93fa018caa6ee1e49dc83c478e9e66a16490943ad293ae487ce3c1ff3a261e71

General

Target

93fa018caa6ee1e49dc83c478e9e66a16490943ad293ae487ce3c1ff3a261e71.exe
Size

13.6MB
MD5

80fd943bfe9b46fd35870fabbde3ca37
SHA1

8ce273a8ae00d5112fb7a884b3d2f5ce88808f25
SHA256

93fa018caa6ee1e49dc83c478e9e66a16490943ad293ae487ce3c1ff3a261e71
SHA512

3974302adcbdd65130cb5b96449a14a087f7786d6a97eb284842b2155245cabd24e1d1804fa4124d5fa750693f7c09a32485b667580d1247bf69024ed551875c
SSDEEP

196608:nQtY6qgkU3sKCt3U1cST9/ODMRs9HJ2nTtiH3YMprYgA1kgu+/0q+n2JIaf71:nQWgkcJ1cScYR62JiXrvzDqIu7

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	93fa018caa6ee1e49dc83c478e9e66a16490943ad293ae487ce3c1ff3a261e71.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	93fa018caa6ee1e49dc83c478e9e66a16490943ad293ae487ce3c1ff3a261e71.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	93fa018caa6ee1e49dc83c478e9e66a16490943ad293ae487ce3c1ff3a261e71.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Wine	93fa018caa6ee1e49dc83c478e9e66a16490943ad293ae487ce3c1ff3a261e71.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1984	93fa018caa6ee1e49dc83c478e9e66a16490943ad293ae487ce3c1ff3a261e71.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1984	93fa018caa6ee1e49dc83c478e9e66a16490943ad293ae487ce3c1ff3a261e71.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1984	93fa018caa6ee1e49dc83c478e9e66a16490943ad293ae487ce3c1ff3a261e71.exe
1984	93fa018caa6ee1e49dc83c478e9e66a16490943ad293ae487ce3c1ff3a261e71.exe

C:\Users\Admin\AppData\Local\Temp\93fa018caa6ee1e49dc83c478e9e66a16490943ad293ae487ce3c1ff3a261e71.exe
"C:\Users\Admin\AppData\Local\Temp\93fa018caa6ee1e49dc83c478e9e66a16490943ad293ae487ce3c1ff3a261e71.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1984-0-0x0000000000400000-0x0000000001710000-memory.dmp

Filesize
19.1MB

Download
memory/1984-1-0x0000000077670000-0x0000000077672000-memory.dmp

Filesize
8KB

Download
memory/1984-2-0x0000000000400000-0x0000000001710000-memory.dmp

Filesize
19.1MB

Download
memory/1984-3-0x0000000005140000-0x0000000005142000-memory.dmp

Filesize
8KB

Download
memory/1984-6-0x0000000005350000-0x0000000005352000-memory.dmp

Filesize
8KB

Download
memory/1984-7-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/1984-8-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/1984-12-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/1984-19-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/1984-18-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/1984-17-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/1984-16-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/1984-15-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/1984-14-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/1984-13-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/1984-11-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/1984-20-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/1984-10-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/1984-9-0x00000000052D0000-0x00000000052D2000-memory.dmp

Filesize
8KB

Download
memory/1984-5-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/1984-4-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/1984-22-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/1984-25-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/1984-28-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/1984-27-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/1984-26-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/1984-24-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/1984-23-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/1984-29-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/1984-30-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/1984-32-0x0000000005520000-0x0000000005522000-memory.dmp

Filesize
8KB

Download
memory/1984-31-0x0000000000400000-0x0000000001710000-memory.dmp

Filesize
19.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads