adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7

Analysis

max time kernel
291s
max time network
297s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29/04/2024, 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7.exe
Size

2.3MB
MD5

eddf1bea720131435cfb67c0b51622c8
SHA1

03fde14e7a9d60c26c4a575d9d29b4d5440215a2
SHA256

adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7
SHA512

23f86fcf116442d2b3e59793651a0e0997fcb239b00222b1b077453d91f3cb1447e2cd3957b5808a966db16cb2dd28f414aaa40835f54ae48ec49b189084a731
SSDEEP

49152:lg69SebPPiKgYy+jKCB+RzlSomYoZQbZkvHKqx9D6+:lg69Sebi4jORzlPmLYZkvK69D6+

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine	adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
164	adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
164	adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7.exe
164	adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7.exe

C:\Users\Admin\AppData\Local\Temp\adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7.exe
"C:\Users\Admin\AppData\Local\Temp\adb594efebfc6c0853642d37be4da822d27c84a2b0b120b67913156308cab6e7.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/164-0-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-1-0x0000000077434000-0x0000000077435000-memory.dmp

Filesize
4KB

Download
memory/164-13-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/164-5-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/164-12-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/164-11-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/164-10-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/164-9-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/164-8-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/164-7-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/164-6-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/164-4-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/164-3-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/164-2-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/164-14-0x00000000059B0000-0x00000000059B2000-memory.dmp

Filesize
8KB

Download
memory/164-15-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-16-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-17-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-18-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-19-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-20-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-21-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-22-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-23-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-24-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-25-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-26-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-27-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-28-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-29-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-30-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-31-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-32-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-33-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-34-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-35-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-36-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-37-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-38-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-39-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-40-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-41-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-42-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-43-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download
memory/164-44-0x0000000001060000-0x0000000001636000-memory.dmp

Filesize
5.8MB

Download