Analysis
-
max time kernel
125s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
08-09-2024 04:00
Static task
static1
Behavioral task
behavioral1
Sample
b2d7f1e627e20804800b417f7d4d8a9133c58b16956a35a8885b011cbd7f79bb.exe
Resource
win7-20240704-en
General
-
Target
b2d7f1e627e20804800b417f7d4d8a9133c58b16956a35a8885b011cbd7f79bb.exe
-
Size
1.7MB
-
MD5
00caeff2ff96754a0a6caaec18afc8d5
-
SHA1
df1cd01e9a08177749609ca57d4af8cab9573510
-
SHA256
b2d7f1e627e20804800b417f7d4d8a9133c58b16956a35a8885b011cbd7f79bb
-
SHA512
ca82914b9914f926e91190393b5cd5843d44c9e4006c0d4420e0a9b4f5fc07f7ec290cbfb8ad6e6a927bdb583e3810d2b1849c4cfdf86a2f096a5b894774717e
-
SSDEEP
24576:c1GeWQbWNPeZK3By+OntUM2zG6tMSIYu4PF4IosnzjZqKYJBETLLqIYdpCFj0alX:GVaWZI2tzYUSIYu4N4IowUDSTLLr0MX
Malware Config
Extracted
stealc
rave
http://185.215.113.103
-
url_path
/e2b1563c6670f193.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b2d7f1e627e20804800b417f7d4d8a9133c58b16956a35a8885b011cbd7f79bb.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b2d7f1e627e20804800b417f7d4d8a9133c58b16956a35a8885b011cbd7f79bb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b2d7f1e627e20804800b417f7d4d8a9133c58b16956a35a8885b011cbd7f79bb.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine b2d7f1e627e20804800b417f7d4d8a9133c58b16956a35a8885b011cbd7f79bb.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2552 b2d7f1e627e20804800b417f7d4d8a9133c58b16956a35a8885b011cbd7f79bb.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b2d7f1e627e20804800b417f7d4d8a9133c58b16956a35a8885b011cbd7f79bb.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2552 b2d7f1e627e20804800b417f7d4d8a9133c58b16956a35a8885b011cbd7f79bb.exe 2552 b2d7f1e627e20804800b417f7d4d8a9133c58b16956a35a8885b011cbd7f79bb.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b2d7f1e627e20804800b417f7d4d8a9133c58b16956a35a8885b011cbd7f79bb.exe"C:\Users\Admin\AppData\Local\Temp\b2d7f1e627e20804800b417f7d4d8a9133c58b16956a35a8885b011cbd7f79bb.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2552
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:81⤵PID:3120