1533629ea7819e0cc5ae30ebd3a3ed467c56ff6e67b4a973832bc1a90e94c92d

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2023 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

启动器5.exe
Size

8.6MB
MD5

427a6f4998a86ac166094df773204e15
SHA1

4f9d98837fdb519051c990dbd722f95cd53bb3d0
SHA256

1533629ea7819e0cc5ae30ebd3a3ed467c56ff6e67b4a973832bc1a90e94c92d
SHA512

b4b368904d3b6d4fd6ce2955f38044f55f9f7e98419b91f073c992d1e6e4d84da2daae1a1216cedb95a21e43360421d5ff8232da02c4d5002b639e4335312d62
SSDEEP

98304:/r3frjoeEg5qcAd4p5BlmkC+/C4OWoHI7NINa4tqR+zqbJ278QnV4jEMSD6BXlkz:/7frMM5qr4FlmIdCIetOl27qEMSOsJ

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	启动器5.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	启动器5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	启动器5.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Wine	启动器5.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4468	启动器5.exe
4468	启动器5.exe
4468	启动器5.exe
4468	启动器5.exe

C:\Users\Admin\AppData\Local\Temp\启动器5.exe
"C:\Users\Admin\AppData\Local\Temp\启动器5.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of SetWindowsHookEx
PID:4468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ad-mymacro9.xml.tmp

Filesize
3KB

MD5
6a004b4196400a627b5b6248a2a2dcba

SHA1
fa9a555e83a4c3a73e07a728ec92827f55fbcf02

SHA256
9cd3e3f97866082f8edfed25d56b40786c2809f264c4f8b10c022403e7f0f101

SHA512
1b5cea41dce0742e4ba7a7f3c4bef3eefc92c63d267a306e4098c68b768723abc0f0eace4a486ff3f4b1bb8a74279dd04e9c2a48df9a20125c21209e3d205624

Download Submit
memory/4468-151-0x0000000000B30000-0x00000000012B7000-memory.dmp

Filesize
7.5MB

Download
memory/4468-148-0x0000000000B30000-0x00000000012B7000-memory.dmp

Filesize
7.5MB

Download
memory/4468-152-0x0000000000B30000-0x00000000012B7000-memory.dmp

Filesize
7.5MB

Download
memory/4468-147-0x0000000000B30000-0x00000000012B7000-memory.dmp

Filesize
7.5MB

Download
memory/4468-153-0x0000000000B30000-0x00000000012B7000-memory.dmp

Filesize
7.5MB

Download
memory/4468-149-0x0000000000B30000-0x00000000012B7000-memory.dmp

Filesize
7.5MB

Download
memory/4468-150-0x0000000000B30000-0x00000000012B7000-memory.dmp

Filesize
7.5MB

Download
memory/4468-154-0x0000000000B30000-0x00000000012B7000-memory.dmp

Filesize
7.5MB

Download
memory/4468-146-0x0000000000B30000-0x00000000012B7000-memory.dmp

Filesize
7.5MB

Download
memory/4468-139-0x0000000000B30000-0x00000000012B7000-memory.dmp

Filesize
7.5MB

Download
memory/4468-133-0x0000000000B30000-0x00000000012B7000-memory.dmp

Filesize
7.5MB

Download
memory/4468-155-0x0000000000B30000-0x00000000012B7000-memory.dmp

Filesize
7.5MB

Download
memory/4468-156-0x0000000000B30000-0x00000000012B7000-memory.dmp

Filesize
7.5MB

Download
memory/4468-157-0x0000000000B30000-0x00000000012B7000-memory.dmp

Filesize
7.5MB

Download
memory/4468-158-0x0000000000B30000-0x00000000012B7000-memory.dmp

Filesize
7.5MB

Download
memory/4468-159-0x0000000000B30000-0x00000000012B7000-memory.dmp

Filesize
7.5MB

Download
memory/4468-160-0x0000000000B30000-0x00000000012B7000-memory.dmp

Filesize
7.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads