Analysis
-
max time kernel
135s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
27-03-2023 09:33
General
-
Target
客户端(Client)_KEY.exe
-
Size
1.2MB
-
MD5
b0aacc897731ccf1adee875390c6cfcf
-
SHA1
494182a125ce93921252c79f155d4c10db049899
-
SHA256
e182e12f86fcc70e57c6ed760c5789e6c1a08dac5b4bfb005509c1a7038e9990
-
SHA512
b3f8f4793d9b00f1015ea0f9a77a0cf6672fc700036781adf5d5e4c559573f191d4ef982e57e964f7ad107664995d6f5cab6bd20d81f9f6f592602468fab2eab
-
SSDEEP
24576:4zOhmv9L5ldZz5NLDvHvK2OZkh0y634ek4cKWd6JqjzD8E:wZHzz6y63Jk4bg0VE
Score
9/10
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\客户端(Client)_KEY.exe"C:\Users\Admin\AppData\Local\Temp\客户端(Client)_KEY.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4980-133-0x0000000000400000-0x00000000006DF000-memory.dmpFilesize
2.9MB
-
memory/4980-134-0x0000000004910000-0x0000000004911000-memory.dmpFilesize
4KB
-
memory/4980-135-0x0000000004900000-0x0000000004901000-memory.dmpFilesize
4KB
-
memory/4980-136-0x0000000004970000-0x0000000004971000-memory.dmpFilesize
4KB
-
memory/4980-138-0x00000000048C0000-0x00000000048C1000-memory.dmpFilesize
4KB
-
memory/4980-137-0x0000000004940000-0x0000000004941000-memory.dmpFilesize
4KB
-
memory/4980-139-0x0000000004920000-0x0000000004921000-memory.dmpFilesize
4KB
-
memory/4980-140-0x00000000048E0000-0x00000000048E2000-memory.dmpFilesize
8KB
-
memory/4980-141-0x00000000048F0000-0x00000000048F1000-memory.dmpFilesize
4KB
-
memory/4980-142-0x0000000004990000-0x0000000004991000-memory.dmpFilesize
4KB
-
memory/4980-144-0x00000000048D0000-0x00000000048D1000-memory.dmpFilesize
4KB
-
memory/4980-143-0x00000000048B0000-0x00000000048B1000-memory.dmpFilesize
4KB
-
memory/4980-145-0x0000000004960000-0x0000000004961000-memory.dmpFilesize
4KB
-
memory/4980-146-0x0000000004980000-0x0000000004981000-memory.dmpFilesize
4KB
-
memory/4980-148-0x0000000004950000-0x0000000004951000-memory.dmpFilesize
4KB
-
memory/4980-149-0x00000000049E0000-0x00000000049E1000-memory.dmpFilesize
4KB
-
memory/4980-147-0x0000000004A70000-0x0000000004A71000-memory.dmpFilesize
4KB
-
memory/4980-150-0x0000000004A40000-0x0000000004A41000-memory.dmpFilesize
4KB
-
memory/4980-152-0x00000000049A0000-0x00000000049A1000-memory.dmpFilesize
4KB
-
memory/4980-151-0x0000000004A00000-0x0000000004A01000-memory.dmpFilesize
4KB
-
memory/4980-153-0x00000000049D0000-0x00000000049D1000-memory.dmpFilesize
4KB
-
memory/4980-154-0x00000000049F0000-0x00000000049F1000-memory.dmpFilesize
4KB
-
memory/4980-155-0x0000000004A60000-0x0000000004A61000-memory.dmpFilesize
4KB
-
memory/4980-156-0x0000000004A90000-0x0000000004A91000-memory.dmpFilesize
4KB
-
memory/4980-157-0x0000000004AA0000-0x0000000004AA1000-memory.dmpFilesize
4KB
-
memory/4980-159-0x0000000004A10000-0x0000000004A12000-memory.dmpFilesize
8KB
-
memory/4980-160-0x0000000000400000-0x00000000006DF000-memory.dmpFilesize
2.9MB