a0c64dde9d8dc7ad5361842d2e9728b2356e6f85f0b43a5291cbd9690c896480

Analysis

max time kernel
22s
max time network
16s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/04/2024, 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bloodytb_v1.exe
Size

1.6MB
MD5

e10adac7fcc184081a512ccb6ee3ddf0
SHA1

7339ec9a77a71b68c45dd688723af88cbdf2cf4e
SHA256

a0c64dde9d8dc7ad5361842d2e9728b2356e6f85f0b43a5291cbd9690c896480
SHA512

6d6fc45554aafffce22c9fc50ffaebb8b9b5911297ff90814d3038176921ad03e82a8555c3206b4dd43d39b868acb988b5a0eb6c47a36a097189ae1860f5252f
SSDEEP

49152:ZujTLzypvzYQTI8X+kcLp0BI+FxOiEHlC:oj/z6v508uJp0BLbOf4

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bloodytb_v1.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bloodytb_v1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bloodytb_v1.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	bloodytb_v1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2128	bloodytb_v1.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2128	bloodytb_v1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2128	bloodytb_v1.exe

C:\Users\Admin\AppData\Local\Temp\bloodytb_v1.exe
"C:\Users\Admin\AppData\Local\Temp\bloodytb_v1.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2128-0-0x0000000001310000-0x00000000016A0000-memory.dmp

Filesize
3.6MB

Download
memory/2128-1-0x00000000777F0000-0x00000000777F2000-memory.dmp

Filesize
8KB

Download
memory/2128-2-0x00000000768B0000-0x00000000769A0000-memory.dmp

Filesize
960KB

Download
memory/2128-3-0x0000000075550000-0x000000007561C000-memory.dmp

Filesize
816KB

Download
memory/2128-4-0x00000000750D0000-0x00000000750D9000-memory.dmp

Filesize
36KB

Download
memory/2128-5-0x0000000074EE0000-0x0000000074F2A000-memory.dmp

Filesize
296KB

Download
memory/2128-6-0x0000000001310000-0x00000000016A0000-memory.dmp

Filesize
3.6MB

Download
memory/2128-8-0x0000000001310000-0x00000000016A0000-memory.dmp

Filesize
3.6MB

Download
memory/2128-7-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-9-0x00000000745F0000-0x0000000074670000-memory.dmp

Filesize
512KB

Download
memory/2128-12-0x0000000074270000-0x0000000074287000-memory.dmp

Filesize
92KB

Download
memory/2128-11-0x00000000076A0000-0x00000000076E0000-memory.dmp

Filesize
256KB

Download
memory/2128-10-0x0000000074290000-0x000000007429B000-memory.dmp

Filesize
44KB

Download
memory/2128-13-0x0000000073EC0000-0x0000000073ED3000-memory.dmp

Filesize
76KB

Download
memory/2128-14-0x0000000073C20000-0x0000000073C96000-memory.dmp

Filesize
472KB

Download
memory/2128-16-0x00000000076A0000-0x00000000076E0000-memory.dmp

Filesize
256KB

Download
memory/2128-15-0x00000000076A0000-0x00000000076E0000-memory.dmp

Filesize
256KB

Download
memory/2128-17-0x0000000001310000-0x00000000016A0000-memory.dmp

Filesize
3.6MB

Download
memory/2128-18-0x0000000077120000-0x00000000771A3000-memory.dmp

Filesize
524KB

Download
memory/2128-19-0x0000000075550000-0x000000007561C000-memory.dmp

Filesize
816KB

Download
memory/2128-20-0x0000000073EB0000-0x0000000073EBE000-memory.dmp

Filesize
56KB

Download
memory/2128-21-0x00000000768B0000-0x00000000769A0000-memory.dmp

Filesize
960KB

Download
memory/2128-22-0x0000000074EE0000-0x0000000074F2A000-memory.dmp

Filesize
296KB

Download
memory/2128-23-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-24-0x00000000701B0000-0x000000007020F000-memory.dmp

Filesize
380KB

Download
memory/2128-25-0x0000000076F30000-0x00000000770CD000-memory.dmp

Filesize
1.6MB

Download
memory/2128-27-0x00000000745F0000-0x0000000074670000-memory.dmp

Filesize
512KB

Download
memory/2128-28-0x00000000076A0000-0x00000000076E0000-memory.dmp

Filesize
256KB

Download
memory/2128-29-0x0000000073C20000-0x0000000073C96000-memory.dmp

Filesize
472KB

Download
memory/2128-30-0x00000000076A0000-0x00000000076E0000-memory.dmp

Filesize
256KB

Download
memory/2128-31-0x00000000076A0000-0x00000000076E0000-memory.dmp

Filesize
256KB

Download
memory/2128-34-0x0000000001310000-0x00000000016A0000-memory.dmp

Filesize
3.6MB

Download
memory/2128-35-0x00000000768B0000-0x00000000769A0000-memory.dmp

Filesize
960KB

Download
memory/2128-37-0x00000000750D0000-0x00000000750D9000-memory.dmp

Filesize
36KB

Download
memory/2128-36-0x0000000074EE0000-0x0000000074F2A000-memory.dmp

Filesize
296KB

Download
memory/2128-38-0x0000000075550000-0x000000007561C000-memory.dmp

Filesize
816KB

Download
memory/2128-40-0x0000000076F30000-0x00000000770CD000-memory.dmp

Filesize
1.6MB

Download
memory/2128-47-0x00000000701B0000-0x000000007020F000-memory.dmp

Filesize
380KB

Download
memory/2128-46-0x0000000073EB0000-0x0000000073EBE000-memory.dmp

Filesize
56KB

Download
memory/2128-45-0x0000000073C20000-0x0000000073C96000-memory.dmp

Filesize
472KB

Download
memory/2128-44-0x0000000077120000-0x00000000771A3000-memory.dmp

Filesize
524KB

Download
memory/2128-43-0x0000000073EC0000-0x0000000073ED3000-memory.dmp

Filesize
76KB

Download
memory/2128-42-0x0000000074270000-0x0000000074287000-memory.dmp

Filesize
92KB

Download
memory/2128-41-0x0000000074290000-0x000000007429B000-memory.dmp

Filesize
44KB

Download
memory/2128-39-0x00000000745F0000-0x0000000074670000-memory.dmp

Filesize
512KB

Download
memory/2128-48-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download