c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe

General

Target

c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe
Size

2.7MB
MD5

b68b2358f6d8ce60e22c2773d9e4e2f2
SHA1

23886b9615c714dc6c89ea25f6b0b65292f4e7a0
SHA256

c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe
SHA512

5dc61fc2ab0385e2d75e1ecfc87ff85dea048d12bbbbb558043dabe39ce74f99cf6d76e55d44cf8ea8528948550c8b79a07c70bb4d8d2607e265cffde9d32af2
SSDEEP

49152:w4GRMcTILl9XORhquCL7yoVVAOsie4MgOG+ebN2yOsWYGeAvuPxNf55ZGOsNe:w4iIvXikyOCONiB65ZVzbZGO4e

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Wine	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1084	1692	WerFault.exe	17

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
564	PING.EXE
3000	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe
1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe
1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe
1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe
1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe
1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe
1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe
1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe
1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe
1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe
1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe
1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe
1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 3000	1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe	28
PID 1692 wrote to memory of 3000	1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe	28
PID 1692 wrote to memory of 3000	1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe	28
PID 1692 wrote to memory of 3000	1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe	28
PID 1692 wrote to memory of 564	1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe	31
PID 1692 wrote to memory of 564	1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe	31
PID 1692 wrote to memory of 564	1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe	31
PID 1692 wrote to memory of 564	1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe	31
PID 1692 wrote to memory of 1084	1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe	35
PID 1692 wrote to memory of 1084	1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe	35
PID 1692 wrote to memory of 1084	1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe	35
PID 1692 wrote to memory of 1084	1692	c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe	35

C:\Users\Admin\AppData\Local\Temp\c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe
"C:\Users\Admin\AppData\Local\Temp\c1737f0d46ee79dfbecbc29cfbb50b1e6c1dff61585682d150cec131ee52dffe.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
  2⤵
  - Runs ping.exe
  PID:3000
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
  2⤵
  - Runs ping.exe
  PID:564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 1668
  2⤵
  - Program crash
  PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ad-mymacro9.xml.tmp

Filesize
3KB

MD5
6a004b4196400a627b5b6248a2a2dcba

SHA1
fa9a555e83a4c3a73e07a728ec92827f55fbcf02

SHA256
9cd3e3f97866082f8edfed25d56b40786c2809f264c4f8b10c022403e7f0f101

SHA512
1b5cea41dce0742e4ba7a7f3c4bef3eefc92c63d267a306e4098c68b768723abc0f0eace4a486ff3f4b1bb8a74279dd04e9c2a48df9a20125c21209e3d205624

Download Submit
C:\Users\Admin\AppData\Local\Temp\macADCC.tmp

Filesize
341B

MD5
c71b2bd80fb9d35df080125aaea70cf9

SHA1
2b7744efe1e19d52ebd3f26bd2bfc4cdef94a59b

SHA256
debf7c8cd0d8934af398024b383e65a22f26af584554737c2cc97cee76ad39ae

SHA512
dccac0275450925adba270d3e29bc0cef36dadd35b50701f4121776e79c8048276281ab83de11d421a3da16c663ab33c0dc3cc1e15bd3df1968972d619f7fd01

Download Submit
memory/1692-0-0x0000000000240000-0x0000000000988000-memory.dmp

Filesize
7.3MB

Download
memory/1692-6-0x0000000000240000-0x0000000000988000-memory.dmp

Filesize
7.3MB

Download
memory/1692-42-0x0000000000240000-0x0000000000988000-memory.dmp

Filesize
7.3MB

Download
memory/1692-43-0x0000000000240000-0x0000000000988000-memory.dmp

Filesize
7.3MB

Download
memory/1692-46-0x0000000000240000-0x0000000000988000-memory.dmp

Filesize
7.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads