Analysis

max time kernel: 148s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10/04/2024, 12:08

Static task: static1
Behavioral task: behavioral1
Sample: 7cc1ba586fee26473559976f3f42c89ad62c43872e65341c156aa1d5f9af811c.exe
Resource: win7-20240221-en
General

Target: 7cc1ba586fee26473559976f3f42c89ad62c43872e65341c156aa1d5f9af811c.exe
Size: 2.5MB
MD5: 8c2274264b2797e30d44411bbd36f942
SHA1: 31b37127440193b9c8ecabedc214ef51a41b833c
SHA256: 7cc1ba586fee26473559976f3f42c89ad62c43872e65341c156aa1d5f9af811c
SHA512: 376c4e25c9edd8984c7eb6585e2ac7aa6a73b4ab9927f6a65c13431bef5c6a956d11ebdc9e6e9c668ad0bf7352679f38a8c68250c82058d9f75c0d9ac6118c61
SSDEEP: 49152:u9hzVlHgIJa177HiK+FcON6s90UoSE+yRiW/6A0d2pJ2j73+e:urLAW4HMz9+XyP2pEv
Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: 7cc1ba586fee26473559976f3f42c89ad62c43872e65341c156aa1d5f9af811c.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 7cc1ba586fee26473559976f3f42c89ad62c43872e65341c156aa1d5f9af811c.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 7cc1ba586fee26473559976f3f42c89ad62c43872e65341c156aa1d5f9af811c.exe)

Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine (process: 7cc1ba586fee26473559976f3f42c89ad62c43872e65341c156aa1d5f9af811c.exe)

Unexpected DNS network traffic destination (9 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  Destination IP: 103.27.108.197 (9 occurrences)

Checks whether UAC is enabled (1 IoC)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 7cc1ba586fee26473559976f3f42c89ad62c43872e65341c156aa1d5f9af811c.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 2984: 7cc1ba586fee26473559976f3f42c89ad62c43872e65341c156aa1d5f9af811c.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2984: 7cc1ba586fee26473559976f3f42c89ad62c43872e65341c156aa1d5f9af811c.exe
Processes

C:\Users\Admin\AppData\Local\Temp\7cc1ba586fee26473559976f3f42c89ad62c43872e65341c156aa1d5f9af811c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7cc1ba586fee26473559976f3f42c89ad62c43872e65341c156aa1d5f9af811c.exe"
  PID: 2984
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses