163cf99538e464c106284f002756b4f28a5e10c178eb6949976220e8a9d6b2ee

Analysis

max time kernel
148s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02199ba87384404792a39113907e64e0.exe
Size

3.6MB
MD5

02199ba87384404792a39113907e64e0
SHA1

af209e88dfb9f47ea7a8fcbb83ca7a7aa07c22ba
SHA256

163cf99538e464c106284f002756b4f28a5e10c178eb6949976220e8a9d6b2ee
SHA512

f544a0c9e8cae6ae965a376c15b76d8ddebe0ba14953a93c08d8d95d0e730eed69a4a36b94e4af5d8d85b3e9c83358fef42ac4a86c11e1876daf715e6656a8c0
SSDEEP

98304:lk/Q8Juk9hG4FP1RRavH/Wyssk7rtIh6Nqa7:l+uqGSc3Hssk7rt5r7

Score

9^/10

evasion upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	02199ba87384404792a39113907e64e0.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00060000000231f4-9.dat	acprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	02199ba87384404792a39113907e64e0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	02199ba87384404792a39113907e64e0.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Wine	02199ba87384404792a39113907e64e0.exe

Loads dropped DLL 1 IoCs

pid	Process
4516	02199ba87384404792a39113907e64e0.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00060000000231f4-9.dat	upx
behavioral2/memory/4516-24-0x0000000010000000-0x0000000010269000-memory.dmp	upx
behavioral2/memory/4516-33-0x0000000010000000-0x0000000010269000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4516	02199ba87384404792a39113907e64e0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4516	02199ba87384404792a39113907e64e0.exe
4516	02199ba87384404792a39113907e64e0.exe

C:\Users\Admin\AppData\Local\Temp\02199ba87384404792a39113907e64e0.exe
"C:\Users\Admin\AppData\Local\Temp\02199ba87384404792a39113907e64e0.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5RUXdYLq1B.tmp\htmlayout.dll

Filesize
161KB

MD5
675184bf3b73e80729bbfa93184a2c13

SHA1
857fd8c17ca9d9f097e107ab418a59af63506a0b

SHA256
d6c827fb7c39d259fa955ae56dc038080a9870b9811b8e4bb15d36523898cdc3

SHA512
cf6f5b87c8bd6957ae1f868051181a8b6825b351a462d3f4685f9f86effca2a0dcbd02effbd447ba46dcaffbff1a4d4e80e40e168276e1ec4cafbe1e6933a9c8

Download Submit
memory/4516-28-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/4516-2-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/4516-8-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/4516-7-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/4516-13-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/4516-12-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/4516-1-0x0000000076FB4000-0x0000000076FB6000-memory.dmp

Filesize
8KB

Download
memory/4516-15-0x0000000000400000-0x0000000000A93000-memory.dmp

Filesize
6.6MB

Download
memory/4516-23-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/4516-22-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/4516-24-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/4516-26-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/4516-27-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/4516-25-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/4516-21-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/4516-20-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/4516-19-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/4516-18-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/4516-17-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/4516-16-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/4516-5-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/4516-6-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/4516-0-0x0000000000400000-0x0000000000A93000-memory.dmp

Filesize
6.6MB

Download
memory/4516-29-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/4516-4-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/4516-30-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/4516-31-0x0000000000400000-0x0000000000A93000-memory.dmp

Filesize
6.6MB

Download
memory/4516-32-0x0000000000400000-0x0000000000A93000-memory.dmp

Filesize
6.6MB

Download
memory/4516-33-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/4516-34-0x0000000000400000-0x0000000000A93000-memory.dmp

Filesize
6.6MB

Download
memory/4516-35-0x0000000000400000-0x0000000000A93000-memory.dmp

Filesize
6.6MB

Download
memory/4516-37-0x0000000000400000-0x0000000000A93000-memory.dmp

Filesize
6.6MB

Download
memory/4516-39-0x0000000000400000-0x0000000000A93000-memory.dmp

Filesize
6.6MB

Download
memory/4516-41-0x0000000000400000-0x0000000000A93000-memory.dmp

Filesize
6.6MB

Download
memory/4516-43-0x0000000000400000-0x0000000000A93000-memory.dmp

Filesize
6.6MB

Download
memory/4516-45-0x0000000000400000-0x0000000000A93000-memory.dmp

Filesize
6.6MB

Download
memory/4516-47-0x0000000000400000-0x0000000000A93000-memory.dmp

Filesize
6.6MB

Download
memory/4516-49-0x0000000000400000-0x0000000000A93000-memory.dmp

Filesize
6.6MB

Download
memory/4516-51-0x0000000000400000-0x0000000000A93000-memory.dmp

Filesize
6.6MB

Download
memory/4516-53-0x0000000000400000-0x0000000000A93000-memory.dmp

Filesize
6.6MB

Download
memory/4516-55-0x0000000000400000-0x0000000000A93000-memory.dmp

Filesize
6.6MB

Download
memory/4516-57-0x0000000000400000-0x0000000000A93000-memory.dmp

Filesize
6.6MB

Download
memory/4516-59-0x0000000000400000-0x0000000000A93000-memory.dmp

Filesize
6.6MB

Download
memory/4516-60-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download