448e58ff51c6c611f5bc5785ca105f91783e1377d0ece9e9c7f9ea5e600a48da

General

Target

74ede59e4cfc7c330f8a48dd3c775fe3.exe
Size

3.3MB
MD5

74ede59e4cfc7c330f8a48dd3c775fe3
SHA1

ba99acdbf190aa7e39aa6074384439de0336d629
SHA256

448e58ff51c6c611f5bc5785ca105f91783e1377d0ece9e9c7f9ea5e600a48da
SHA512

f4ee80e8679a48e60f5dd3fd623f202b036b3e1c9fe4e0da6ad3bf71adb9b5bbc061c7ba88dfce342915bd2f5af17583a625e353a2ddcb608590a217bb84950e
SSDEEP

98304:HILlpufGXeNgKbVm4YO54XeoHv7/MiRek0Xa:HILMGXeNNVJYOg1RB

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

74ede59e4cfc7c330f8a48dd3c775fe3.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 74ede59e4cfc7c330f8a48dd3c775fe3.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

74ede59e4cfc7c330f8a48dd3c775fe3.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Wine 74ede59e4cfc7c330f8a48dd3c775fe3.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

74ede59e4cfc7c330f8a48dd3c775fe3.exe

pid process

3032 74ede59e4cfc7c330f8a48dd3c775fe3.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

74ede59e4cfc7c330f8a48dd3c775fe3.exe

pid process

3032 74ede59e4cfc7c330f8a48dd3c775fe3.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

74ede59e4cfc7c330f8a48dd3c775fe3.exe

pid process

3032 74ede59e4cfc7c330f8a48dd3c775fe3.exe
3032 74ede59e4cfc7c330f8a48dd3c775fe3.exe
3032 74ede59e4cfc7c330f8a48dd3c775fe3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	74ede59e4cfc7c330f8a48dd3c775fe3.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Wine	74ede59e4cfc7c330f8a48dd3c775fe3.exe

pid	process
3032	74ede59e4cfc7c330f8a48dd3c775fe3.exe

pid	process
3032	74ede59e4cfc7c330f8a48dd3c775fe3.exe

pid	process
3032	74ede59e4cfc7c330f8a48dd3c775fe3.exe
3032	74ede59e4cfc7c330f8a48dd3c775fe3.exe
3032	74ede59e4cfc7c330f8a48dd3c775fe3.exe

C:\Users\Admin\AppData\Local\Temp\74ede59e4cfc7c330f8a48dd3c775fe3.exe
"C:\Users\Admin\AppData\Local\Temp\74ede59e4cfc7c330f8a48dd3c775fe3.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3032

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3032-0-0x0000000000400000-0x0000000000ACD000-memory.dmp

Filesize
6.8MB

Download
memory/3032-1-0x0000000076F80000-0x0000000076F82000-memory.dmp

Filesize
8KB

Download
memory/3032-22-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/3032-21-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/3032-23-0x00000000045E0000-0x00000000045E1000-memory.dmp

Filesize
4KB

Download
memory/3032-20-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/3032-19-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/3032-18-0x00000000045A0000-0x00000000045A1000-memory.dmp

Filesize
4KB

Download
memory/3032-17-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/3032-16-0x00000000045D0000-0x00000000045D1000-memory.dmp

Filesize
4KB

Download
memory/3032-15-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/3032-14-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/3032-13-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/3032-12-0x0000000004520000-0x0000000004521000-memory.dmp

Filesize
4KB

Download
memory/3032-11-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/3032-10-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/3032-9-0x00000000044F0000-0x00000000044F2000-memory.dmp

Filesize
8KB

Download
memory/3032-8-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download
memory/3032-7-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/3032-6-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/3032-5-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download
memory/3032-4-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/3032-3-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/3032-2-0x0000000000400000-0x0000000000ACD000-memory.dmp

Filesize
6.8MB

Download
memory/3032-24-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/3032-25-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3032-27-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/3032-26-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/3032-28-0x0000000000400000-0x0000000000ACD000-memory.dmp

Filesize
6.8MB

Download
memory/3032-29-0x0000000000400000-0x0000000000ACD000-memory.dmp

Filesize
6.8MB

Download
memory/3032-30-0x0000000000400000-0x0000000000ACD000-memory.dmp

Filesize
6.8MB

Download
memory/3032-31-0x0000000000400000-0x0000000000ACD000-memory.dmp

Filesize
6.8MB

Download
memory/3032-32-0x0000000000400000-0x0000000000ACD000-memory.dmp

Filesize
6.8MB

Download
memory/3032-33-0x0000000000400000-0x0000000000ACD000-memory.dmp

Filesize
6.8MB

Download
memory/3032-34-0x0000000000400000-0x0000000000ACD000-memory.dmp

Filesize
6.8MB

Download
memory/3032-35-0x0000000000400000-0x0000000000ACD000-memory.dmp

Filesize
6.8MB

Download
memory/3032-36-0x0000000000400000-0x0000000000ACD000-memory.dmp

Filesize
6.8MB

Download
memory/3032-37-0x0000000000400000-0x0000000000ACD000-memory.dmp

Filesize
6.8MB

Download
memory/3032-38-0x0000000000400000-0x0000000000ACD000-memory.dmp

Filesize
6.8MB

Download
memory/3032-39-0x0000000000400000-0x0000000000ACD000-memory.dmp

Filesize
6.8MB

Download
memory/3032-40-0x0000000000400000-0x0000000000ACD000-memory.dmp

Filesize
6.8MB

Download
memory/3032-41-0x0000000000400000-0x0000000000ACD000-memory.dmp

Filesize
6.8MB

Download
memory/3032-42-0x0000000000400000-0x0000000000ACD000-memory.dmp

Filesize
6.8MB

Download

Analysis

Sharing