81e8aa34984a29b9f5e1e017fcdc76c06a8da2c26edbe4e45ad4a088aac5b327

General

Target

81e8aa34984a29b9f5e1e017fcdc76c06a8da2c26edbe4e45ad4a088aac5b327.exe
Size

4.1MB
MD5

6188d5ecaa97c6835ae4d613b354c796
SHA1

38292568f78035f6514eb4ec32fcf71226904393
SHA256

81e8aa34984a29b9f5e1e017fcdc76c06a8da2c26edbe4e45ad4a088aac5b327
SHA512

fae071f40248873d4170054f5028e854ea67b8cc7e310fbd4102a347ba7fa38b9b59c79c780d5d2db65abbf1518f60c5ef056972488bfe92f6b89cb4fa57f897
SSDEEP

98304:KEc1bNmfyMj4ryXdLdiXx+Rton9QTj53C8f93S8b+m9axAm:KhNmaMj4rOwxwton0jNeGmA

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	81e8aa34984a29b9f5e1e017fcdc76c06a8da2c26edbe4e45ad4a088aac5b327.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	81e8aa34984a29b9f5e1e017fcdc76c06a8da2c26edbe4e45ad4a088aac5b327.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	81e8aa34984a29b9f5e1e017fcdc76c06a8da2c26edbe4e45ad4a088aac5b327.exe

Loads dropped DLL 2 IoCs

pid	Process
3396	81e8aa34984a29b9f5e1e017fcdc76c06a8da2c26edbe4e45ad4a088aac5b327.exe
3396	81e8aa34984a29b9f5e1e017fcdc76c06a8da2c26edbe4e45ad4a088aac5b327.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81e8aa34984a29b9f5e1e017fcdc76c06a8da2c26edbe4e45ad4a088aac5b327.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3396	81e8aa34984a29b9f5e1e017fcdc76c06a8da2c26edbe4e45ad4a088aac5b327.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3396	81e8aa34984a29b9f5e1e017fcdc76c06a8da2c26edbe4e45ad4a088aac5b327.exe
3396	81e8aa34984a29b9f5e1e017fcdc76c06a8da2c26edbe4e45ad4a088aac5b327.exe

C:\Users\Admin\AppData\Local\Temp\81e8aa34984a29b9f5e1e017fcdc76c06a8da2c26edbe4e45ad4a088aac5b327.exe
"C:\Users\Admin\AppData\Local\Temp\81e8aa34984a29b9f5e1e017fcdc76c06a8da2c26edbe4e45ad4a088aac5b327.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
memory/3396-30-0x0000000076790000-0x0000000076880000-memory.dmp

Filesize
960KB

Download
memory/3396-0-0x0000000000FC0000-0x00000000019FC000-memory.dmp

Filesize
10.2MB

Download
memory/3396-5-0x0000000076790000-0x0000000076880000-memory.dmp

Filesize
960KB

Download
memory/3396-32-0x000000000AE90000-0x000000000AE9E000-memory.dmp

Filesize
56KB

Download
memory/3396-8-0x0000000076790000-0x0000000076880000-memory.dmp

Filesize
960KB

Download
memory/3396-2-0x0000000076790000-0x0000000076880000-memory.dmp

Filesize
960KB

Download
memory/3396-1-0x00000000767B0000-0x00000000767B1000-memory.dmp

Filesize
4KB

Download
memory/3396-31-0x000000000AEC0000-0x000000000AEF8000-memory.dmp

Filesize
224KB

Download
memory/3396-9-0x0000000076790000-0x0000000076880000-memory.dmp

Filesize
960KB

Download
memory/3396-19-0x0000000000FC0000-0x00000000019FC000-memory.dmp

Filesize
10.2MB

Download
memory/3396-20-0x0000000000FC0000-0x00000000019FC000-memory.dmp

Filesize
10.2MB

Download
memory/3396-21-0x0000000006240000-0x000000000638A000-memory.dmp

Filesize
1.3MB

Download
memory/3396-22-0x0000000006A30000-0x0000000006FD4000-memory.dmp

Filesize
5.6MB

Download
memory/3396-39-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3396-29-0x000000000AE40000-0x000000000AE48000-memory.dmp

Filesize
32KB

Download
memory/3396-4-0x0000000076790000-0x0000000076880000-memory.dmp

Filesize
960KB

Download
memory/3396-3-0x0000000076790000-0x0000000076880000-memory.dmp

Filesize
960KB

Download
memory/3396-6-0x0000000076790000-0x0000000076880000-memory.dmp

Filesize
960KB

Download
memory/3396-23-0x0000000006550000-0x00000000065E2000-memory.dmp

Filesize
584KB

Download
memory/3396-37-0x000000000AF30000-0x000000000AF3A000-memory.dmp

Filesize
40KB

Download
memory/3396-36-0x000000000BDE0000-0x000000000BE4C000-memory.dmp

Filesize
432KB

Download
memory/3396-40-0x000000000BDA0000-0x000000000BDAA000-memory.dmp

Filesize
40KB

Download
memory/3396-7-0x0000000076790000-0x0000000076880000-memory.dmp

Filesize
960KB

Download
memory/3396-41-0x0000000000FC0000-0x00000000019FC000-memory.dmp

Filesize
10.2MB

Download
memory/3396-43-0x0000000076790000-0x0000000076880000-memory.dmp

Filesize
960KB

Download
memory/3396-44-0x00000000767B0000-0x00000000767B1000-memory.dmp

Filesize
4KB

Download
memory/3396-45-0x0000000076790000-0x0000000076880000-memory.dmp

Filesize
960KB

Download
memory/3396-46-0x0000000076790000-0x0000000076880000-memory.dmp

Filesize
960KB

Download
memory/3396-47-0x0000000076790000-0x0000000076880000-memory.dmp

Filesize
960KB

Download
memory/3396-49-0x0000000076790000-0x0000000076880000-memory.dmp

Filesize
960KB

Download
memory/3396-48-0x0000000076790000-0x0000000076880000-memory.dmp

Filesize
960KB

Download
memory/3396-51-0x0000000076790000-0x0000000076880000-memory.dmp

Filesize
960KB

Download
memory/3396-52-0x0000000076790000-0x0000000076880000-memory.dmp

Filesize
960KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads