Overview

overview

9

Static

static

3

etabs_v21_kg.exe

windows7-x64

9

etabs_v21_kg.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    61s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    19-02-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    etabs_v21_kg.exe

  • Size

    2.6MB

  • MD5

    6cf5ac6015952655a02c5ed140e8000d

  • SHA1

    ed410bf9c04b337d1e326a0bdb6631790ab6429c

  • SHA256

    5c56c83e12a350356d2604c2f41b0a0f6ae36d7f5c118e0cd65258604a6dc922

  • SHA512

    fc10b16717e4240420f070e26732f829bc0b95a69be5838aeaeae6be38742b4b2d361271e631fb5c9d978a7d2f2e98668ef1cffe37a647d9e300264175f6af70

  • SSDEEP

    49152:85OiwBSGFvc0kjG9QkvUHv6Raut/Ye1x57Xe2SQwL:/iwBO0spz6RBVY+x5LeRQ

Score
9/10
evasiontrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\etabs_v21_kg.exe
    "C:\Users\Admin\AppData\Local\Temp\etabs_v21_kg.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:1660

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1660-0-0x0000000000AD0000-0x000000000116F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1660-1-0x00000000776C0000-0x00000000776C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1660-2-0x0000000000AD0000-0x000000000116F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1660-3-0x0000000000AD0000-0x000000000116F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1660-4-0x0000000000AD0000-0x000000000116F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1660-5-0x0000000000AD0000-0x000000000116F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1660-6-0x0000000000AD0000-0x000000000116F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1660-7-0x0000000000AD0000-0x000000000116F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1660-8-0x0000000000AD0000-0x000000000116F000-memory.dmp

    Filesize

    6.6MB

    Download