Analysis
-
max time kernel
141s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
14-05-2024 14:05
General
-
Target
$1/Outbreak/Pigeon_39.exe
-
Size
6.8MB
-
MD5
f7958823d5a3c0a2df7974adde4028d0
-
SHA1
bb4e28ce33d1d1346c9916593d2760596eec0cc2
-
SHA256
72a310904f5c29c586eceff7a2442dc50e82c5a0673ac62e07c793333803f0e5
-
SHA512
5d65bf146d76f0d24599e95d6b222125d717bf6a94c58034cb09a96380b92b6a672a54987acebca83ba1f9dc78ab1947fa3c9cc5856f08a0042673b78fcf9171
-
SSDEEP
196608:g/xq66y1wQplnbnZVztYtArKIF20GsbYr9vyKHRo:wx1i29bnZYtAWmeyqo
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\$1\Outbreak\Pigeon_39.exe"C:\Users\Admin\AppData\Local\Temp\$1\Outbreak\Pigeon_39.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe"C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exeFilesize
6.8MB
MD5f7958823d5a3c0a2df7974adde4028d0
SHA1bb4e28ce33d1d1346c9916593d2760596eec0cc2
SHA25672a310904f5c29c586eceff7a2442dc50e82c5a0673ac62e07c793333803f0e5
SHA5125d65bf146d76f0d24599e95d6b222125d717bf6a94c58034cb09a96380b92b6a672a54987acebca83ba1f9dc78ab1947fa3c9cc5856f08a0042673b78fcf9171
-
memory/1512-0-0x0000000000170000-0x0000000000DB6000-memory.dmpFilesize
12.3MB
-
memory/1512-1-0x0000000077E74000-0x0000000077E76000-memory.dmpFilesize
8KB
-
memory/1512-2-0x0000000000171000-0x0000000000180000-memory.dmpFilesize
60KB
-
memory/1512-4-0x0000000000170000-0x0000000000DB6000-memory.dmpFilesize
12.3MB
-
memory/1512-11-0x0000000000170000-0x0000000000DB6000-memory.dmpFilesize
12.3MB
-
memory/4916-12-0x0000000000B80000-0x00000000017C6000-memory.dmpFilesize
12.3MB
-
memory/4916-13-0x0000000000B81000-0x0000000000B90000-memory.dmpFilesize
60KB
-
memory/4916-14-0x0000000000B80000-0x00000000017C6000-memory.dmpFilesize
12.3MB