00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9

Resubmissions

06/08/2024, 01:35

240806-bzplyayhpd 9

03/04/2024, 06:21

240403-g4fgqaaf33 9

Analysis

max time kernel
147s
max time network
141s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
03/04/2024, 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
Size

8.9MB
MD5

63267d8b3821c488964c7f5dc21ce5f4
SHA1

82aceae9a96708e33d3273412ed9d2f1a6581576
SHA256

00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9
SHA512

75749f274172d15337637c0273576cf0317d713a614baaebbca286fb408f6e28efc3001972dff84b112495169c90279b00f8cf2682345e7ca544a2a09ecf5035
SSDEEP

196608:KhUC3fTTEi1xkEqX2PM+PX4SQV6jyi+S7l9I6SI78Bjn5:KhUs/EJS/jkPI4

Score

9^/10

aspackv2 evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00330000000150d9-23.dat	aspack_v212_v242

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

Executes dropped EXE 1 IoCs

pid	Process
3008	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

Loads dropped DLL 4 IoCs

pid	Process
1636	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
2968	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
2968	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
3008	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3008	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3008	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2968	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
2968	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
2968	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2968	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
2968	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
2968	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1636	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
2968	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
2968	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
3008	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe
3008	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe
3008	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe
3008	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2968	1636	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe	28
PID 1636 wrote to memory of 2968	1636	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe	28
PID 1636 wrote to memory of 2968	1636	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe	28
PID 1636 wrote to memory of 2968	1636	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe	28
PID 2968 wrote to memory of 3008	2968	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe	29
PID 2968 wrote to memory of 3008	2968	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe	29
PID 2968 wrote to memory of 3008	2968	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe	29
PID 2968 wrote to memory of 3008	2968	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe	29

C:\Users\Admin\AppData\Local\Temp\00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
"C:\Users\Admin\AppData\Local\Temp\00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
  C:\Users\Admin\AppData\Local\Temp\00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe -a -d
  2⤵
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe
    "C:\Users\Admin\AppData\Local\Temp\00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

Filesize
5.3MB

MD5
9531abc210972973d25f5a08e3166389

SHA1
43e54f65eaf479fe2b4241531d00bf326b9393f3

SHA256
1f4509f7187154e580e2c89a782dc257933f9436bac4ff28cb7db90af9973946

SHA512
aa48c61c248d651b3a0c71464e27b659861bceecfe513a5111d7dcf221bd840cd6c72478d75be7baaafdde2f6a990470460b0fe79aecc808939062ef9698acd2

Download Submit
\Users\Admin\AppData\Local\Temp\cyyundun.dll

Filesize
332KB

MD5
8722259b998800a37c3991c58ce64f96

SHA1
d370272422272eaf9aca8bc17ba9bcba1b83df70

SHA256
b115d63bee020042256019ee14fa0570483180e29c4deb7ed5b8fab522b05244

SHA512
867872e22769ecdba19daca70d6ef2bbb9e310abd90ddd1c3ff5b9a3375ef11488f1f7ac021c579ab58b7e8125c8bada584a1e96bb15fcee5837307cb64a6857

Download Submit
\Users\Admin\AppData\Local\Temp\wincvtp.dll

Filesize
53KB

MD5
0eed4533257c57e70dfb96753e2d7afa

SHA1
b876936f10597e2f1b15a0af35da644076030376

SHA256
94fe80ee719e02e036902cc661b2ba07172de611afc3a2b8da45f1ec87bfde46

SHA512
66644a6bb211a7e3999c5ffe5301ded2e5b5f29ef1be098d3d38719758fd4f3b49fdc76623381e3d14619bf66afba65ce36ad20e299a1f63b8cdd79eee306445

Download Submit
memory/1636-4-0x0000000074B30000-0x0000000074B97000-memory.dmp

Filesize
412KB

Download
memory/1636-5-0x0000000074B30000-0x0000000074B97000-memory.dmp

Filesize
412KB

Download
memory/2968-12-0x0000000074B30000-0x0000000074B97000-memory.dmp

Filesize
412KB

Download
memory/2968-18-0x0000000004B00000-0x000000000574C000-memory.dmp

Filesize
12.3MB

Download
memory/2968-55-0x0000000074B30000-0x0000000074B97000-memory.dmp

Filesize
412KB

Download
memory/2968-56-0x0000000004B00000-0x000000000574C000-memory.dmp

Filesize
12.3MB

Download
memory/3008-19-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/3008-20-0x0000000077910000-0x0000000077912000-memory.dmp

Filesize
8KB

Download
memory/3008-27-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/3008-32-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/3008-48-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/3008-53-0x0000000077910000-0x0000000077911000-memory.dmp

Filesize
4KB

Download
memory/3008-52-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3008-51-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/3008-50-0x00000000746C0000-0x00000000746DA000-memory.dmp

Filesize
104KB

Download
memory/3008-49-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/3008-47-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/3008-46-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/3008-45-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/3008-44-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/3008-43-0x0000000004F40000-0x0000000004F42000-memory.dmp

Filesize
8KB

Download
memory/3008-42-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/3008-41-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/3008-40-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/3008-39-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/3008-38-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/3008-37-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/3008-36-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3008-35-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/3008-34-0x0000000004AB0000-0x0000000004AB2000-memory.dmp

Filesize
8KB

Download
memory/3008-33-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/3008-31-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/3008-29-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/3008-28-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/3008-26-0x00000000746C0000-0x00000000746DA000-memory.dmp

Filesize
104KB

Download
memory/3008-57-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/3008-58-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/3008-59-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/3008-60-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/3008-61-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/3008-62-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/3008-64-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/3008-65-0x00000000746C0000-0x00000000746DA000-memory.dmp

Filesize
104KB

Download
memory/3008-69-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/3008-70-0x00000000746C0000-0x00000000746DA000-memory.dmp

Filesize
104KB

Download
memory/3008-73-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/3008-74-0x00000000746C0000-0x00000000746DA000-memory.dmp

Filesize
104KB

Download
memory/3008-78-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/3008-82-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/3008-87-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/3008-120-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/3008-121-0x00000000746C0000-0x00000000746DA000-memory.dmp

Filesize
104KB

Download
memory/3008-122-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/3008-123-0x00000000746C0000-0x00000000746DA000-memory.dmp

Filesize
104KB

Download
memory/3008-124-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/3008-126-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/3008-128-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/3008-130-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/3008-132-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/3008-133-0x00000000746C0000-0x00000000746DA000-memory.dmp

Filesize
104KB

Download
memory/3008-134-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/3008-135-0x00000000746C0000-0x00000000746DA000-memory.dmp

Filesize
104KB

Download