5126f8d490dcbf38d6e05b0cb4b3bc4f9b85aa03ac9d813c84e55c15d9d85165

General

Target

JC_5126f8d490dcbf38d6e05b0cb4b3bc4f9b85aa03ac9d813c84e55c15d9d85165.exe
Size

2.4MB
MD5

cc94e6bf5facdbb6ba6bdf115da648f1
SHA1

8ccfa5597218e3c0976c0a11733eb458cd04ee77
SHA256

5126f8d490dcbf38d6e05b0cb4b3bc4f9b85aa03ac9d813c84e55c15d9d85165
SHA512

e86c7ce40c1d195fd5ec01e10c6308d0360efe8466ec9e6ac9112680c130e0c868393fb30c8c01ddc1870a431286971d140cf1cc70e8398d0c28dc13f425fe4e
SSDEEP

49152:Kquu8YgI4dHY5B1izK/5p+yUMo6XPzw37bVqRs+xI09m2Vsj4I:ADI55CzY5p+yF7XM7bYrIfosjr

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JC_5126f8d490dcbf38d6e05b0cb4b3bc4f9b85aa03ac9d813c84e55c15d9d85165.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JC_5126f8d490dcbf38d6e05b0cb4b3bc4f9b85aa03ac9d813c84e55c15d9d85165.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JC_5126f8d490dcbf38d6e05b0cb4b3bc4f9b85aa03ac9d813c84e55c15d9d85165.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Wine	JC_5126f8d490dcbf38d6e05b0cb4b3bc4f9b85aa03ac9d813c84e55c15d9d85165.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JC_5126f8d490dcbf38d6e05b0cb4b3bc4f9b85aa03ac9d813c84e55c15d9d85165.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2820	JC_5126f8d490dcbf38d6e05b0cb4b3bc4f9b85aa03ac9d813c84e55c15d9d85165.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2820	JC_5126f8d490dcbf38d6e05b0cb4b3bc4f9b85aa03ac9d813c84e55c15d9d85165.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2820	JC_5126f8d490dcbf38d6e05b0cb4b3bc4f9b85aa03ac9d813c84e55c15d9d85165.exe
2820	JC_5126f8d490dcbf38d6e05b0cb4b3bc4f9b85aa03ac9d813c84e55c15d9d85165.exe
2820	JC_5126f8d490dcbf38d6e05b0cb4b3bc4f9b85aa03ac9d813c84e55c15d9d85165.exe
2820	JC_5126f8d490dcbf38d6e05b0cb4b3bc4f9b85aa03ac9d813c84e55c15d9d85165.exe
2820	JC_5126f8d490dcbf38d6e05b0cb4b3bc4f9b85aa03ac9d813c84e55c15d9d85165.exe

C:\Users\Admin\AppData\Local\Temp\JC_5126f8d490dcbf38d6e05b0cb4b3bc4f9b85aa03ac9d813c84e55c15d9d85165.exe
"C:\Users\Admin\AppData\Local\Temp\JC_5126f8d490dcbf38d6e05b0cb4b3bc4f9b85aa03ac9d813c84e55c15d9d85165.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2820-0-0x0000000000400000-0x0000000000A11000-memory.dmp

Filesize
6.1MB

Download
memory/2820-1-0x00000000773C0000-0x00000000773C2000-memory.dmp

Filesize
8KB

Download
memory/2820-11-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/2820-12-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/2820-13-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/2820-10-0x0000000004690000-0x0000000004691000-memory.dmp

Filesize
4KB

Download
memory/2820-9-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/2820-8-0x00000000045A0000-0x00000000045A1000-memory.dmp

Filesize
4KB

Download
memory/2820-7-0x0000000004650000-0x0000000004651000-memory.dmp

Filesize
4KB

Download
memory/2820-6-0x0000000004540000-0x0000000004542000-memory.dmp

Filesize
8KB

Download
memory/2820-5-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download
memory/2820-4-0x00000000045D0000-0x00000000045D1000-memory.dmp

Filesize
4KB

Download
memory/2820-3-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/2820-2-0x0000000004580000-0x0000000004582000-memory.dmp

Filesize
8KB

Download
memory/2820-14-0x0000000004560000-0x0000000004561000-memory.dmp

Filesize
4KB

Download
memory/2820-15-0x0000000000400000-0x0000000000A11000-memory.dmp

Filesize
6.1MB

Download
memory/2820-19-0x00000000045E0000-0x00000000045E1000-memory.dmp

Filesize
4KB

Download
memory/2820-20-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/2820-18-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/2820-26-0x00000000046D0000-0x00000000046D1000-memory.dmp

Filesize
4KB

Download
memory/2820-27-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/2820-25-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/2820-24-0x0000000004630000-0x0000000004631000-memory.dmp

Filesize
4KB

Download
memory/2820-23-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/2820-22-0x00000000046B0000-0x00000000046B1000-memory.dmp

Filesize
4KB

Download
memory/2820-21-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/2820-17-0x00000000048B0000-0x00000000048B2000-memory.dmp

Filesize
8KB

Download
memory/2820-16-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/2820-28-0x0000000000400000-0x0000000000A11000-memory.dmp

Filesize
6.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads