fc1859f620c59d3e70bb6f7e12ce963afaadae57c20edfff376c89b07f5a50a4

Analysis

max time kernel
0s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14e0a4f87f833d3298b4856f1dc14ae0.exe
Size

564KB
MD5

14e0a4f87f833d3298b4856f1dc14ae0
SHA1

a147dbe8f655c0a032699f29c92b749291d74029
SHA256

fc1859f620c59d3e70bb6f7e12ce963afaadae57c20edfff376c89b07f5a50a4
SHA512

747a3d64e89cbc7e7b719851cefd83f4891bb7e55143963e2e413c3a91647537cab0b08d40f5d90b3b48d9be65dc9231833057ce4053ed41ba801d876dc39dd2
SSDEEP

12288:LNr8AzhxTY5O3R4YalsuKni4Lu9oSO4SVomdu3lW:LNrdxTQGzuoSyymdUE

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	14e0a4f87f833d3298b4856f1dc14ae0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4656	3228	WerFault.exe	14

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	14e0a4f87f833d3298b4856f1dc14ae0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	14e0a4f87f833d3298b4856f1dc14ae0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3228	14e0a4f87f833d3298b4856f1dc14ae0.exe
3228	14e0a4f87f833d3298b4856f1dc14ae0.exe

C:\Users\Admin\AppData\Local\Temp\14e0a4f87f833d3298b4856f1dc14ae0.exe
"C:\Users\Admin\AppData\Local\Temp\14e0a4f87f833d3298b4856f1dc14ae0.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:3228
- C:\Users\Admin\AppData\Local\Temp\n2790\s2790.exe
  "C:\Users\Admin\AppData\Local\Temp\n2790\s2790.exe" ins.exe /e 12848026 /u 50d1d9d5-cf90-407c-820a-35e05bc06f2f /h b04302.api.socdn.com /v "C:\Users\Admin\AppData\Local\Temp\14e0a4f87f833d3298b4856f1dc14ae0.exe"
  2⤵
  PID:2892
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 1856
    3⤵
    PID:4612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 3888
  2⤵
  - Program crash
  PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3228 -ip 3228
1⤵
PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n2790\s2790.exe

Filesize
411KB

MD5
13b0085a03720e67fb8c73db3f14609e

SHA1
ddf811f21e6c066b644d03e6751e16efb0fbecce

SHA256
f9449897f9ca99b99837ad322c8b6737e7a47e3827b6a4c073c6ca8911d8c340

SHA512
39b95dce14b3eea6f191d4dbaaff87ebbc8f3b6982e7b4ee5ebeed83d3b7397441665f25dec5eb9f8a1f3b12f4ddcd604d5852b781f592488263161c0d620e82

Download Submit
memory/2892-15-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2892-14-0x00007FFEDB090000-0x00007FFEDBA31000-memory.dmp

Filesize
9.6MB

Download
memory/2892-31-0x000000001BF70000-0x000000001BF7E000-memory.dmp

Filesize
56KB

Download
memory/2892-35-0x000000001CF30000-0x000000001CFCC000-memory.dmp

Filesize
624KB

Download
memory/2892-36-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2892-34-0x000000001CA60000-0x000000001CF2E000-memory.dmp

Filesize
4.8MB

Download
memory/2892-43-0x00007FFEDB090000-0x00007FFEDBA31000-memory.dmp

Filesize
9.6MB

Download