b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1 | Triage

Analysis

max time kernel
118s
max time network
155s
platform
windows7_x64
resource
win7
submitted
14/07/2020, 06:02 UTC

Sharing

Report Analysis Logs

General

Target

b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe
Size

247KB
MD5

8f735d36e0240f220f8bedcfc4adcdf7
SHA1

a589c8010e4ac4c22b94e9bde1f8cac3f9603aaf
SHA256

b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1
SHA512

35361fe229dac4e96e526b033a3e0f2ca90a8f13130a2635b15ebaeb345f9d717cc5c42994eac7c986901456e820caefcc9bd50cdbec83e7e06da68d16f4174c

Score

9^/10

spyware evasion trojan

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1500	1496	b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe	25
PID 1496 wrote to memory of 1500	1496	b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe	25
PID 1496 wrote to memory of 1500	1496	b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe	25
PID 1496 wrote to memory of 1500	1496	b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe	25
PID 1496 wrote to memory of 1500	1496	b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe	25
PID 1496 wrote to memory of 1500	1496	b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe	25
PID 1496 wrote to memory of 1500	1496	b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe	25
PID 1496 wrote to memory of 1500	1496	b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe	25
PID 1496 wrote to memory of 1500	1496	b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe	25

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1500	b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1496 set thread context of 1500	1496	b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe	25

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

C:\Users\Admin\AppData\Local\Temp\b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe
"C:\Users\Admin\AppData\Local\Temp\b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
PID:1496
- C:\Users\Admin\AppData\Local\Temp\b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:1500

Network

DNS

checkip.dyndns.org

Remote address:

8.8.8.8:53

Request

checkip.dyndns.org

IN A

Response

checkip.dyndns.org

IN CNAME

checkip.dyndns.com

checkip.dyndns.com

IN A

131.186.113.70

checkip.dyndns.com

IN A

162.88.193.70

checkip.dyndns.com

IN A

131.186.161.70

checkip.dyndns.com

IN A

216.146.43.71

checkip.dyndns.com

IN A

216.146.43.70
GET

http://checkip.dyndns.org/

b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

Remote address:

131.186.113.70:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Type: text/html
Server: DynDNS-CheckIP/1.2.0
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 104
GET

http://checkip.dyndns.org/

b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

Remote address:

131.186.113.70:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 104
DNS

freegeoip.app

Remote address:

8.8.8.8:53

Request

freegeoip.app

IN A

Response

freegeoip.app

IN A

172.67.188.154

freegeoip.app

IN A

104.28.5.151

freegeoip.app

IN A

104.28.4.151
GET

https://freegeoip.app/xml/154.61.71.51

b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

Remote address:

172.67.188.154:443

Request

GET /xml/154.61.71.51 HTTP/1.1
Host: freegeoip.app
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jul 2020 06:02:57 GMT
Content-Type: application/xml
Content-Length: 334
Connection: keep-alive
Set-Cookie: __cfduid=dcae77768eca3dab66cdaa46c7a0fcaac1594706577; expires=Thu, 13-Aug-20 06:02:57 GMT; path=/; domain=.freegeoip.app; HttpOnly; SameSite=Lax; Secure
Vary: Origin
X-Database-Date: Thu, 09 Jul 2020 05:24:20 GMT
X-Ratelimit-Limit: 15000
X-Ratelimit-Remaining: 14999
X-Ratelimit-Reset: 3600
CF-Cache-Status: DYNAMIC
cf-request-id: 03ed8461740000d91184320200000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 5b2909af2b09d911-AMS
GET

https://freegeoip.app/xml/154.61.71.51

b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

Remote address:

172.67.188.154:443

Request

GET /xml/154.61.71.51 HTTP/1.1
Host: freegeoip.app

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jul 2020 06:03:00 GMT
Content-Type: application/xml
Content-Length: 334
Connection: keep-alive
Set-Cookie: __cfduid=d8649c478c3301c5932d3f7b444b3072a1594706580; expires=Thu, 13-Aug-20 06:03:00 GMT; path=/; domain=.freegeoip.app; HttpOnly; SameSite=Lax; Secure
Vary: Origin
X-Database-Date: Thu, 09 Jul 2020 05:24:20 GMT
X-Ratelimit-Limit: 15000
X-Ratelimit-Remaining: 14998
X-Ratelimit-Reset: 3597
CF-Cache-Status: DYNAMIC
cf-request-id: 03ed846bce0000d9118436f200000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 5b2909bfbe19d911-AMS
GET

https://freegeoip.app/xml/154.61.71.51

b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

Remote address:

172.67.188.154:443

Request

GET /xml/154.61.71.51 HTTP/1.1
Host: freegeoip.app

Response

HTTP/1.1 200 OK

Date: Tue, 14 Jul 2020 06:03:03 GMT
Content-Type: application/xml
Content-Length: 334
Connection: keep-alive
Set-Cookie: __cfduid=d311187b7970a28a078c72fe861d3202f1594706583; expires=Thu, 13-Aug-20 06:03:03 GMT; path=/; domain=.freegeoip.app; HttpOnly; SameSite=Lax; Secure
Vary: Origin
X-Database-Date: Thu, 09 Jul 2020 05:24:20 GMT
X-Ratelimit-Limit: 15000
X-Ratelimit-Remaining: 14997
X-Ratelimit-Reset: 3595
CF-Cache-Status: DYNAMIC
cf-request-id: 03ed8476350000d911843ac200000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 5b2909d05968d911-AMS
GET

http://checkip.dyndns.org/

b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

Remote address:

131.186.113.70:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Content-Type: text/html
Server: DynDNS-CheckIP/1.2.0
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 104
GET

http://checkip.dyndns.org/

b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

Remote address:

131.186.113.70:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 104
GET

http://checkip.dyndns.org/

b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

Remote address:

131.186.113.70:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Response

HTTP/1.1 200 OK

Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 104
DNS

mail.salujaford.in

Remote address:

8.8.8.8:53

Request

mail.salujaford.in

IN A

Response

mail.salujaford.in

IN A

199.101.134.84

131.186.113.70:80

http://checkip.dyndns.org/

http

b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

381 B
465 B
5
5

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200
131.186.113.70:80

http://checkip.dyndns.org/

http

b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

357 B
465 B
5
5

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200
172.67.188.154:443

https://freegeoip.app/xml/154.61.71.51

tls, http

b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

1.1kB
7.1kB
13
12

HTTP Request

GET https://freegeoip.app/xml/154.61.71.51

HTTP Response

200

HTTP Request

GET https://freegeoip.app/xml/154.61.71.51

HTTP Response

200

HTTP Request

GET https://freegeoip.app/xml/154.61.71.51

HTTP Response

200
131.186.113.70:80

http://checkip.dyndns.org/

http

b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

357 B
473 B
5
5

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200
131.186.113.70:80

http://checkip.dyndns.org/

http

b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

357 B
465 B
5
5

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200
131.186.113.70:80

http://checkip.dyndns.org/

http

b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

357 B
465 B
5
5

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200
199.101.134.84:587

mail.salujaford.in

smtp-submission

b2a788fd71a0f4b05dca86d0b8d44abd718261d0fe9cb2f6a947b87987d11cd1.exe

3.5kB
4.8kB
22
22

10.7.0.255:137

netbios-ns

1.5kB
19
10.7.0.255:138

netbios-dgm

458 B
2
224.0.0.252:5355

100 B
2
8.8.8.8:53

checkip.dyndns.org

dns

64 B
176 B
1
1

DNS Request

checkip.dyndns.org

DNS Response

131.186.113.70

162.88.193.70

131.186.161.70

216.146.43.71

216.146.43.70
224.0.0.252:5355

100 B
2
224.0.0.252:5355

100 B
2
8.8.8.8:53

freegeoip.app

dns

59 B
107 B
1
1

DNS Request

freegeoip.app

DNS Response

172.67.188.154

104.28.5.151

104.28.4.151
224.0.0.252:5355

100 B
2
224.0.0.252:5355

100 B
2
224.0.0.252:5355

100 B
2
8.8.8.8:53

mail.salujaford.in

dns

64 B
80 B
1
1

DNS Request

mail.salujaford.in

DNS Response

199.101.134.84
239.255.255.250:1900

966 B
6
239.255.255.250:1900

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1500-2-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1500-4-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1500-5-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download