Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-05-2024 19:40

General

  • Target

    56d0ec47b14d2222747153f157d113af3966e39b7cc575f0b759594d7756ae0c.exe

  • Size

    4.4MB

  • MD5

    5de35bf2a5c775600ee0dda327208977

  • SHA1

    437d33a9b8acfa8c579395e280233f837ac37c32

  • SHA256

    56d0ec47b14d2222747153f157d113af3966e39b7cc575f0b759594d7756ae0c

  • SHA512

    c7b088cd3972a07de92db055b55474a623ed0ab3e7282024da5d82481c201f5c0eaad258d83ac7ae01d90e175cee37aeb64989117e83ee7c7a59ca525723bb9e

  • SSDEEP

    98304:fE/JUhJQj4nKE/oe6im51pRUzXnzc7YArZ4JBAUZLvfi3:M2oOJoVZU7zyYxJV7fi3

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • UPX packed file 27 IoCs

    Detects executables packed with UPX or a modified version of the UPX open-source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56d0ec47b14d2222747153f157d113af3966e39b7cc575f0b759594d7756ae0c.exe
    "C:\Users\Admin\AppData\Local\Temp\56d0ec47b14d2222747153f157d113af3966e39b7cc575f0b759594d7756ae0c.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Mm
      C:\Mm
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4692
      • C:\Program Files\Common Files\Microsoft Shared\MSINFO\OQSUYaac.exe
        "C:\Program Files\Common Files\Microsoft Shared\MSINFO\OQSUYaac.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1040

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Mm

    Filesize

    1.6MB

    MD5

    7eb15beea11d9f922a4976a05eaaba4e

    SHA1

    0208b5382a07d38c6f6fcbaf2ee153831818976a

    SHA256

    e94c74a889e1930f486d2f9992ccbab9689e40914fc95b1c0d4af71a45f48aa4

    SHA512

    41b2aac85053310f3bf313456cb2ed3c5a025ca3f2222653916022b05893e311cc2a2fced822e205c51e346c580c1a5d6fca36f7c9d9b47a15a604123863565a

  • memory/1040-74-0x0000000000400000-0x0000000000832000-memory.dmp (Filesize 4.2MB)
  • memory/1040-64-0x0000000000400000-0x0000000000832000-memory.dmp (Filesize 4.2MB)
  • memory/1040-62-0x0000000000400000-0x0000000000832000-memory.dmp (Filesize 4.2MB)
  • memory/1040-59-0x0000000000400000-0x0000000000832000-memory.dmp (Filesize 4.2MB)
  • memory/4692-51-0x0000000000400000-0x0000000000832000-memory.dmp (Filesize 4.2MB)
  • memory/4692-52-0x0000000077564000-0x0000000077566000-memory.dmp (Filesize 8KB)
  • memory/4692-60-0x0000000000400000-0x0000000000832000-memory.dmp (Filesize 4.2MB)
  • memory/4692-53-0x0000000000401000-0x0000000000452000-memory.dmp (Filesize 324KB)
  • memory/4856-11-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-3-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-31-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-30-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-27-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-25-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-23-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-21-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-19-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-17-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-15-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-44-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-10-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-33-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-2-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-13-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-5-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-1-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-0-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-45-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-37-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-46-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-39-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-61-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-41-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-35-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4856-7-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)