Overview

overview

9

Static

static

3

a8194f2b24...32.exe

windows7-x64

9

a8194f2b24...32.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    141s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    08/10/2023, 11:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a8194f2b24d6b6511899a30a0d3aaa12217406dc7863e0cec42475aa7c3f4132.exe

  • Size

    6.1MB

  • MD5

    3cfc9ae205511aee6412d9777eab0ae8

  • SHA1

    faea5bf1780088e682c1d1ceaa454ecfc6fc6882

  • SHA256

    a8194f2b24d6b6511899a30a0d3aaa12217406dc7863e0cec42475aa7c3f4132

  • SHA512

    89ec9dbfe9cead6e3ea98ef4ea1b5c3c94dd5d34409ac182873a37beee421329db9a2b0afb96c6ac161f7ae41329a0f65f292075f2bd4b5af69ad5317b0ea629

  • SSDEEP

    98304:taAoMaqfStnkpT9w8pJ2KOjEZbRXUyi+FdFfEb0nVtBPi2zXVlienB+F:taxMaqfSapT9ppDPX/mSzw+y

Score
9/10
evasionupx

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8194f2b24d6b6511899a30a0d3aaa12217406dc7863e0cec42475aa7c3f4132.exe
    "C:\Users\Admin\AppData\Local\Temp\a8194f2b24d6b6511899a30a0d3aaa12217406dc7863e0cec42475aa7c3f4132.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 492
      2⤵
      • Program crash
      PID:2520

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3020-0-0x0000000000400000-0x0000000000D93000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3020-1-0x00000000771C0000-0x00000000771C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3020-3-0x0000000000400000-0x0000000000D93000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3020-2-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-5-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-7-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-6-0x00000000049E0000-0x00000000049E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-8-0x00000000049A0000-0x00000000049A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-10-0x0000000004780000-0x0000000004781000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-4-0x0000000004910000-0x0000000004911000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-11-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-12-0x0000000004970000-0x0000000004971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-15-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-16-0x0000000004A20000-0x0000000004A21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-14-0x00000000047A0000-0x00000000047A2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3020-19-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-20-0x00000000047B0000-0x00000000047B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-23-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-24-0x0000000004920000-0x0000000004921000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-26-0x00000000049F0000-0x00000000049F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-27-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-22-0x0000000004790000-0x0000000004791000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-28-0x0000000004A00000-0x0000000004A01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-31-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-32-0x0000000004A40000-0x0000000004A41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-35-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-36-0x00000000049B0000-0x00000000049B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-39-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-40-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-38-0x0000000004A70000-0x0000000004A71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-43-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-44-0x0000000004930000-0x0000000004931000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-47-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-42-0x0000000004950000-0x0000000004951000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-34-0x0000000004770000-0x0000000004771000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-30-0x0000000004A80000-0x0000000004A81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-18-0x00000000047C0000-0x00000000047C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-49-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-51-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-53-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-57-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-66-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-64-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-62-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-69-0x0000000000400000-0x0000000000D93000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3020-68-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-60-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-55-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3020-70-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download