41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DowloadX.exe
Size

2.0MB
MD5

c24b993d6ac519ab2ddf590710ddbb13
SHA1

8e0629da1cbaf775b28682732bea82458c3f4e1c
SHA256

0da0ce6849d2c36b47b6d2977926eeeed2175738e81efafd0e741119dfc40e69
SHA512

124abad84c76795a516b3c5dca47d65bae45fff8a0e3a9401d2d4ee394f79ff5cc2897a7ff2305bcb87a90f2c609cc0a982467edb30b22adc4d2e2e5bc702ecd
SSDEEP

49152:C3KvQkszfZZg2+ey/BZoz4AbR+quBeWaNHhot3iFxQ:C6sNl+pBZWVyBeWapm+xQ

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

DowloadX.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ DowloadX.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DowloadX.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DowloadX.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DowloadX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DowloadX.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

DowloadX.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation DowloadX.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

DowloadX.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine DowloadX.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

35 bitbucket.org
36 bitbucket.org
68 bitbucket.org
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

DowloadX.exe

pid process

2676 DowloadX.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

DowloadX.exe

pid process

2676 DowloadX.exe
2676 DowloadX.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	DowloadX.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	DowloadX.exe

flow	ioc
35	bitbucket.org
36	bitbucket.org
68	bitbucket.org

pid	process
2676	DowloadX.exe

pid	process
2676	DowloadX.exe
2676	DowloadX.exe

C:\Users\Admin\AppData\Local\Temp\DowloadX.exe
"C:\Users\Admin\AppData\Local\Temp\DowloadX.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4268,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
1⤵
PID:456

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rbtewfvr.exe
Filesize
13KB

MD5
9be1a62473957b81339974b975689c93

SHA1
f8aa3105d3e332ff97dae8fffdd5cb5df0e6d455

SHA256
96e1f25ee8ccae23d8e63d98b4702f41d75aab870cc57182ac7320e48fc48d63

SHA512
cb2836d29ddd62c28d634d35340f1af925768402b39291e843e51d181031763936e9065169207b77ff7cc3c046f127e6f0e30d0ad324b7932d59aef75c8ae093

Download Submit
C:\Users\Admin\AppData\Roaming\rtgrefedewd.exe
Filesize
13KB

MD5
5a98ce9af4820312096fbbd1d07189e3

SHA1
d8eab6b04b5ce06d4f9f16368138669874f2ca5c

SHA256
1781cb8a9ca576315e629b60ff98d5e2ca30525a2fdd0c9beb6f8869be7fffaa

SHA512
da94a93f7d8bdb44d10dafd14284109e1a221491a8033067a36f2d48e250b74691e399191a297f5d6a71b6d8d48a9b6aa090c73884afdeed2a66db67a5995b73

Download Submit
memory/2676-18-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-7-0x0000000009E00000-0x0000000009E01000-memory.dmp

Filesize
4KB

Download
memory/2676-0-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-19-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-6-0x0000000009E30000-0x0000000009E31000-memory.dmp

Filesize
4KB

Download
memory/2676-4-0x0000000009E50000-0x0000000009E51000-memory.dmp

Filesize
4KB

Download
memory/2676-3-0x0000000009DB0000-0x0000000009DB1000-memory.dmp

Filesize
4KB

Download
memory/2676-2-0x0000000009E20000-0x0000000009E21000-memory.dmp

Filesize
4KB

Download
memory/2676-10-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-11-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-12-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-13-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-14-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-15-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-16-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-17-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-8-0x0000000009F70000-0x0000000009F71000-memory.dmp

Filesize
4KB

Download
memory/2676-20-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-9-0x0000000000401000-0x000000000045D000-memory.dmp

Filesize
368KB

Download
memory/2676-25-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-26-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-27-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-28-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-29-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-30-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-31-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-32-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-5-0x0000000009E10000-0x0000000009E11000-memory.dmp

Filesize
4KB

Download
memory/2676-43-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-44-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-45-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-46-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-1-0x0000000077B14000-0x0000000077B16000-memory.dmp

Filesize
8KB

Download
memory/2676-58-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-59-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/2676-60-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download