46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2023, 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Size

4.9MB
MD5

890656aada6aee91d45effd316023cbd
SHA1

3edcbdae52e0a995a1dec62491087035fa8aad6b
SHA256

46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0
SHA512

6126a19913ef02c8d9f3808c7cb8d44b18466c31afa4aa4232eb00cb77424704a0fe9e1b6b95dc2587cf20f6d8a4ddca19166aaa54bc7f73abcc756c4dc9f4d3
SSDEEP

98304:4nhLTDcdqwb3KfoNDUFMxQ7pbw+abYNuJ+ly:Wc4qKstD1

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Wine	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe

Loads dropped DLL 4 IoCs

pid	Process
1756	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
1756	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
1756	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
1756	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment"	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary"	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine"	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine"	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ThreadingModel = "Apartment"	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine"	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine"	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine"	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}"	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment"	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}"	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary"	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine"	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary"	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1756	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1756	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1756	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
1756	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
1756	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
1756	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
1756	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
1756	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
1756	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
1756	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
1756	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
1756	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
1756	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
1756	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
1756	46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe

C:\Users\Admin\AppData\Local\Temp\46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe
"C:\Users\Admin\AppData\Local\Temp\46869c7e52efbec951441a8e71b43eed77fed7e5cda746e8d6ee1262b8b171f0.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cfgdll.dll

Filesize
59KB

MD5
3f9711ab8cfa0cbbeaeceba7904c8700

SHA1
94085220d65eb8c572fb394ab0d19815dcf80680

SHA256
517df7f719bcc34ea934868e46c77932768ee77abccc3bccac62bf9bfeed0af5

SHA512
e595acdc6b857a6180f88ddb0bd8c50f66bd1768d129e996dcd8934e9462150d041dc79addd2251b933e1a63ccccf03070ecce8ed485ea35622af1c18c60fcc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfgdll.dll

Filesize
59KB

MD5
3f9711ab8cfa0cbbeaeceba7904c8700

SHA1
94085220d65eb8c572fb394ab0d19815dcf80680

SHA256
517df7f719bcc34ea934868e46c77932768ee77abccc3bccac62bf9bfeed0af5

SHA512
e595acdc6b857a6180f88ddb0bd8c50f66bd1768d129e996dcd8934e9462150d041dc79addd2251b933e1a63ccccf03070ecce8ed485ea35622af1c18c60fcc5

Download Submit
C:\Users\Admin\AppData\Roaming\mymacro\qdisp.dll

Filesize
43KB

MD5
7171bc500507f070355c8903e0ea6d3d

SHA1
073d479fdbd1f2af5d494e90b950098be63dee75

SHA256
3e02f67604dcc1f9e2f107e3dc04f9dcdc59431b2a9323838b61c427c63b997c

SHA512
a8162de29e73f7a198ab7b592c393c8b39e42d5f6649efeca300a90dd7c70178fca1cfcd1f721588dcff296d5245f9ebfa289c6525c7e8621c8eef3e77787622

Download Submit
C:\Users\Admin\AppData\Roaming\mymacro\qdisp.dll

Filesize
43KB

MD5
7171bc500507f070355c8903e0ea6d3d

SHA1
073d479fdbd1f2af5d494e90b950098be63dee75

SHA256
3e02f67604dcc1f9e2f107e3dc04f9dcdc59431b2a9323838b61c427c63b997c

SHA512
a8162de29e73f7a198ab7b592c393c8b39e42d5f6649efeca300a90dd7c70178fca1cfcd1f721588dcff296d5245f9ebfa289c6525c7e8621c8eef3e77787622

Download Submit
memory/1756-132-0x0000000000400000-0x00000000008DD000-memory.dmp

Filesize
4.9MB

Download
memory/1756-133-0x0000000000400000-0x00000000008DD000-memory.dmp

Filesize
4.9MB

Download
memory/1756-138-0x0000000006690000-0x000000000669F000-memory.dmp

Filesize
60KB

Download
memory/1756-139-0x0000000000C7E000-0x0000000000C83000-memory.dmp

Filesize
20KB

Download
memory/1756-140-0x0000000000400000-0x00000000008DD000-memory.dmp

Filesize
4.9MB

Download
memory/1756-141-0x0000000000400000-0x00000000008DD000-memory.dmp

Filesize
4.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads