162e566a94f724a08647a8f0f42c0ad635d3bffaff976b32ab38d4202e637c7d

General

Target

0f423229f1a869f490e8f9e84fbb7afb.exe
Size

500KB
MD5

0f423229f1a869f490e8f9e84fbb7afb
SHA1

68ebd87a48250318100d4bdaff83a9c3a08b92fa
SHA256

162e566a94f724a08647a8f0f42c0ad635d3bffaff976b32ab38d4202e637c7d
SHA512

9c0b077a070429779db322417f4ab9442e9385c241c2748e0d37cdbd3b88729c123feea141dd53806823a50ca53e7ed6b40958f2780e30c26d1e07ff0aca719f
SSDEEP

6144:z5DK99xOtO8XMLOjyfdGdQK36OP9KEzmIr3JgYhCOPoKuRbdz5C241cOInPfnGfA:z5Dc3x8XPjy07n1C4uASOIP/so

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0f423229f1a869f490e8f9e84fbb7afb.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	0f423229f1a869f490e8f9e84fbb7afb.exe

Executes dropped EXE 1 IoCs

pid	Process
5780	s640.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4564	3880	WerFault.exe	82

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	0f423229f1a869f490e8f9e84fbb7afb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	0f423229f1a869f490e8f9e84fbb7afb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3880	0f423229f1a869f490e8f9e84fbb7afb.exe
3880	0f423229f1a869f490e8f9e84fbb7afb.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 5780	3880	0f423229f1a869f490e8f9e84fbb7afb.exe	91
PID 3880 wrote to memory of 5780	3880	0f423229f1a869f490e8f9e84fbb7afb.exe	91

C:\Users\Admin\AppData\Local\Temp\0f423229f1a869f490e8f9e84fbb7afb.exe
"C:\Users\Admin\AppData\Local\Temp\0f423229f1a869f490e8f9e84fbb7afb.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Users\Admin\AppData\Local\Temp\n640\s640.exe
  "C:\Users\Admin\AppData\Local\Temp\n640\s640.exe" ins.exe /h a46af.api.socdn.com /u e79b5525-92fa-11e3-8a58-80c16e6f498c /e 12909069 /t 53abfb15561ca38c138b48ee /v "C:\Users\Admin\AppData\Local\Temp\0f423229f1a869f490e8f9e84fbb7afb.exe"
  2⤵
  - Executes dropped EXE
  PID:5780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 4444
  2⤵
  - Program crash
  PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3880 -ip 3880
1⤵
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n640\s640.exe

Filesize
286KB

MD5
3e3ab97a3be5f358ef2410034ca1d11e

SHA1
132b2d344871a59eea8cd45dcb289f880754de0a

SHA256
9343341db998236ead9f7bc0847747fb92cc90cc4709e7b6ff4c2ff6809dd1bb

SHA512
31cae25593341fe970dce4532449af639fb4b05a91591c1a22a8be52e2d9937439ef2a73e87cc49e636d24d3c5986a5d1954e9736046da4adbb7ac9857d9e48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\n640\s640.exe

Filesize
59KB

MD5
d31bca1e3acfdb561ff75b8d98ed3865

SHA1
055fbb06e9766a793668a9cdee8b1bd1aeac11fd

SHA256
0d220102aa372ddcfdd6735a6f311c14bf91fa23aab33df0f02ad5d4ef0f6f67

SHA512
c3ebfe6de4f6ade5e088c99af8b9678ffdf3b76e4aca7cb092436fbeb58eb7f4070bb5e9209096d876d39b26d872d538995e0f78a2cc47d6fdc1c2be6ecbe8fb

Download Submit
memory/5780-34-0x0000000001060000-0x0000000001070000-memory.dmp

Filesize
64KB

Download
memory/5780-35-0x0000000001060000-0x0000000001070000-memory.dmp

Filesize
64KB

Download
memory/5780-26-0x000000001BA80000-0x000000001BA8A000-memory.dmp

Filesize
40KB

Download
memory/5780-30-0x000000001C090000-0x000000001C12C000-memory.dmp

Filesize
624KB

Download
memory/5780-29-0x000000001C610000-0x000000001CADE000-memory.dmp

Filesize
4.8MB

Download
memory/5780-31-0x000000001BA90000-0x000000001BA98000-memory.dmp

Filesize
32KB

Download
memory/5780-32-0x0000000001060000-0x0000000001070000-memory.dmp

Filesize
64KB

Download
memory/5780-33-0x0000000001060000-0x0000000001070000-memory.dmp

Filesize
64KB

Download
memory/5780-12-0x0000000001060000-0x0000000001070000-memory.dmp

Filesize
64KB

Download
memory/5780-11-0x00007FFE7D870000-0x00007FFE7E211000-memory.dmp

Filesize
9.6MB

Download
memory/5780-36-0x000000001FF20000-0x000000001FF82000-memory.dmp

Filesize
392KB

Download
memory/5780-37-0x0000000020460000-0x000000002059C000-memory.dmp

Filesize
1.2MB

Download
memory/5780-38-0x0000000020AB0000-0x0000000020FBE000-memory.dmp

Filesize
5.1MB

Download
memory/5780-39-0x00000000213C0000-0x00000000214C0000-memory.dmp

Filesize
1024KB

Download
memory/5780-41-0x0000000001060000-0x0000000001070000-memory.dmp

Filesize
64KB

Download
memory/5780-40-0x00007FFE7D870000-0x00007FFE7E211000-memory.dmp

Filesize
9.6MB

Download
memory/5780-42-0x0000000001060000-0x0000000001070000-memory.dmp

Filesize
64KB

Download
memory/5780-44-0x00007FFE7D870000-0x00007FFE7E211000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads