Analysis
- Max time kernel: 80s
- Max time network: 113s
- Platform: windows10_x64
- Resource: win10v200722
- Submitted: 30-09-2020 11:19
- Static task: static1
- Behavioral task: behavioral1
- Sample: build.exe
- Resource: win7
General
- Target: build.exe
- Size: 3.7MB
- MD5: 3f6e8330d2fee900c0f62733dd93d9d0
- SHA1: 3ba73e5b26aa98a99c5ed5fc98807e708c259ff9
- SHA256: 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c
- SHA512: 4e219292e3cfaa834fe4a80219096af1d34d49a844bba7777d8b0d3eb0ed2cbb21a9f4cfc9c4cc140d81422595d0dce0fec8066e3303fafb777123709a9e8c4e
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]
- Checks BIOS information in registry [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes: build.exe
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | build.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | build.exe
- Identifies Wine through registry keys [2 TTPs, 1 IoC]
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: build.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Wine | build.exe
- Reads user/profile data of web browsers [2 TTPs]
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoC]
  Processes: build.exe
    pid | process
    500 | build.exe
- Program crash [1 IoC]
  Processes: WerFault.exe
    pid | pid_target | process | target process
    2540 | 500 | WerFault.exe | build.exe
- Suspicious behavior: EnumeratesProcesses [17 IoCs]
  Processes: build.exe, WerFault.exe
    pid | process
    500 | build.exe
    500 | build.exe
    500 | build.exe
    2540 | WerFault.exe
    2540 | WerFault.exe
    2540 | WerFault.exe
    2540 | WerFault.exe
    2540 | WerFault.exe
    2540 | WerFault.exe
    2540 | WerFault.exe
    2540 | WerFault.exe
    2540 | WerFault.exe
    2540 | WerFault.exe
    2540 | WerFault.exe
    2540 | WerFault.exe
    2540 | WerFault.exe
    2540 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken [4 IoCs]
  Processes: build.exe, WerFault.exe
    description | pid | process
    Token: SeDebugPrivilege | 500 | build.exe
    Token: SeRestorePrivilege | 2540 | WerFault.exe
    Token: SeBackupPrivilege | 2540 | WerFault.exe
    Token: SeDebugPrivilege | 2540 | WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\build.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
   - Checks BIOS information in registry
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
2. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 500 -s 1480
   - Program crash
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/500-0-0x0000000004970000-0x0000000004971000-memory.dmp (Filesize: 4KB)
- memory/500-1-0x0000000005170000-0x0000000005171000-memory.dmp (Filesize: 4KB)
- memory/500-2-0x0000000073B80000-0x000000007426E000-memory.dmp (Filesize: 6.9MB)
- memory/500-3-0x0000000000A70000-0x0000000000A71000-memory.dmp (Filesize: 4KB)
- memory/500-5-0x0000000006E90000-0x0000000006E91000-memory.dmp (Filesize: 4KB)
- memory/500-6-0x00000000077B0000-0x00000000077B1000-memory.dmp (Filesize: 4KB)
- memory/500-7-0x0000000007B70000-0x0000000007B71000-memory.dmp (Filesize: 4KB)
- memory/500-8-0x0000000008110000-0x0000000008111000-memory.dmp (Filesize: 4KB)
- memory/2540-9-0x0000000004E10000-0x0000000004E11000-memory.dmp (Filesize: 4KB)
- memory/2540-10-0x0000000004E10000-0x0000000004E11000-memory.dmp (Filesize: 4KB)
- memory/2540-12-0x0000000005210000-0x0000000005211000-memory.dmp (Filesize: 4KB)
- memory/2540-13-0x0000000005700000-0x0000000005701000-memory.dmp (Filesize: 4KB)