3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00

General

Target

3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.exe
Size

2.6MB
MD5

038aa802fb1c12dd2a4339293bc27001
SHA1

f37bd1352bd1f7e6163007e7d2db44c7d57e140c
SHA256

3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00
SHA512

5304180164bfc796c0a5dee4dfec8ad914066fbe2803cc181504d99744d6e806b454b68185495547283447ec3f90dcd8afd62959c279232c549e4fecc73fecbe
SSDEEP

49152:Ujk6UiKb+dwBObjO4UXdqGpyIA8tJc6vA1vvxv2s:skVZc/vtINLZvAZ2s

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine	3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1220	3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1220 set thread context of 2608	1220	3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.exe	28

Executes dropped EXE 1 IoCs

pid	Process
2608	3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.xgd

Loads dropped DLL 2 IoCs

pid	Process
1220	3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.exe
1220	3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1220	3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1220	3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.exe
1220	3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2608	1220	3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.exe	28
PID 1220 wrote to memory of 2608	1220	3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.exe	28
PID 1220 wrote to memory of 2608	1220	3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.exe	28
PID 1220 wrote to memory of 2608	1220	3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.exe	28
PID 1220 wrote to memory of 2608	1220	3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.exe	28
PID 1220 wrote to memory of 2608	1220	3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.exe	28

C:\Users\Admin\AppData\Local\Temp\3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.exe
"C:\Users\Admin\AppData\Local\Temp\3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.xgd
  C:\Users\Admin\AppData\Local\Temp\3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.xgd
  2⤵
  - Executes dropped EXE
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3d725e022e17a7824d1826d5e111fa7e671fea9d510f0f8c5506c1dfcad53e00.xgd

Filesize
672KB

MD5
6b24fa8f1bd7141bfdc91778b41cfc67

SHA1
e09ea5f084581a7f343fe94e1d4efc00a489bbeb

SHA256
700d5bf9b98ebce18625a8a1b582428be3125d6825689c3392d7b264780876ac

SHA512
917852e0cda1d313fdad27e1e5c507f8b1b37a68141568c9a89f0032f05abb0e941200a780d68d258e06c42cb61425e40f497206f945c7e255994839533659a6

Download Submit
memory/1220-0-0x0000000000400000-0x00000000008C9000-memory.dmp

Filesize
4.8MB

Download
memory/1220-1-0x0000000077380000-0x0000000077382000-memory.dmp

Filesize
8KB

Download
memory/1220-2-0x0000000000401000-0x0000000000420000-memory.dmp

Filesize
124KB

Download
memory/1220-6-0x0000000000400000-0x00000000008C9000-memory.dmp

Filesize
4.8MB

Download
memory/1220-15-0x0000000000400000-0x00000000008C9000-memory.dmp

Filesize
4.8MB

Download
memory/1220-14-0x0000000000400000-0x00000000008C9000-memory.dmp

Filesize
4.8MB

Download
memory/1220-17-0x0000000000400000-0x00000000008C9000-memory.dmp

Filesize
4.8MB

Download
memory/2608-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads