Overview

overview

9

Static

static

3

file.exe

windows7-x64

7

file.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    163s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2023, 19:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    369KB

  • MD5

    ab8ca5e42346f12449880f6cec4d4cda

  • SHA1

    b9a1d7e06f7db0fff80a8fbeafe32f408ab2cc20

  • SHA256

    2f0d1740cabc87f0b68605d72189860b48ea5cf9b8b1570346e996626aec288b

  • SHA512

    a33cbffe2a2518a482d0d70585f31e8a578762a5b2b064ca164dbec7a049b3acb711b39228e9d0970d0d27b188a665c5720a912648cd38f85b41d537e85e974b

  • SSDEEP

    6144:JahOdUVuNLepz+4d3fj7tv+9EoLULd36Ls/0sBnNf4jkc/GcFSIXRr:JigTe+Sr7QKP0KNfYk4FHh

Score
9/10
evasionpersistence

Malware Config

Signatures

  • Enumerates VirtualBox DLL files 2 TTPs 8 IoCs
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 3 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\industryaddition.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\industryaddition.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3640
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\industryaddition.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\industryaddition.exe
        3⤵
        • Enumerates VirtualBox DLL files
        • Enumerates VirtualBox registry keys
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Looks for VirtualBox drivers on disk
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious behavior: EnumeratesProcesses
        PID:5108
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\industryaddiition.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\industryaddiition.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4892

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\industryaddiition.exe
          Filesize

          429KB

          MD5

          45a864cdab976946ebf002944a05f9a2

          SHA1

          a5a7872eba1ce0ebd5c77db55612cd4d14bf426b

          SHA256

          3b940d245ac6702f80cb4ffcddab7d1ceb42482dc715fc66c5c9d1a6de17f8e1

          SHA512

          38118890dd9df14b133b4943fd8673dd2daf4a9e00ab711851efd0400fa3c47fe8328c25954d2bdc9042c954278f758082593670be89a21c6fb436385d4358d9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\industryaddiition.exe
          Filesize

          429KB

          MD5

          45a864cdab976946ebf002944a05f9a2

          SHA1

          a5a7872eba1ce0ebd5c77db55612cd4d14bf426b

          SHA256

          3b940d245ac6702f80cb4ffcddab7d1ceb42482dc715fc66c5c9d1a6de17f8e1

          SHA512

          38118890dd9df14b133b4943fd8673dd2daf4a9e00ab711851efd0400fa3c47fe8328c25954d2bdc9042c954278f758082593670be89a21c6fb436385d4358d9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\industryaddition.exe
          Filesize

          429KB

          MD5

          92d15d0e639a5573540ebec0ce281efc

          SHA1

          9e5c6f39eee4178c4da656cd4e06608a7b750972

          SHA256

          6beb73691415668f0619b6d3fde859d67dcd814a2ad250610d7d4781f2d628f5

          SHA512

          f0eeb135692b3893ec966db3ea141c3c2ca48a00e8e93c8c1890031feecb84aadb1a803a93265d16d88d3c0018b1b92910377d3a69d8bbcadeb1b79d0c93b959

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\industryaddition.exe
          Filesize

          429KB

          MD5

          92d15d0e639a5573540ebec0ce281efc

          SHA1

          9e5c6f39eee4178c4da656cd4e06608a7b750972

          SHA256

          6beb73691415668f0619b6d3fde859d67dcd814a2ad250610d7d4781f2d628f5

          SHA512

          f0eeb135692b3893ec966db3ea141c3c2ca48a00e8e93c8c1890031feecb84aadb1a803a93265d16d88d3c0018b1b92910377d3a69d8bbcadeb1b79d0c93b959

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\industryaddition.exe
          Filesize

          429KB

          MD5

          92d15d0e639a5573540ebec0ce281efc

          SHA1

          9e5c6f39eee4178c4da656cd4e06608a7b750972

          SHA256

          6beb73691415668f0619b6d3fde859d67dcd814a2ad250610d7d4781f2d628f5

          SHA512

          f0eeb135692b3893ec966db3ea141c3c2ca48a00e8e93c8c1890031feecb84aadb1a803a93265d16d88d3c0018b1b92910377d3a69d8bbcadeb1b79d0c93b959

          Download Submit

        • memory/3640-11-0x000001E251E20000-0x000001E251E6E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/3640-10-0x000001E237BC0000-0x000001E237C20000-memory.dmp

          Filesize

          384KB

          Download

        • memory/3640-12-0x000001E251FF0000-0x000001E25203C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3640-13-0x00007FFEB3B90000-0x00007FFEB4651000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3640-14-0x000001E251E70000-0x000001E251E80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3640-9-0x000001E251E70000-0x000001E251E80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3640-8-0x00007FFEB3B90000-0x00007FFEB4651000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3640-7-0x000001E2376C0000-0x000001E23772E000-memory.dmp

          Filesize

          440KB

          Download

        • memory/3640-21-0x00007FFEB3B90000-0x00007FFEB4651000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4892-27-0x0000023ED52C0000-0x0000023ED532E000-memory.dmp

          Filesize

          440KB

          Download

        • memory/4892-28-0x00007FFEB3BA0000-0x00007FFEB4661000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4892-29-0x0000023ED5900000-0x0000023ED5910000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4892-30-0x0000023EEFB20000-0x0000023EEFC26000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4892-31-0x0000023EEFC30000-0x0000023EEFD26000-memory.dmp

          Filesize

          984KB

          Download

        • memory/4892-33-0x00007FFEB3BA0000-0x00007FFEB4661000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4892-34-0x0000023ED5900000-0x0000023ED5910000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5108-24-0x0000000140000000-0x000000014005A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/5108-22-0x0000000140000000-0x000000014005A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/5108-19-0x0000000140000000-0x000000014005A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/5108-18-0x0000000140000000-0x000000014005A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/5108-15-0x0000000140000000-0x000000014005A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/5108-32-0x0000000140000000-0x000000014005A000-memory.dmp

          Filesize

          360KB

          Download