2e402d9779e3b3399479a69016a0912d2b5f705f33c2aa98dd2c819ac0829e28

Analysis

max time kernel
135s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-11-2024 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17-10-2024 #20/Barys.exe
Size

88KB
MD5

445eb194754c27879a63d35759596e10
SHA1

ef51ac6434866bbd9f9b3fa41fbf226809526f13
SHA256

a361730e2bff765a6bc2e2c6710678656ea3572c8b9cb1f9eabbc61533fb66b0
SHA512

24e8a785343b3f3cd8c2de41815933411037583c5560d683e81562eca947279dda29f57d439faf0eca9b716e6c744796e92954ab3ee0e7aae110e71da16b1dd5
SSDEEP

768:K6DRUfhSsK5bCUK4gnPuoQlWNIK9tSsXB64cdrtA+ygQ7n+DV7xZxIjVK:5DGY5bfKBPBGWUsE4QrtFQyp6

Score

9^/10

discovery evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Barys.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Barys.exe
Executes dropped EXE 1 IoCs

Processes:

pid process

1204
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Barys.exe

pid process

2508 Barys.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Barys.exe

pid process

2508 Barys.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Barys.exe

pid process

2508 Barys.exe
2508 Barys.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Barys.exe

pid process

2508 Barys.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Barys.exe

pid	process
1204

pid	process
2508	Barys.exe

pid	process
2508	Barys.exe

pid	process
2508	Barys.exe
2508	Barys.exe

pid	process
2508	Barys.exe

C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe
"C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\Barys.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\715cd7ac

Filesize
856KB

MD5
d47ad2979d9f7bea7a63d2c7b234c8f6

SHA1
e138a3a6f8f1d7811be5920e6885a49846a0fce2

SHA256
dc2a53c03c8b0bbf66b177fdb758ef239633b0c6da79fd298b60749b1183a0af

SHA512
5223ee6a046c81f7d2ae02d75a416c8c8d721d4d4a6949006dbda8d1d593d12fccdb582db19d14e546b8177eda8188ed8f07ea13f664402fd7c065e1d44cc6f5

Download Submit
memory/2508-22-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2508-6-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2508-3-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2508-0-0x0000000001C40000-0x0000000001CDB000-memory.dmp

Filesize
620KB

Download
memory/2508-5-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2508-4-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2508-7-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2508-9-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2508-8-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2508-20-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2508-21-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2508-18-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2508-23-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2508-16-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2508-15-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2508-14-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2508-13-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2508-12-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2508-11-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2508-10-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2508-19-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2508-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2508-17-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2508-24-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2508-25-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2508-26-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2508-27-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2508-28-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2508-29-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2508-30-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2508-31-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2508-36-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2508-35-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2508-34-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2508-33-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2508-32-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2508-37-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2508-38-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2508-39-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2508-40-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2508-41-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2508-42-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2508-1-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2508-47-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download