c7787158a846342071ed9c7de65eeb3ecac245bee424298f61203b35b094eb3d

Analysis

max time kernel
291s
max time network
260s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
07/05/2024, 23:57 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7787158a846342071ed9c7de65eeb3ecac245bee424298f61203b35b094eb3d.exe
Size

2.3MB
MD5

73e06e8f6d8117f4119a680223c5a20a
SHA1

96e13be7c6ce657b050e81c8215b7a32b4e25688
SHA256

c7787158a846342071ed9c7de65eeb3ecac245bee424298f61203b35b094eb3d
SHA512

7786ff5e81f669bceeba84ade9ea6adf1466aeca4203a633e145cc463f9183be51c8b1e4f3183758ed3af08c6aa32dc084d9e88828caeb9510c30623bef5b763
SSDEEP

49152:6GY5918NqwTEgTcQ8XMV80K/TuhGyRLtGVzVYnnJ5pGqBGQGD1Ygqb:bhTP8XMV80bZ6VzpY7

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c7787158a846342071ed9c7de65eeb3ecac245bee424298f61203b35b094eb3d.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c7787158a846342071ed9c7de65eeb3ecac245bee424298f61203b35b094eb3d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c7787158a846342071ed9c7de65eeb3ecac245bee424298f61203b35b094eb3d.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	c7787158a846342071ed9c7de65eeb3ecac245bee424298f61203b35b094eb3d.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2584	c7787158a846342071ed9c7de65eeb3ecac245bee424298f61203b35b094eb3d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2584	c7787158a846342071ed9c7de65eeb3ecac245bee424298f61203b35b094eb3d.exe
2584	c7787158a846342071ed9c7de65eeb3ecac245bee424298f61203b35b094eb3d.exe

C:\Users\Admin\AppData\Local\Temp\c7787158a846342071ed9c7de65eeb3ecac245bee424298f61203b35b094eb3d.exe
"C:\Users\Admin\AppData\Local\Temp\c7787158a846342071ed9c7de65eeb3ecac245bee424298f61203b35b094eb3d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2584

Network

DNS

131.72.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.72.42.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

131.72.42.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

131.72.42.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2584-0-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-1-0x0000000077854000-0x0000000077855000-memory.dmp

Filesize
4KB

Download
memory/2584-12-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/2584-11-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/2584-10-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/2584-4-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/2584-9-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/2584-8-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/2584-7-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/2584-6-0x0000000005600000-0x0000000005602000-memory.dmp

Filesize
8KB

Download
memory/2584-5-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/2584-3-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/2584-2-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/2584-13-0x00000000056E0000-0x00000000056E2000-memory.dmp

Filesize
8KB

Download
memory/2584-14-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-15-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-16-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-17-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-18-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-19-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-20-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-21-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-22-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-23-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-24-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-25-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-26-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-27-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-28-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-29-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-30-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-31-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-32-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-33-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-34-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-35-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-36-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-37-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-38-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-39-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-40-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-41-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-42-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download
memory/2584-43-0x0000000000E80000-0x0000000001466000-memory.dmp

Filesize
5.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.