aa8764c82ac6963672dfd4f3c25bf248108f435eb5d464ad2902000546a765be

General

Target

74f42b1bc557572f11e9a450c0a0a232.exe
Size

3.6MB
MD5

74f42b1bc557572f11e9a450c0a0a232
SHA1

33190f5cd1b03c6439b6bc8289b054c85ffdc0ef
SHA256

aa8764c82ac6963672dfd4f3c25bf248108f435eb5d464ad2902000546a765be
SHA512

99eea1b9bcb448131f8d17bb67a4967583adc4fbfc8c532fd688ad29d3798094472996e117f1aeba3090c11da41a3ddf43513c4da38c15b573c3cbe6a7f75f16
SSDEEP

98304:gt03hK/8jmL4pXPIPc1WY6I+e1nutwE/5Ql21T6:1K/0mMlHZ+e1b/U6

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

74f42b1bc557572f11e9a450c0a0a232.exeWinDef.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	74f42b1bc557572f11e9a450c0a0a232.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WinDef.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

74f42b1bc557572f11e9a450c0a0a232.exeWinDef.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	74f42b1bc557572f11e9a450c0a0a232.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WinDef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WinDef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	74f42b1bc557572f11e9a450c0a0a232.exe

Drops startup file 1 IoCs

Processes:

74f42b1bc557572f11e9a450c0a0a232.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinDef.lnk	74f42b1bc557572f11e9a450c0a0a232.exe

Executes dropped EXE 1 IoCs

Processes:

WinDef.exe

pid process

2812 WinDef.exe

pid	process
2812	WinDef.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

74f42b1bc557572f11e9a450c0a0a232.exeWinDef.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Wine	74f42b1bc557572f11e9a450c0a0a232.exe
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Wine	WinDef.exe

Loads dropped DLL 2 IoCs

Processes:

74f42b1bc557572f11e9a450c0a0a232.exe

pid process

2324 74f42b1bc557572f11e9a450c0a0a232.exe
2324 74f42b1bc557572f11e9a450c0a0a232.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

74f42b1bc557572f11e9a450c0a0a232.exeWinDef.exe

pid process

2324 74f42b1bc557572f11e9a450c0a0a232.exe
2812 WinDef.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WinDef.exe

pid process

2812 WinDef.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

74f42b1bc557572f11e9a450c0a0a232.exeWinDef.exe

pid process

2324 74f42b1bc557572f11e9a450c0a0a232.exe
2812 WinDef.exe

pid	process
2324	74f42b1bc557572f11e9a450c0a0a232.exe
2324	74f42b1bc557572f11e9a450c0a0a232.exe

pid	process
2324	74f42b1bc557572f11e9a450c0a0a232.exe
2812	WinDef.exe

pid	process
2812	WinDef.exe

pid	process
2324	74f42b1bc557572f11e9a450c0a0a232.exe
2812	WinDef.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

74f42b1bc557572f11e9a450c0a0a232.exe

description	pid	process	target process
PID 2324 wrote to memory of 2812	2324	74f42b1bc557572f11e9a450c0a0a232.exe	WinDef.exe
PID 2324 wrote to memory of 2812	2324	74f42b1bc557572f11e9a450c0a0a232.exe	WinDef.exe
PID 2324 wrote to memory of 2812	2324	74f42b1bc557572f11e9a450c0a0a232.exe	WinDef.exe
PID 2324 wrote to memory of 2812	2324	74f42b1bc557572f11e9a450c0a0a232.exe	WinDef.exe

C:\Users\Admin\AppData\Local\Temp\74f42b1bc557572f11e9a450c0a0a232.exe
"C:\Users\Admin\AppData\Local\Temp\74f42b1bc557572f11e9a450c0a0a232.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Roaming\Windows Def\WinDef.exe
"C:\Users\Admin\AppData\Roaming\Windows Def\WinDef.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:2812

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows Def\WinDef.exe
Filesize
854KB

MD5
bc841e21558793a31c7ab9cb72a9bdd6

SHA1
4dc73837115154a24a23c550ecefc2cdbc0859d0

SHA256
058575125fc65957e04e3611b93fdace13e62dbbbfdfa6d24e66efffe7f696d0

SHA512
5cad944aa75cf255f527676cca8d1389f987aab0114f7bee3b9d0ba05b7d8187115360234fa1c86e9775fd8f52dd58b129a22ff100ad6bd16f7666be61f20e7e

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Def\WinDef.exe
Filesize
683KB

MD5
f5b9f04bbbcdfec646e26aef7720e42c

SHA1
c03bce60d999aaaa72ecf75bb67c250722487562

SHA256
22302f3aaa3e553cd1190f26271b1a2b921faa74269f54a537cba0ce68c4265c

SHA512
f021c1de53684eb9611f53cb6b570182f9b91ea2d35dabe2a7642019853d99926032d3d488e42380fa1496b9aed6f012db65d79bfa7d93b9c08d554f63746748

Download Submit
\Users\Admin\AppData\Roaming\Windows Def\WinDef.exe
Filesize
2.3MB

MD5
c956e4cf3c100e0826c4c90801cb3e08

SHA1
2a3e50d46cb9e6ad7916de6593b11047e5daac10

SHA256
f4ad144fe3debacf4a09d120697facd4e41b081b1923ad5c006740c9731a8529

SHA512
e0adb331b61c43fb00fb7c92f05169afd1f5b39ae2a830ee11eb6d9aed2cae047dcefed644df6fb53b5b62ff12b37dc35adc5c379261c0c83b50c3c4b578fb1a

Download Submit
\Users\Admin\AppData\Roaming\Windows Def\WinDef.exe
Filesize
489KB

MD5
a5a09a7891e2a6b51453c3d5ae0938fe

SHA1
f7c36f9a9a1a85f6fe3bd5f0325ff76c9389265b

SHA256
59b57eb413abddccbedb27bbf11735d3e1c4767a110af4755a7c6ae78937c643

SHA512
5a617129c54767bfecc8bc8300956dd55c21baf4703d88081f26447bba6ebff671c5d6b029b9c53bb7b75f2175c1cba7f5e615603724fc3606fd45721b2db0fa

Download Submit
memory/2324-7-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2324-3-0x00000000002D0000-0x0000000000B1F000-memory.dmp

Filesize
8.3MB

Download
memory/2324-8-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/2324-0-0x00000000002D0000-0x0000000000B1F000-memory.dmp

Filesize
8.3MB

Download
memory/2324-6-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/2324-5-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2324-4-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2324-11-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2324-16-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/2324-21-0x00000000002D0000-0x0000000000B1F000-memory.dmp

Filesize
8.3MB

Download
memory/2324-10-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2324-22-0x0000000003840000-0x000000000408F000-memory.dmp

Filesize
8.3MB

Download
memory/2324-1-0x0000000077480000-0x0000000077482000-memory.dmp

Filesize
8KB

Download
memory/2324-9-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/2812-32-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/2812-24-0x0000000000FD0000-0x000000000181F000-memory.dmp

Filesize
8.3MB

Download
memory/2812-28-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/2812-35-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2812-34-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2812-33-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2812-23-0x0000000000FD0000-0x000000000181F000-memory.dmp

Filesize
8.3MB

Download
memory/2812-31-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2812-30-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2812-29-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/2812-27-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2812-26-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2812-25-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads