80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb

General

Target

80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe
Size

13.3MB
MD5

9ac3f09bbc9f5310ea51c15d347616ce
SHA1

3647ee26a5f8b629f9c29dfaec0e6ac42c71478b
SHA256

80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb
SHA512

2c357b6f51462c673fa82fb2941554a7735e9d30580c77707f0f9c7fac42a9c17e1d6f9494b2bb25ebc8cba458bde8af4c5868ee26e17597a2286d2f352b75e8
SSDEEP

393216:jq94Usc5SuJMW7cs2UtQqfJPLi4LMp+Vz:eeUzcuJMW73G0LibgV

Score

9^/10

evasion vmprotect

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Wine	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe

Loads dropped DLL 1 IoCs

pid	Process
2200	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000b0000000230ee-12.dat	vmprotect
behavioral2/memory/2200-16-0x0000000010000000-0x0000000010652000-memory.dmp	vmprotect
behavioral2/files/0x000b0000000230ee-15.dat	vmprotect
behavioral2/memory/2200-17-0x0000000010000000-0x0000000010652000-memory.dmp	vmprotect
behavioral2/memory/2200-28-0x0000000010000000-0x0000000010652000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2200	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe
2200	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe
2200	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2200	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe
2200	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe
2200	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe
2200	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe
Token: SeSystemtimePrivilege	2200	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2200	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe
2200	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe
2200	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2200	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe
2200	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe
2200	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2200	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe
2200	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe
2200	80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe

C:\Users\Admin\AppData\Local\Temp\80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe
"C:\Users\Admin\AppData\Local\Temp\80131f5302fffccf86ee3a48544fd039a64faf77b1f6f6216a450d37fd9cf8cb.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dro.c

Filesize
3.0MB

MD5
b93ac2143be6021cba4663789fb365d4

SHA1
2b90c3c5500b679dc8d4a600ca718cfc66c08060

SHA256
25b299706935e534f66233e25b9c8609b8081e003c9bc82f7a15105c336a7359

SHA512
6a247a0386708b6d528d40bee85bcfb5a591c60cf6a5a92e7149fb3203c4a1a8aef6b75579403c92a5188bfdc3f7604fd251718b8c50eee2bd707feeb4c1f108

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dro.c

Filesize
3.0MB

MD5
b93ac2143be6021cba4663789fb365d4

SHA1
2b90c3c5500b679dc8d4a600ca718cfc66c08060

SHA256
25b299706935e534f66233e25b9c8609b8081e003c9bc82f7a15105c336a7359

SHA512
6a247a0386708b6d528d40bee85bcfb5a591c60cf6a5a92e7149fb3203c4a1a8aef6b75579403c92a5188bfdc3f7604fd251718b8c50eee2bd707feeb4c1f108

Download Submit
memory/2200-16-0x0000000010000000-0x0000000010652000-memory.dmp

Filesize
6.3MB

Download
memory/2200-1-0x0000000077254000-0x0000000077256000-memory.dmp

Filesize
8KB

Download
memory/2200-7-0x0000000000400000-0x000000000154F000-memory.dmp

Filesize
17.3MB

Download
memory/2200-6-0x0000000000400000-0x000000000154F000-memory.dmp

Filesize
17.3MB

Download
memory/2200-9-0x0000000000400000-0x000000000154F000-memory.dmp

Filesize
17.3MB

Download
memory/2200-2-0x0000000000400000-0x000000000154F000-memory.dmp

Filesize
17.3MB

Download
memory/2200-0-0x0000000000400000-0x000000000154F000-memory.dmp

Filesize
17.3MB

Download
memory/2200-5-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/2200-17-0x0000000010000000-0x0000000010652000-memory.dmp

Filesize
6.3MB

Download
memory/2200-26-0x0000000000400000-0x000000000154F000-memory.dmp

Filesize
17.3MB

Download
memory/2200-27-0x0000000000400000-0x000000000154F000-memory.dmp

Filesize
17.3MB

Download
memory/2200-28-0x0000000010000000-0x0000000010652000-memory.dmp

Filesize
6.3MB

Download
memory/2200-33-0x0000000000400000-0x000000000154F000-memory.dmp

Filesize
17.3MB

Download
memory/2200-39-0x0000000000400000-0x000000000154F000-memory.dmp

Filesize
17.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads