Overview

overview

9

Static

static

3

6cd588d051...2f.exe

windows7-x64

9

6cd588d051...2f.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26-12-2023 12:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6cd588d0515be40fa37b5a09a288682f.exe

  • Size

    214KB

  • MD5

    6cd588d0515be40fa37b5a09a288682f

  • SHA1

    630aa3f99a394ce2d1f1aa95d4e76100a61b2f4e

  • SHA256

    497fcfe8d44cf501dc57628ac10bee0b11062abd358690a441773dec8b1a72eb

  • SHA512

    b253166e315e1b27dca64d2c378498b7ba4389507332f80492d95e2c2a0dd0b6793f92978a7814951db6827b71d2d3a4fc17504ba03248bcfe401c9f29de4699

  • SSDEEP

    6144:uL38YSBhz9vFjw93+xmcg3VHglNX2NNNyWkEg:uL38Y+99vFjw93+YlAPmN5Zg

Score
9/10
evasion

Malware Config

Signatures

  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 3 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6cd588d0515be40fa37b5a09a288682f.exe
    "C:\Users\Admin\AppData\Local\Temp\6cd588d0515be40fa37b5a09a288682f.exe"
    1⤵
    • Enumerates VirtualBox registry keys
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks system information in the registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks for VirtualBox DLLs, possible anti-VM trick
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 492
      2⤵
      • Program crash
      PID:2820
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:2352

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\log.txt
      Filesize

      4KB

      MD5

      fe26db4db55f5b603bb7dd39d9b1a91d

      SHA1

      afcb12ed588e15713a9a8b4f622833939249286f

      SHA256

      e4d084974481d7737702e0e92f736fb1314a0699ad372888c1cb50869f531d23

      SHA512

      c781064de5e9cf9debb3a8313815b49ee9bea2496daea05b59ad55cba11fccbcf260cd2c1be9eb451030b355f234548fac797d25b55ec594d790ec3d34e2b7f5

      Download Submit