c9a87d68a65ade147208ac8a6d68297877f145285e3f3f40ec01ea8d562fadc9

Analysis

max time kernel
143s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 18:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

$1/1337/2.exe
Size

2.4MB
MD5

bd029ebcf93372264841945ba91d0b26
SHA1

592a3da5fc92f7f92e4b7fd12ca4028f90f05762
SHA256

cf7074081335231a0c3c76a35ae1e6b252ad15e7424f1aa99b48e40835a71391
SHA512

b15e9cd5548c019d6d91fec665d89da2874785778cbdfdfdbf400b19019a3fae9f23f02a7e51a33d39e30fce05b88cc0ebd5221e627e153e04644370d8b09138
SSDEEP

49152:sHCvd7EJt6wfpm4Fw1rXt7rSDOcjeG78hbT3zhf4MMK5XL:nd7wtHpm4y8yG7Ov9fP1L

Score

9^/10

discovery evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Test.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Test.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Test.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	1.exe

Executes dropped EXE 2 IoCs

pid	Process
3792	1.exe
752	Test.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine	Test.exe

Loads dropped DLL 2 IoCs

pid	Process
4988	2.exe
3792	1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
752	Test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Test.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral8/files/0x00070000000235f7-9.dat	nsis_installer_1
behavioral8/files/0x00070000000235f7-9.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
752	Test.exe
752	Test.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 3792	4988	2.exe	93
PID 4988 wrote to memory of 3792	4988	2.exe	93
PID 4988 wrote to memory of 3792	4988	2.exe	93
PID 3792 wrote to memory of 752	3792	1.exe	95
PID 3792 wrote to memory of 752	3792	1.exe	95
PID 3792 wrote to memory of 752	3792	1.exe	95

C:\Users\Admin\AppData\Local\Temp\$1\1337\2.exe
"C:\Users\Admin\AppData\Local\Temp\$1\1337\2.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Roaming\1337\1.exe
  "C:\Users\Admin\AppData\Roaming\1337\1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Users\Admin\AppData\Roaming\1337\Test.exe
    "C:\Users\Admin\AppData\Roaming\1337\Test.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4156,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8
1⤵
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsm55CE.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Users\Admin\AppData\Roaming\1337\1.exe

Filesize
2.0MB

MD5
c6f1b27b6b65413942afeee03f13c12a

SHA1
d0c9b1b4409c0d4808dc30226463caa9da3a877a

SHA256
305ddcd4d976597f0f219c41a49749d87d7f45ff4578408d60921016b6d662ab

SHA512
585df1b3d6f6b95d79e214b88dced62acee6e9b7a547ee05ab1b2dcbcdb8de80dd8d2dd3dd9ef93964183930add2a594c4c664ee38eaed5e41fe57770f1954d0

Download Submit
C:\Users\Admin\AppData\Roaming\1337\Test.exe

Filesize
1.6MB

MD5
a0b96dbbdeb12eff9630a2de7311e4eb

SHA1
4d75fbf0357122e513ec72b0552dd1e3d75119d3

SHA256
42db31d1ff1f8eed5938b3b3a220406267d103cc308ca4a26d7ab1120aa65848

SHA512
a44c8a27ce148585927fce6de67fec407a4081b5b3ed7cd9a69963fd06a2540807de5924683c804fc2086b3ef2ea86df40c7fdfcea71f380bd74ac6fe8dbc21f

Download Submit
memory/752-35-0x0000000000470000-0x000000000083C000-memory.dmp

Filesize
3.8MB

Download
memory/752-36-0x0000000077504000-0x0000000077506000-memory.dmp

Filesize
8KB

Download
memory/752-37-0x0000000000470000-0x000000000083C000-memory.dmp

Filesize
3.8MB

Download