Analysis
max time kernel: 149s
max time network: 55s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 03:18
Static task: static1
Behavioral task: behavioral1
Sample: 261ad28bb11516f6557316778cbbf8bd.exe
Resource: win7-20231215-en
General
Target: 261ad28bb11516f6557316778cbbf8bd.exe
Size: 1.4MB
MD5: 261ad28bb11516f6557316778cbbf8bd
SHA1: 6bf3b451ecb45d758706c1c67a4c9f256f1dee29
SHA256: 4643fd8421eeea214ea49a05937858d1fda72b9b4141861ab1dd52e83949601b
SHA512: ddba725d9b3dbcbbf9849eeeabaa516542c0a69fe1bed51fc6708244f93e0c2ec69996780a8a77a9ed5a45aa4b693b52c1f40cade3539b2e0d38d64368897d81
SSDEEP: 24576:8thUkbMvMKfXX8mG4M5zvl611+Cq9n9tW00iqbXT3PLleQ8i5fDB0AX/aOugguqe:8Qkb2MY3lMw1+CQ9Oi0XTfLlsiF5Cm
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description: Key opened
  ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  process: 261ad28bb11516f6557316778cbbf8bd.exe

Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  process: 261ad28bb11516f6557316778cbbf8bd.exe

Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Wine
  process: 261ad28bb11516f6557316778cbbf8bd.exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 1036 set thread context of 5116
  pid: 1036
  process: 261ad28bb11516f6557316778cbbf8bd.exe
  procid_target: 37

Suspicious use of AdjustPrivilegeToken (24 IoCs)
  pid: 5116
  process: 261ad28bb11516f6557316778cbbf8bd.exe
  description (one entry per token): Token: SeIncreaseQuotaPrivilege, Token: SeSecurityPrivilege, Token: SeTakeOwnershipPrivilege, Token: SeLoadDriverPrivilege, Token: SeSystemProfilePrivilege, Token: SeSystemtimePrivilege, Token: SeProfSingleProcessPrivilege, Token: SeIncBasePriorityPrivilege, Token: SeCreatePagefilePrivilege, Token: SeBackupPrivilege, Token: SeRestorePrivilege, Token: SeShutdownPrivilege, Token: SeDebugPrivilege, Token: SeSystemEnvironmentPrivilege, Token: SeChangeNotifyPrivilege, Token: SeRemoteShutdownPrivilege, Token: SeUndockPrivilege, Token: SeManageVolumePrivilege, Token: SeImpersonatePrivilege, Token: SeCreateGlobalPrivilege, Token: 33, Token: 34, Token: 35, Token: 36

Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 1036
  process: 261ad28bb11516f6557316778cbbf8bd.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description: PID 1036 wrote to memory of 5116 (14 identical entries)
  pid: 1036
  process: 261ad28bb11516f6557316778cbbf8bd.exe
  procid_target: 37
Processes
C:\Users\Admin\AppData\Local\Temp\261ad28bb11516f6557316778cbbf8bd.exe (PID: 1036)
  command line: "C:\Users\Admin\AppData\Local\Temp\261ad28bb11516f6557316778cbbf8bd.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\261ad28bb11516f6557316778cbbf8bd.exe (PID: 5116)
    command line: "C:\Users\Admin\AppData\Local\Temp\261ad28bb11516f6557316778cbbf8bd.exe"
    - Suspicious use of AdjustPrivilegeToken