00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9

Resubmissions

06/08/2024, 01:35

240806-bzplyayhpd 9

03/04/2024, 06:21

240403-g4fgqaaf33 9

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2024, 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
Size

8.9MB
MD5

63267d8b3821c488964c7f5dc21ce5f4
SHA1

82aceae9a96708e33d3273412ed9d2f1a6581576
SHA256

00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9
SHA512

75749f274172d15337637c0273576cf0317d713a614baaebbca286fb408f6e28efc3001972dff84b112495169c90279b00f8cf2682345e7ca544a2a09ecf5035
SSDEEP

196608:KhUC3fTTEi1xkEqX2PM+PX4SQV6jyi+S7l9I6SI78Bjn5:KhUs/EJS/jkPI4

Score

9^/10

aspackv2 evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00020000000228bc-25.dat	aspack_v212_v242

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

Executes dropped EXE 1 IoCs

pid	Process
4112	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

Loads dropped DLL 3 IoCs

pid	Process
2256	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
628	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
4112	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4112	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4112	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe
4112	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4112	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
628	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
628	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
628	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
628	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
628	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
628	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2256	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
628	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
628	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
4112	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe
4112	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe
4112	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe
4112	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 628	2256	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe	87
PID 2256 wrote to memory of 628	2256	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe	87
PID 2256 wrote to memory of 628	2256	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe	87
PID 628 wrote to memory of 4112	628	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe	88
PID 628 wrote to memory of 4112	628	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe	88
PID 628 wrote to memory of 4112	628	00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe	88

C:\Users\Admin\AppData\Local\Temp\00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
"C:\Users\Admin\AppData\Local\Temp\00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe
  C:\Users\Admin\AppData\Local\Temp\00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9.exe -a -d
  2⤵
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe
    "C:\Users\Admin\AppData\Local\Temp\00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00cac13d1158f31b58f2e348dc9829c2549674049bc2a421c2a0cfe772ae35c9_app.exe

Filesize
5.3MB

MD5
9531abc210972973d25f5a08e3166389

SHA1
43e54f65eaf479fe2b4241531d00bf326b9393f3

SHA256
1f4509f7187154e580e2c89a782dc257933f9436bac4ff28cb7db90af9973946

SHA512
aa48c61c248d651b3a0c71464e27b659861bceecfe513a5111d7dcf221bd840cd6c72478d75be7baaafdde2f6a990470460b0fe79aecc808939062ef9698acd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyyundun.dll

Filesize
332KB

MD5
8722259b998800a37c3991c58ce64f96

SHA1
d370272422272eaf9aca8bc17ba9bcba1b83df70

SHA256
b115d63bee020042256019ee14fa0570483180e29c4deb7ed5b8fab522b05244

SHA512
867872e22769ecdba19daca70d6ef2bbb9e310abd90ddd1c3ff5b9a3375ef11488f1f7ac021c579ab58b7e8125c8bada584a1e96bb15fcee5837307cb64a6857

Download Submit
C:\Users\Admin\AppData\Local\Temp\wincvtp.dll

Filesize
53KB

MD5
0eed4533257c57e70dfb96753e2d7afa

SHA1
b876936f10597e2f1b15a0af35da644076030376

SHA256
94fe80ee719e02e036902cc661b2ba07172de611afc3a2b8da45f1ec87bfde46

SHA512
66644a6bb211a7e3999c5ffe5301ded2e5b5f29ef1be098d3d38719758fd4f3b49fdc76623381e3d14619bf66afba65ce36ad20e299a1f63b8cdd79eee306445

Download Submit
memory/628-13-0x0000000073CA0000-0x0000000073D07000-memory.dmp

Filesize
412KB

Download
memory/628-56-0x0000000073CA0000-0x0000000073D07000-memory.dmp

Filesize
412KB

Download
memory/2256-5-0x0000000074270000-0x00000000742D7000-memory.dmp

Filesize
412KB

Download
memory/2256-6-0x0000000074270000-0x00000000742D7000-memory.dmp

Filesize
412KB

Download
memory/4112-18-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/4112-19-0x0000000077174000-0x0000000077176000-memory.dmp

Filesize
8KB

Download
memory/4112-26-0x0000000073160000-0x000000007317A000-memory.dmp

Filesize
104KB

Download
memory/4112-28-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/4112-30-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/4112-29-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/4112-31-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/4112-32-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/4112-33-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/4112-34-0x0000000005180000-0x0000000005182000-memory.dmp

Filesize
8KB

Download
memory/4112-35-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/4112-39-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/4112-38-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/4112-37-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/4112-36-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/4112-42-0x00000000054A0000-0x00000000054A2000-memory.dmp

Filesize
8KB

Download
memory/4112-40-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/4112-41-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/4112-43-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/4112-44-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/4112-45-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/4112-46-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/4112-47-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/4112-48-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/4112-49-0x0000000077174000-0x0000000077175000-memory.dmp

Filesize
4KB

Download
memory/4112-50-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/4112-51-0x0000000073160000-0x000000007317A000-memory.dmp

Filesize
104KB

Download
memory/4112-52-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/4112-53-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/4112-54-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/4112-55-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/4112-57-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/4112-58-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/4112-59-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/4112-60-0x0000000073160000-0x000000007317A000-memory.dmp

Filesize
104KB

Download
memory/4112-61-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/4112-62-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/4112-64-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/4112-65-0x0000000073160000-0x000000007317A000-memory.dmp

Filesize
104KB

Download
memory/4112-66-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/4112-79-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/4112-80-0x0000000073160000-0x000000007317A000-memory.dmp

Filesize
104KB

Download
memory/4112-81-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/4112-83-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/4112-85-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/4112-87-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/4112-89-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/4112-91-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/4112-93-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/4112-95-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/4112-96-0x0000000073160000-0x000000007317A000-memory.dmp

Filesize
104KB

Download
memory/4112-97-0x0000000000400000-0x000000000104C000-memory.dmp

Filesize
12.3MB

Download
memory/4112-98-0x0000000073160000-0x000000007317A000-memory.dmp

Filesize
104KB

Download