000000004004C000-memory.dmp	upx

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Wine	744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Wine	apocalyps32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1752	744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe
4376	apocalyps32.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\apocalyps32.exe	744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe
File opened for modification	C:\Windows\apocalyps32.exe	744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe
File created	C:\Windows\apocalyps32.exe	apocalyps32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1752	744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe
1752	744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe
4376	apocalyps32.exe
4376	apocalyps32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 4376	1752	744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe	80
PID 1752 wrote to memory of 4376	1752	744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe	80
PID 1752 wrote to memory of 4376	1752	744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe	80
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81
PID 4376 wrote to memory of 1284	4376	apocalyps32.exe	81

C:\Users\Admin\AppData\Local\Temp\744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe
"C:\Users\Admin\AppData\Local\Temp\744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\apocalyps32.exe
  -bs
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apocalyps32.exe

Filesize
897KB

MD5
8c0de0256142e6c494b02630cdf0b667

SHA1
91c6377097f4681d7b1f1a5dfce1a95865f30324

SHA256
744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb

SHA512
781cda77d387c5c55291d55a8ae9e49560d4ec0006e3c02b7e4fdb9ca674e2546be395256afef76dd603457a18dd741afbc83045ecabd2a181a9720394f23646

Download Submit
C:\Windows\apocalyps32.exe

Filesize
897KB

MD5
8c0de0256142e6c494b02630cdf0b667

SHA1
91c6377097f4681d7b1f1a5dfce1a95865f30324

SHA256
744de75df602abe008bda830f8343b9af530ee62763d7525ac86403038d5b1eb

SHA512
781cda77d387c5c55291d55a8ae9e49560d4ec0006e3c02b7e4fdb9ca674e2546be395256afef76dd603457a18dd741afbc83045ecabd2a181a9720394f23646

Download Submit
memory/1752-139-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/1752-133-0x0000000077C50000-0x0000000077DF3000-memory.dmp

Filesize
1.6MB

Download
memory/1752-134-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/1752-140-0x0000000077C50000-0x0000000077DF3000-memory.dmp

Filesize
1.6MB

Download
memory/1752-132-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/4376-138-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download
memory/4376-141-0x0000000077C50000-0x0000000077DF3000-memory.dmp

Filesize
1.6MB

Download
memory/4376-143-0x0000000040010000-0x000000004004C000-memory.dmp

Filesize
240KB

Download
memory/4376-146-0x0000000077C50000-0x0000000077DF3000-memory.dmp

Filesize
1.6MB

Download
memory/4376-147-0x0000000000400000-0x00000000005E2000-memory.dmp

Filesize
1.9MB

Download