Analysis Overview
SHA256
407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f
Threat Level: Known bad
The file 407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f was found to be: Known bad.
Malicious Activity Summary
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Identifies Wine through registry keys
Suspicious use of NtSetInformationThreadHideFromDebugger
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
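The registry reads listed above (the VirtualBox ACPI table name, the two BIOS version values, the per-user Wine key and the NLS language key) recur in both detonations below. The following is an added example, not part of the sandbox report or of Stealc: it turns those paths into a small detector that groups registry-access events by process and flags a process only when it hits several of the categories at once, since a single SystemBiosVersion or language read is ordinary for legitimate software. The threshold, the event format, pid 3940 (taken from the behavioral1 memory dump names) and the benign svchost.exe event are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Registry paths taken from the signatures in this report, mapped to a category.
# The SID under \REGISTRY\USER differs per user and ControlSet00N per machine,
# so those two are matched with patterns rather than literal strings.
ANTI_ANALYSIS_INDICATORS = [
    (re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I), "vm_virtualbox_acpi"),
    (re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion$", re.I), "bios_version"),
    (re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion$", re.I), "video_bios_version"),
    (re.compile(r"^\\REGISTRY\\USER\\S-1-5-21(-\d+){4}\\Software\\Wine$", re.I), "wine"),
    (re.compile(r"^\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d{3}\\Control\\NLS\\Language$", re.I), "system_language"),
]

# Threshold chosen for this example (an assumption, not a sandbox setting): one
# BIOS or language read is normal for plenty of software, so a process is flagged
# only when it hits several categories, or pairs a hypervisor check with Wine.
MIN_CATEGORIES = 3

def classify_key(key):
    """Return the indicator category for a registry path, or None if it is not one."""
    for pattern, category in ANTI_ANALYSIS_INDICATORS:
        if pattern.match(key):
            return category
    return None

def score_processes(events):
    """Collect, per pid, the set of indicator categories its registry accesses hit."""
    hits = defaultdict(set)
    for ev in events:
        category = classify_key(ev["key"])
        if category:
            hits[ev["pid"]].add(category)
    return hits

def flagged_processes(events):
    """Return {pid: sorted categories} for processes whose accesses look like an
    anti-VM / anti-analysis probe rather than an incidental hardware query."""
    flagged = {}
    for pid, cats in score_processes(events).items():
        vm_plus_wine = "wine" in cats and any(c.startswith("vm_") for c in cats)
        if len(cats) >= MIN_CATEGORIES or vm_plus_wine:
            flagged[pid] = sorted(cats)
    return flagged

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe")

# Constructed events: the five registry accesses from the behavioral1 signature
# tables, attributed to pid 3940 (the pid in the behavioral1 dump names), plus
# one invented benign process that reads only SystemBiosVersion.
CONSTRUCTED_EVENTS = [
    {"pid": 3940, "process": SAMPLE_EXE, "op": "Key opened",
     "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 3940, "process": SAMPLE_EXE, "op": "Key value queried",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 3940, "process": SAMPLE_EXE, "op": "Key value queried",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"pid": 3940, "process": SAMPLE_EXE, "op": "Key opened",
     "key": r"\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine"},
    {"pid": 3940, "process": SAMPLE_EXE, "op": "Key opened",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"pid": 1234, "process": r"C:\Windows\System32\svchost.exe", "op": "Key value queried",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
]

if __name__ == "__main__":
    for pid, cats in flagged_processes(CONSTRUCTED_EVENTS).items():
        print(f"pid {pid}: {len(cats)} anti-analysis categories: {', '.join(cats)}")
```

Run as-is, only pid 3940 is flagged, with all five categories; the constructed svchost.exe event alone does not cross the threshold. In a real pipeline the event list would come from Sysmon registry events or an EDR, and the Wine pattern matters because the SID in the behavioral2 run differs from behavioral1.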
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-08 09:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-08 09:31
Reported
2024-09-08 09:34
Platform
win10v2004-20240802-en
Max time kernel
99s
Max time network
112s
Command Line
Signatures
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe
"C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RU | 185.215.113.103:80 | 185.215.113.103 | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
Files
memory/3940-0-0x0000000000880000-0x0000000000F0A000-memory.dmp
memory/3940-1-0x0000000076F34000-0x0000000076F36000-memory.dmp
memory/3940-2-0x0000000000881000-0x0000000000895000-memory.dmp
memory/3940-3-0x0000000000880000-0x0000000000F0A000-memory.dmp
memory/3940-5-0x0000000000880000-0x0000000000F0A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-08 09:31
Reported
2024-09-08 09:34
Platform
win11-20240802-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe
"C:\Users\Admin\AppData\Local\Temp\407c7e945453f8b416b70eb3cab6e575833ea8082edf6f38b6f91325fa756a8f.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.103:80 | 185.215.113.103 | tcp |
| US | 8.8.8.8:53 | 103.113.215.185.in-addr.arpa | udp |
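Both network tables (behavioral1 above and behavioral2 here) mix one direct TCP connection with a series of UDP queries to 8.8.8.8 whose names end in in-addr.arpa, i.e. reverse (PTR) lookups. Such lookups are often made by the analysis VM itself for addresses it has seen rather than by the sample, so they are context, not indicators; the only extractable network IOC is the connection to 185.215.113.103:80. The following added example (not part of the report) parses both tables, reverses each PTR name back into the address it asks about, and reports which connected host was also reverse-resolved. Splitting traffic on destination port 53 is an assumption made for this example.

```python
import ipaddress

# The two network tables from this report, copied so the script runs offline.
BEHAVIORAL1_NETWORK = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RU | 185.215.113.103:80 | 185.215.113.103 | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
"""
BEHAVIORAL2_NETWORK = """
| Country | Destination | Domain | Proto |
| RU | 185.215.113.103:80 | 185.215.113.103 | tcp |
| US | 8.8.8.8:53 | 103.113.215.185.in-addr.arpa | udp |
"""

def ptr_name_to_ip(name):
    """Turn an IPv4 reverse-lookup name (d.c.b.a.in-addr.arpa) back into a.b.c.d.
    Returns None for anything that is not a well-formed IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None

def parse_network_table(text):
    """Parse the report's pipe-delimited network table into row dicts."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        rows.append(dict(zip(("country", "destination", "domain", "proto"), cells)))
    return rows

def correlate(rows):
    """Separate real connections from DNS traffic, recover the IPs behind PTR
    queries, and report which connected hosts were also reverse-resolved."""
    connections, ptr_lookups = set(), set()
    for r in rows:
        host, _, port = r["destination"].rpartition(":")
        if port == "53":                      # DNS row: keep only the PTR target
            ip = ptr_name_to_ip(r["domain"])
            if ip:
                ptr_lookups.add(ip)
            continue
        connections.add(r["destination"])     # anything else is a real connection
    connected_hosts = {c.rpartition(":")[0] for c in connections}
    return {"connections": connections, "ptr_lookups": ptr_lookups,
            "connected_and_resolved": connected_hosts & ptr_lookups}

if __name__ == "__main__":
    for label, table in (("behavioral1", BEHAVIORAL1_NETWORK), ("behavioral2", BEHAVIORAL2_NETWORK)):
        result = correlate(parse_network_table(table))
        print(label, "connections:", sorted(result["connections"]))
        print(label, "PTR lookups for:", sorted(result["ptr_lookups"]))
        print(label, "connected and reverse-resolved:", sorted(result["connected_and_resolved"]))
```

In both runs the single connection is 185.215.113.103:80 and its address also appears among the PTR targets (103.113.215.185.in-addr.arpa). The other eight reversed addresses in behavioral1 have no matching connection in the report, so the script does not promote them to indicators.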
Files
memory/1848-0-0x0000000000A80000-0x000000000110A000-memory.dmp
memory/1848-1-0x0000000077C76000-0x0000000077C78000-memory.dmp
memory/1848-2-0x0000000000A81000-0x0000000000A95000-memory.dmp
memory/1848-3-0x0000000000A80000-0x000000000110A000-memory.dmp
memory/1848-4-0x0000000000A80000-0x000000000110A000-memory.dmp
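The dump file names in the two Files sections encode the pid, a sequence number and the dumped address range. Before diffing dumps from the win10 and win11 runs it is worth checking that they describe the same image: the following added example (not part of the report) parses the names from both runs, collapses repeated dumps of the same range, and compares region sizes and the offset of the smaller inner region from the main region's base. The page does not say what the regions contain, and the script does not guess; it only shows that the layouts match and that the main region moved by a fixed delta between runs.

```python
import re

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Dump file names copied from the report's two Files sections.
BEHAVIORAL1_DUMPS = [
    "memory/3940-0-0x0000000000880000-0x0000000000F0A000-memory.dmp",
    "memory/3940-1-0x0000000076F34000-0x0000000076F36000-memory.dmp",
    "memory/3940-2-0x0000000000881000-0x0000000000895000-memory.dmp",
    "memory/3940-3-0x0000000000880000-0x0000000000F0A000-memory.dmp",
    "memory/3940-5-0x0000000000880000-0x0000000000F0A000-memory.dmp",
]
BEHAVIORAL2_DUMPS = [
    "memory/1848-0-0x0000000000A80000-0x000000000110A000-memory.dmp",
    "memory/1848-1-0x0000000077C76000-0x0000000077C78000-memory.dmp",
    "memory/1848-2-0x0000000000A81000-0x0000000000A95000-memory.dmp",
    "memory/1848-3-0x0000000000A80000-0x000000000110A000-memory.dmp",
    "memory/1848-4-0x0000000000A80000-0x000000000110A000-memory.dmp",
]

def parse_dump_name(name):
    """Split a dump name into pid, sequence number, address range and size in bytes.
    Returns None for names that do not follow the pattern or have an empty range."""
    m = DUMP_NAME.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        return None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}

def _parsed(names):
    return [d for d in (parse_dump_name(n) for n in names) if d]

def region_sizes(names):
    """Sizes of the distinct ranges dumped in one run, ordered by start address.
    Repeated dumps of one range (seq 0, 3 and 5 in behavioral1) collapse to one."""
    return [e - s for s, e in sorted({(d["start"], d["end"]) for d in _parsed(names)})]

def largest_region(names):
    """The biggest dumped range, used as the reference base for the run."""
    return max(_parsed(names), key=lambda d: d["size"])

def sub_regions(names):
    """Ranges lying inside the largest region, as (offset from its base, size)."""
    big = largest_region(names)
    inner = sorted({(d["start"], d["end"]) for d in _parsed(names)
                    if d["start"] >= big["start"] and d["end"] <= big["end"]
                    and d["size"] < big["size"]})
    return [(s - big["start"], e - s) for s, e in inner]

if __name__ == "__main__":
    for label, names in (("behavioral1", BEHAVIORAL1_DUMPS), ("behavioral2", BEHAVIORAL2_DUMPS)):
        print(label, "region sizes:", [hex(s) for s in region_sizes(names)])
        print(label, "inner regions (offset, size):", [(hex(o), hex(s)) for o, s in sub_regions(names)])
    delta = largest_region(BEHAVIORAL2_DUMPS)["start"] - largest_region(BEHAVIORAL1_DUMPS)["start"]
    print("main region base delta between runs:", hex(delta))
```

For this report both runs yield three distinct regions of 0x68A000, 0x14000 and 0x2000 bytes, the 0x14000 region sits at offset 0x1000 inside the main region in both, and the main region's base moved from 0x880000 to 0xA80000 (a delta of 0x200000). Matching layout at a relocated base is what you would expect from the same unpacked image under ASLR, so the two runs' dumps can be compared after rebasing.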