Overview

overview

10

Static

static

3

d60e2509cf...4N.exe

windows7-x64

10

d60e2509cf...4N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    110s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-09-2024 20:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d60e2509cf456d14518593598eac63df87a8d4b9136c89b3acb50662d8bce204N.exe

  • Size

    5.9MB

  • MD5

    f22cd2b659b2e1e9e8dd646da4a20dc0

  • SHA1

    3bbccb9a66ef386f47a10b83c479ec0d26d62856

  • SHA256

    d60e2509cf456d14518593598eac63df87a8d4b9136c89b3acb50662d8bce204

  • SHA512

    74ba74d9de0c06109df0abb3d162e8b5bdc7e78f880db520cdb5b77c0a3c968331d6cbb4761fb90f714366248d2976ad90c89bd82ab2d780fd481c4546cf1423

  • SSDEEP

    98304:qbHDEOlj0/s3IU4SeSO48CZcU+4zcmKOHFcx+YrR/+lkZ4mpgUAX+nq4ViZwaev7:qDFl/6SeDwZq4A3OeD/XpgJO5iKae3

Score
10/10
discoveryevasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\d60e2509cf456d14518593598eac63df87a8d4b9136c89b3acb50662d8bce204N.exe
    "C:\Users\Admin\AppData\Local\Temp\d60e2509cf456d14518593598eac63df87a8d4b9136c89b3acb50662d8bce204N.exe"
    1⤵
    • UAC bypass
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Identifies Wine through registry keys
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2908
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k del "C:\Arquivos de programas\GbPlugin\." /q
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4780
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k rd "%ProgramFiles%\GbPlugin"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4136
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k del "C:\Program Files (x86)\GbPlugin\." /q
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4644
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k rd "C:\Program Files (x86)\GbPlugin"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2908-0-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-1-0x0000000077C24000-0x0000000077C26000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2908-2-0x0000000000401000-0x000000000046A000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2908-3-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-5-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-6-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-7-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-8-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-9-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-10-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-11-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-12-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-13-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-14-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-15-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-16-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-23-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-24-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-25-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-26-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-27-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-28-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-29-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-30-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download

  • memory/2908-31-0x0000000000400000-0x0000000001B24000-memory.dmp

    Filesize

    23.1MB

    Download