Analysis Overview
SHA256
80ccab8bdd27277388cd6785c11885169d4561c08dbd70cd184327baff6e83c4
Threat Level: Known bad
The file 80ccab8bdd27277388cd6785c11885169d4561c08dbd70cd184327baff6e83c4 was found to be: Known bad.
Malicious Activity Summary
RisePro
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Identifies Wine through registry keys
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 09:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 09:30
Reported
2024-06-03 09:33
Platform
win11-20240508-en
Max time kernel
140s
Max time network
102s
Command Line
Signatures
RisePro
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\80ccab8bdd27277388cd6785c11885169d4561c08dbd70cd184327baff6e83c4.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\80ccab8bdd27277388cd6785c11885169d4561c08dbd70cd184327baff6e83c4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\80ccab8bdd27277388cd6785c11885169d4561c08dbd70cd184327baff6e83c4.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\80ccab8bdd27277388cd6785c11885169d4561c08dbd70cd184327baff6e83c4.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\80ccab8bdd27277388cd6785c11885169d4561c08dbd70cd184327baff6e83c4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\80ccab8bdd27277388cd6785c11885169d4561c08dbd70cd184327baff6e83c4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\80ccab8bdd27277388cd6785c11885169d4561c08dbd70cd184327baff6e83c4.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\80ccab8bdd27277388cd6785c11885169d4561c08dbd70cd184327baff6e83c4.exe
"C:\Users\Admin\AppData\Local\Temp\80ccab8bdd27277388cd6785c11885169d4561c08dbd70cd184327baff6e83c4.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 09:30
Reported
2024-06-03 09:33
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
92s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\80ccab8bdd27277388cd6785c11885169d4561c08dbd70cd184327baff6e83c4.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\80ccab8bdd27277388cd6785c11885169d4561c08dbd70cd184327baff6e83c4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\80ccab8bdd27277388cd6785c11885169d4561c08dbd70cd184327baff6e83c4.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\80ccab8bdd27277388cd6785c11885169d4561c08dbd70cd184327baff6e83c4.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\80ccab8bdd27277388cd6785c11885169d4561c08dbd70cd184327baff6e83c4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\80ccab8bdd27277388cd6785c11885169d4561c08dbd70cd184327baff6e83c4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\80ccab8bdd27277388cd6785c11885169d4561c08dbd70cd184327baff6e83c4.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\80ccab8bdd27277388cd6785c11885169d4561c08dbd70cd184327baff6e83c4.exe
"C:\Users\Admin\AppData\Local\Temp\80ccab8bdd27277388cd6785c11885169d4561c08dbd70cd184327baff6e83c4.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files