Overview

overview

9

Static

static

3

Warehub_No..._2.exe

windows7-x64

6

Warehub_No..._2.exe

windows10-2004-x64

9

Resubmissions

04/10/2023, 11:36

231004-nqnphadb83 9

04/10/2023, 11:30

231004-nmcg3abc2x 9

Analysis

  • max time kernel
    54s
  • max time network
    62s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/10/2023, 11:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Warehub_Nova_New_Interface_2.exe

  • Size

    12.8MB

  • MD5

    bda719bb15bfb020769ca3286ed546d5

  • SHA1

    a50fff9224aeedaa81bdc075d0414c26e5fcacde

  • SHA256

    e47cb33f11d4c2c8c7bc853e0a13ae38d1f762ea196ac31dd699a5d1dabcd8e2

  • SHA512

    c210d6f40ebcb12980bf2e096165c82d51f861be5e94cb001a1e66ada4e483d61662a8d1a0c31d2f55260f5bd99b8852822aad7cfa730e7218336ee22becabd2

  • SSDEEP

    196608:eCLzhlNSOMoR94Hk8IlUBFSmYPWZpQzznz+Yd4I2r0TEToTq9/WTkwPWUxsTBpYF:l/Nd8IlUBu2pi4I2rq3q9IgoM

Score
9/10
evasion

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Warehub_Nova_New_Interface_2.exe
    "C:\Users\Admin\AppData\Local\Temp\Warehub_Nova_New_Interface_2.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Looks for VirtualBox Guest Additions in registry
    • Checks BIOS information in registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks for VirtualBox DLLs, possible anti-VM trick
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4788
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Warehub_Nova_New_Interface_2.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4944
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Warehub_Nova_New_Interface_2.exe" MD5
        3⤵
          PID:2592
        • C:\Windows\system32\find.exe
          find /i /v "md5"
          3⤵
            PID:4464
          • C:\Windows\system32\find.exe
            find /i /v "certutil"
            3⤵
              PID:2996
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c pause >nul
            2⤵
              PID:2168

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/4788-1-0x00007FF709010000-0x00007FF70A84F000-memory.dmp

                  Filesize

                  24.2MB

                  Download

                • memory/4788-0-0x00007FFBFBD90000-0x00007FFBFBD92000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/4788-2-0x00007FFBFBDA0000-0x00007FFBFBDA2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/4788-3-0x00007FF709010000-0x00007FF70A84F000-memory.dmp

                  Filesize

                  24.2MB

                  Download

                • memory/4788-23-0x00007FFBFBB90000-0x00007FFBFBD85000-memory.dmp

                  Filesize

                  2.0MB

                  Download

                • memory/4788-24-0x0000020A352F0000-0x0000020A352F1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4788-25-0x0000020A35300000-0x0000020A35301000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4788-26-0x0000020A35310000-0x0000020A35311000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4788-27-0x0000020A35330000-0x0000020A35331000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4788-28-0x00007FF709010000-0x00007FF70A84F000-memory.dmp

                  Filesize

                  24.2MB

                  Download

                • memory/4788-29-0x00007FFBFBB90000-0x00007FFBFBD85000-memory.dmp

                  Filesize

                  2.0MB

                  Download

                • memory/4788-30-0x00007FFBFBB90000-0x00007FFBFBD85000-memory.dmp

                  Filesize

                  2.0MB

                  Download