89a5f8d107ccd6e4f33c46d8f2537ecef2d40ce7ced886abe612d987e083230b

Analysis

max time kernel
290s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89a5f8d107ccd6e4f33c46d8f2537ecef2d40ce7ced886abe612d987e083230b.exe
Size

2.3MB
MD5

6df079b2ef158596cb5df9d964a69561
SHA1

9a9e9100eae04e840f1cc260b525291d5939459f
SHA256

89a5f8d107ccd6e4f33c46d8f2537ecef2d40ce7ced886abe612d987e083230b
SHA512

0ab0629726db0432d965c4736fc96ef5f4b84e24478f0917095091aabaee904afadc4d229ecc256857bdddc5609d6044ead147b02513ed35571a54c1a1c2c874
SSDEEP

49152:/g69SebPPiKgYy0b7gTXNunBngXI+dM7zjUfaZ542Inh8RGdbCME6Om:/g69SebiUSKBngXInjU+TYGQdb7Om

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

89a5f8d107ccd6e4f33c46d8f2537ecef2d40ce7ced886abe612d987e083230b.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 89a5f8d107ccd6e4f33c46d8f2537ecef2d40ce7ced886abe612d987e083230b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	89a5f8d107ccd6e4f33c46d8f2537ecef2d40ce7ced886abe612d987e083230b.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

89a5f8d107ccd6e4f33c46d8f2537ecef2d40ce7ced886abe612d987e083230b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	89a5f8d107ccd6e4f33c46d8f2537ecef2d40ce7ced886abe612d987e083230b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	89a5f8d107ccd6e4f33c46d8f2537ecef2d40ce7ced886abe612d987e083230b.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

89a5f8d107ccd6e4f33c46d8f2537ecef2d40ce7ced886abe612d987e083230b.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine	89a5f8d107ccd6e4f33c46d8f2537ecef2d40ce7ced886abe612d987e083230b.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

89a5f8d107ccd6e4f33c46d8f2537ecef2d40ce7ced886abe612d987e083230b.exe

pid process

2176 89a5f8d107ccd6e4f33c46d8f2537ecef2d40ce7ced886abe612d987e083230b.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

89a5f8d107ccd6e4f33c46d8f2537ecef2d40ce7ced886abe612d987e083230b.exe

pid process

2176 89a5f8d107ccd6e4f33c46d8f2537ecef2d40ce7ced886abe612d987e083230b.exe

pid	process
2176	89a5f8d107ccd6e4f33c46d8f2537ecef2d40ce7ced886abe612d987e083230b.exe

pid	process
2176	89a5f8d107ccd6e4f33c46d8f2537ecef2d40ce7ced886abe612d987e083230b.exe

C:\Users\Admin\AppData\Local\Temp\89a5f8d107ccd6e4f33c46d8f2537ecef2d40ce7ced886abe612d987e083230b.exe
"C:\Users\Admin\AppData\Local\Temp\89a5f8d107ccd6e4f33c46d8f2537ecef2d40ce7ced886abe612d987e083230b.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2176-0-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-1-0x00000000773D0000-0x00000000773D2000-memory.dmp

Filesize
8KB

Download
memory/2176-3-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/2176-2-0x0000000001080000-0x0000000001082000-memory.dmp

Filesize
8KB

Download
memory/2176-4-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/2176-5-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/2176-7-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/2176-6-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/2176-9-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/2176-8-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/2176-10-0x0000000001310000-0x0000000001311000-memory.dmp

Filesize
4KB

Download
memory/2176-11-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/2176-12-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/2176-13-0x0000000000420000-0x0000000000422000-memory.dmp

Filesize
8KB

Download
memory/2176-14-0x0000000002D60000-0x0000000002D62000-memory.dmp

Filesize
8KB

Download
memory/2176-15-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-16-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-17-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-18-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-19-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-20-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-21-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-22-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-23-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-24-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-25-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-26-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-27-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-28-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-29-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-30-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-31-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-32-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-33-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-34-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-35-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-36-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-37-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-38-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-39-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-40-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-41-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-42-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-43-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download
memory/2176-44-0x0000000001350000-0x0000000001920000-memory.dmp

Filesize
5.8MB

Download