3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Size

6.5MB
MD5

9966d187d83ac328ba50f5136a86b636
SHA1

e94407e4fea23e93ca804a60712218109e2a9654
SHA256

3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f
SHA512

4b00a9d213a87891b2ef41aea9e25de65e7874c0543d437c2c53d6b82778961e512cb14fa7120f1ba6eb5765e821026d9f0927257acbc38d5dcb0195d099eb92
SSDEEP

98304:O29z8VLSyeSOOIhbGdddddddlwxPjBbWDBqxl5rGsyluIGsLKg+DZmSW/9q:4LVeSOOIhS+jMBCQQWg

Score

9^/10

discovery evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe

Loads dropped DLL 5 IoCs

pid	Process
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\RNA20E56AA7517B0F5078CDC0A97790E07E42321D55C80D3F96165B85FA4CABFB91A5140A94ACEC9B399E33587ABC613D13EF781C68E600C7B3690F494B3E8B6B0829CC5767C359FBBA249CE7872B83BD08C17C3B5F0D163BC16142CA0144 = "8747E76F996AE043"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe

Modifies registry class 58 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33414471-126E-4FC8-B430-1C6143484AA9}\InProcServer32	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33414471-126E-4FC8-B430-1C6143484AA9}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\plugin\\SYS.DLL"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.File\CLSID\ = "{57477331-126E-4FC8-B430-1C6143484AA9}"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.Sys\ = "QMPlugin.Sys"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33414471-126E-4FC8-B430-1C6143484AA9}\ProgID\ = "QMPlugin.Sys"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.File\ = "QMPlugin.File"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.File\CLSID	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\ProgID\ = "QMPlugin.File"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33414471-126E-4FC8-B430-1C6143484AA9}\ProgID	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.Sys\CLSID	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.File	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.Sys	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\ = "QMPlugin.File"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\plugin\\FILE.DLL"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33414471-126E-4FC8-B430-1C6143484AA9}	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33414471-126E-4FC8-B430-1C6143484AA9}\InProcServer32\ThreadingModel = "Apartment"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33414471-126E-4FC8-B430-1C6143484AA9}\ = "QMPlugin.Sys"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\InProcServer32	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ThreadingModel = "Apartment"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\ProgID	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\InProcServer32\ThreadingModel = "Apartment"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.Sys\CLSID\ = "{33414471-126E-4FC8-B430-1C6143484AA9}"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary"	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
2712	3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe

C:\Users\Admin\AppData\Local\Temp\3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe
"C:\Users\Admin\AppData\Local\Temp\3fb009714328e46c4507efd4c1b5efc49f7bdc7e597db9f49cb5081943c1cd9f.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mac3820.tmp

Filesize
307B

MD5
62b658d423c96760ddfed4bae34a222d

SHA1
e83980def6bb667b89012ef04e646593712ada96

SHA256
8e2cc3e7c6eccc27846bcd8c2d65ba7b6b568fb882a5c386fb141c32d5afa955

SHA512
772888a2289903aca72b8503b753af0127936d41487553da8e3fed3faba9f255b9589bd1df6a193d09927cc863da4c29228a71d7791b802c815011b140c91fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\plugin\FILE.ini

Filesize
2KB

MD5
e04472109d3e00286933cc1675760427

SHA1
c0c2ed2fda1884b5d00c6d292589a3920907eaa3

SHA256
06e641716fe6ffb936655579a63aca7d16dfc8f24f9ba8498a53c0359dc158a5

SHA512
bf42775f9de3653e583838d8dec718bc8c993a350593e0146159da6869d2edc67d0266d6f7dea8eb3cfa3c8fa8e8ebdf5454144f0a347646df3fa6cf3802fc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\plugin\SYS.ini

Filesize
1KB

MD5
09c6b26d1e0ff380321f586473d81098

SHA1
261ba0c9c3ddf3c9e8715ead3628212d2859bcba

SHA256
bc8eaa229e13a93be3bef498443182eb5d97551fbc5fcb1208d014b56161588f

SHA512
7700e2ab0c38f7b1a3190843f603b572f7952e4a3567855fbaf2f1085f7e5b4fcdaa97e9195a43299594a5c3b31d15232cb66d9c59a4231cc83487663ded832c

Download Submit
\Users\Admin\AppData\Local\Temp\cfgdll.dll

Filesize
59KB

MD5
929f56b46242fa68a616374a5403689b

SHA1
45b4ade1f0cc2bf13e74d9801eee5c7abee3c3b2

SHA256
767b2e735693a9455a23b19e7a94643fd6095fa1158cbe22f612d657ebbb670d

SHA512
81c69649efff9d320533bcb3256d42c671877e1d48f9df99134c514aa2d888d11ded13b9d3447949881513e376cf4644b41b997cad2a9ffb51f4f45ca3cdc641

Download Submit
\Users\Admin\AppData\Local\Temp\plugin\FILE.DLL

Filesize
64KB

MD5
3114e21f1a7fb572d21ed3b388048f37

SHA1
05b3755e296cc3f90b35475079bb0ac6641570d0

SHA256
83a22120a52ca51e832a299038338f4b6d01ad46fb6ca718e95429c810ccbe84

SHA512
a7cbaf6039f3c8563ae993e88c02e24d77b34268ab3d718fc9b428aefb308624cee39d9c1b60d3fa80b3e77c20c91e7e5730b50cc5a54b40c5af1559c183b235

Download Submit
\Users\Admin\AppData\Local\Temp\plugin\SYS.DLL

Filesize
32KB

MD5
18c393dfa1c0f3d2da0f4acdec5d7639

SHA1
84f666216085f177bccb8fa94900ba625f7552bc

SHA256
3c3599cf74407476a92ce4ee66ed3ce00d0b3ea5326f796c191e6ed0a9a87b3a

SHA512
ba61370b69b239754ff8f4e07f456755422667340c9a27bf2ace272b0e90a0818da595b973e90cd9ca4fc502028caef078e16bc7c87b2a6a8fa465141f54b3b4

Download Submit
\Users\Admin\AppData\Roaming\mymacro\qdisp.dll

Filesize
291KB

MD5
d15b727adfc4d5621b8e3ecba7ffa242

SHA1
19e7e36e94d4a088a3fa7c8421b533d64e10a841

SHA256
2a5949ee93a27a8ed0282b7f8bae27170f9724b76cfe5eb0ac9d6bc17fccb749

SHA512
34ef525ccc3c203481ca6a4ae3b825e79008e6201800a2e60cb784873f843e257ed615df5d32ba05c8690960c8b322b7dc0b1c715838928a1ea68303af09f293

Download Submit
memory/2712-150-0x0000000000400000-0x0000000000A83000-memory.dmp

Filesize
6.5MB

Download
memory/2712-0-0x0000000000400000-0x0000000000A83000-memory.dmp

Filesize
6.5MB

Download
memory/2712-50-0x0000000006460000-0x0000000006471000-memory.dmp

Filesize
68KB

Download
memory/2712-207-0x0000000000400000-0x0000000000A83000-memory.dmp

Filesize
6.5MB

Download
memory/2712-1-0x0000000000401000-0x000000000081A000-memory.dmp

Filesize
4.1MB

Download
memory/2712-217-0x0000000000400000-0x0000000000A83000-memory.dmp

Filesize
6.5MB

Download
memory/2712-218-0x0000000000400000-0x0000000000A83000-memory.dmp

Filesize
6.5MB

Download
memory/2712-225-0x0000000000400000-0x0000000000A83000-memory.dmp

Filesize
6.5MB

Download
memory/2712-226-0x0000000000401000-0x000000000081A000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads