2df79e3cd2ef051cf0cb94915b6c62fd0e86447373fa6af26612e0fad2c77b23

Analysis

max time kernel
151s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53b4d6e8187e16c1f2fe5b9d24b70fa8.exe
Size

4.0MB
MD5

53b4d6e8187e16c1f2fe5b9d24b70fa8
SHA1

0e26139b49c33436b418c1f0f3a2c6772fb61f0c
SHA256

2df79e3cd2ef051cf0cb94915b6c62fd0e86447373fa6af26612e0fad2c77b23
SHA512

32e6e2574de8bbeec70d017b418b4fcb80c6a8e056c1b462f5003a36be1bbf7e8d9a5e1a10d7b0a2da0f60c66973d0b0becb8d1022ccb17ab5caa7ad25b40b5c
SSDEEP

98304:88VeFzbX1LFSMBVXmL+NCFptAxErv0EzMIVL2:8jFz/9pmL+NCDEpIJ2

Score

9^/10

evasion upx vmprotect

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	53b4d6e8187e16c1f2fe5b9d24b70fa8.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	53b4d6e8187e16c1f2fe5b9d24b70fa8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	53b4d6e8187e16c1f2fe5b9d24b70fa8.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Wine	53b4d6e8187e16c1f2fe5b9d24b70fa8.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3244-29-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-32-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-33-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-35-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-34-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-38-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-40-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-42-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-45-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-47-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-50-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-52-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-54-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-56-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-59-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-61-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-63-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-66-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-69-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-71-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-73-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-76-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-78-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-80-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-82-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-88-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3244-89-0x0000000010000000-0x000000001003D000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3244-22-0x0000000005230000-0x00000000053FD000-memory.dmp	vmprotect
behavioral2/memory/3244-24-0x0000000005230000-0x00000000053FD000-memory.dmp	vmprotect
behavioral2/memory/3244-25-0x0000000005230000-0x00000000053FD000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3244	53b4d6e8187e16c1f2fe5b9d24b70fa8.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2424	3244	WerFault.exe	85
3252	3244	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3244	53b4d6e8187e16c1f2fe5b9d24b70fa8.exe
3244	53b4d6e8187e16c1f2fe5b9d24b70fa8.exe
3244	53b4d6e8187e16c1f2fe5b9d24b70fa8.exe
3244	53b4d6e8187e16c1f2fe5b9d24b70fa8.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3244	53b4d6e8187e16c1f2fe5b9d24b70fa8.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3244	53b4d6e8187e16c1f2fe5b9d24b70fa8.exe
3244	53b4d6e8187e16c1f2fe5b9d24b70fa8.exe
3244	53b4d6e8187e16c1f2fe5b9d24b70fa8.exe

C:\Users\Admin\AppData\Local\Temp\53b4d6e8187e16c1f2fe5b9d24b70fa8.exe
"C:\Users\Admin\AppData\Local\Temp\53b4d6e8187e16c1f2fe5b9d24b70fa8.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:3244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1752
  2⤵
  - Program crash
  PID:2424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1772
  2⤵
  - Program crash
  PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3244 -ip 3244
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3244 -ip 3244
1⤵
PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3244-0-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/3244-1-0x0000000077C94000-0x0000000077C96000-memory.dmp

Filesize
8KB

Download
memory/3244-2-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/3244-3-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3244-4-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/3244-5-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/3244-6-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/3244-7-0x0000000004D30000-0x0000000004D32000-memory.dmp

Filesize
8KB

Download
memory/3244-8-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/3244-10-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/3244-9-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/3244-11-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/3244-12-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/3244-13-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/3244-15-0x0000000005000000-0x0000000005002000-memory.dmp

Filesize
8KB

Download
memory/3244-14-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/3244-17-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/3244-16-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/3244-18-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3244-19-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/3244-20-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/3244-21-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/3244-22-0x0000000005230000-0x00000000053FD000-memory.dmp

Filesize
1.8MB

Download
memory/3244-24-0x0000000005230000-0x00000000053FD000-memory.dmp

Filesize
1.8MB

Download
memory/3244-25-0x0000000005230000-0x00000000053FD000-memory.dmp

Filesize
1.8MB

Download
memory/3244-29-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-32-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-33-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-35-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-34-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-38-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-40-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-42-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-43-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/3244-45-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-47-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-50-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-52-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-54-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-56-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-59-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-58-0x0000000005230000-0x00000000053FD000-memory.dmp

Filesize
1.8MB

Download
memory/3244-61-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-63-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-66-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-69-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-71-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-73-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-76-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-74-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/3244-78-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-80-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-82-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-83-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/3244-84-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/3244-85-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/3244-88-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-89-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3244-121-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/3244-122-0x0000000005230000-0x00000000053FD000-memory.dmp

Filesize
1.8MB

Download
memory/3244-123-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download