cd601f67c1725d57b8a4239378eef72baabd3f50b42967318c3864a2b0c51ecb

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

echo-F82C61-Nzg2Njg3-l=RtNp-f.exe
Size

15.9MB
MD5

fbb2df189ef881accd51591bd08e6049
SHA1

163fb496ff085356745a7db39513046311b9101b
SHA256

cd601f67c1725d57b8a4239378eef72baabd3f50b42967318c3864a2b0c51ecb
SHA512

2d2b9efdd47af0214ca4a7f9b92100dfb8a3c19f9179a860c53967fda39c99e8164dea9eafe43f9a09544dedd877ee2ad0e812eae214ed11abe475ec741748de
SSDEEP

196608:jCHz+d/TzVVzrkGwQ4vvuY6bX7jeYg+pyatKY8:2T+dzsGwPvDEX7jeYgPtY8

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	echo-F82C61-Nzg2Njg3-l=RtNp-f.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	echo-F82C61-Nzg2Njg3-l=RtNp-f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	echo-F82C61-Nzg2Njg3-l=RtNp-f.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	echo-F82C61-Nzg2Njg3-l=RtNp-f.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3400	echo-F82C61-Nzg2Njg3-l=RtNp-f.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3400	echo-F82C61-Nzg2Njg3-l=RtNp-f.exe
3400	echo-F82C61-Nzg2Njg3-l=RtNp-f.exe
3400	echo-F82C61-Nzg2Njg3-l=RtNp-f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3400	echo-F82C61-Nzg2Njg3-l=RtNp-f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3400	echo-F82C61-Nzg2Njg3-l=RtNp-f.exe

C:\Users\Admin\AppData\Local\Temp\echo-F82C61-Nzg2Njg3-l=RtNp-f.exe
"C:\Users\Admin\AppData\Local\Temp\echo-F82C61-Nzg2Njg3-l=RtNp-f.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3400-0-0x00007FF865FE0000-0x00007FF8662A9000-memory.dmp

Filesize
2.8MB

Download
memory/3400-1-0x00007FF865FE0000-0x00007FF8662A9000-memory.dmp

Filesize
2.8MB

Download
memory/3400-2-0x00007FF800000000-0x00007FF800002000-memory.dmp

Filesize
8KB

Download
memory/3400-3-0x00007FF865FE0000-0x00007FF8662A9000-memory.dmp

Filesize
2.8MB

Download
memory/3400-4-0x00007FF867C10000-0x00007FF867CCE000-memory.dmp

Filesize
760KB

Download
memory/3400-5-0x00007FF865FE0000-0x00007FF8662A9000-memory.dmp

Filesize
2.8MB

Download
memory/3400-6-0x00007FF800030000-0x00007FF800031000-memory.dmp

Filesize
4KB

Download
memory/3400-7-0x00007FF8682F0000-0x00007FF8684E5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-9-0x0000000180000000-0x0000000180008000-memory.dmp

Filesize
32KB

Download
memory/3400-15-0x00007FF800010000-0x00007FF800011000-memory.dmp

Filesize
4KB

Download
memory/3400-16-0x00007FF8668C0000-0x00007FF8668C1000-memory.dmp

Filesize
4KB

Download
memory/3400-17-0x00007FF865FE0000-0x00007FF8662A9000-memory.dmp

Filesize
2.8MB

Download
memory/3400-18-0x00007FF867C10000-0x00007FF867CCE000-memory.dmp

Filesize
760KB

Download
memory/3400-19-0x00007FF7C0A50000-0x00007FF7C2944000-memory.dmp

Filesize
31.0MB

Download
memory/3400-20-0x00007FF800000000-0x00007FF800002000-memory.dmp

Filesize
8KB

Download
memory/3400-22-0x00007FF8682F0000-0x00007FF8684E5000-memory.dmp

Filesize
2.0MB

Download