b191a4f2c437e19ce0dd89013d615688994c8e6a5d5c4f45c682f89dafd9dcc6

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/01/2023, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b191a4f2c437e19ce0dd89013d615688994c8e6a5d5c4f45c682f89dafd9dcc6.exe
Size

1.5MB
MD5

de7fe179d579fc3f098d5a95c9900532
SHA1

7434d820cdd606efe67608977ebf1bd4ec84c896
SHA256

b191a4f2c437e19ce0dd89013d615688994c8e6a5d5c4f45c682f89dafd9dcc6
SHA512

8094bb046cfb64779526a1e44afb1658441d953d60ef7c7eca07591a7f28987465359e2184d195497173cf1abd17ac37c26c99d31ffedf828f2b31499ee2dbeb
SSDEEP

24576:WlDEyMVobKAuX+6Snd7Q7qIRmWecfJJ7ryDi1nNNkd5gEbc/KJaSxh:WeyMi5uX+DnK7qIlDfvEd5L5Jh

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b191a4f2c437e19ce0dd89013d615688994c8e6a5d5c4f45c682f89dafd9dcc6.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b191a4f2c437e19ce0dd89013d615688994c8e6a5d5c4f45c682f89dafd9dcc6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b191a4f2c437e19ce0dd89013d615688994c8e6a5d5c4f45c682f89dafd9dcc6.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Wine	b191a4f2c437e19ce0dd89013d615688994c8e6a5d5c4f45c682f89dafd9dcc6.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1464	b191a4f2c437e19ce0dd89013d615688994c8e6a5d5c4f45c682f89dafd9dcc6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1464	b191a4f2c437e19ce0dd89013d615688994c8e6a5d5c4f45c682f89dafd9dcc6.exe
1464	b191a4f2c437e19ce0dd89013d615688994c8e6a5d5c4f45c682f89dafd9dcc6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1464	b191a4f2c437e19ce0dd89013d615688994c8e6a5d5c4f45c682f89dafd9dcc6.exe

C:\Users\Admin\AppData\Local\Temp\b191a4f2c437e19ce0dd89013d615688994c8e6a5d5c4f45c682f89dafd9dcc6.exe
"C:\Users\Admin\AppData\Local\Temp\b191a4f2c437e19ce0dd89013d615688994c8e6a5d5c4f45c682f89dafd9dcc6.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1464-54-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/1464-55-0x0000000076581000-0x0000000076583000-memory.dmp

Filesize
8KB

Download
memory/1464-56-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/1464-57-0x0000000077BB0000-0x0000000077D30000-memory.dmp

Filesize
1.5MB

Download