Analysis
max time kernel: 146s
max time network: 149s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 19:45
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe
Resource: win7v20201028
General
Target: SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe
Size: 8.9MB
MD5: a76688ac6e0e987395dbf946556b5354
SHA1: b43bcf90a79164d553bb2b5cb0b4dfe9032074fa
SHA256: 68e0c8bcb14bc94813d8c6494966d1f32b60ccca1fb9d80996707abeee3d2db5
SHA512: 1eba98221d365c7e47a1f016874da214e9944fe4eb6b5d989039ba2dd7f6e7da56df21226a48dd9666e31bb912cdcd6645f5b35746e56ed3d37a0b518468b068
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Executes dropped EXE (2 IoCs)
Processes:
pid   process
3144  ivm21_protected.exe
2720  ivm22_protected.exe
Checks BIOS information in registry (2 TTPs, 6 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                              process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   ivm22_protected.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  ivm21_protected.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   ivm21_protected.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  ivm22_protected.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource                                                                    yara_rule
behavioral2/memory/984-0-0x0000000000400000-0x000000000117E000-memory.dmp   themida
C:\ProgramData\Gds\ivm21_protected.exe                                      themida
C:\ProgramData\Gds\ivm21_protected.exe                                      themida
behavioral2/memory/3144-4-0x0000000000400000-0x0000000000AF6000-memory.dmp  themida
C:\ProgramData\Gds\ivm22_protected.exe                                      themida
C:\ProgramData\Gds\ivm22_protected.exe                                      themida
behavioral2/memory/2720-8-0x0000000000A80000-0x0000000001286000-memory.dmp  themida
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
Processes:
description        ioc                                                                                 process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  ivm21_protected.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  ivm22_protected.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
15    ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
Processes:
pid   process
984   SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe
3144  ivm21_protected.exe
2720  ivm22_protected.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                              process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                  SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                  ivm22_protected.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  ivm22_protected.exe
Suspicious use of FindShellTrayWindow (12 IoCs)
Processes:
pid   process
2720  ivm22_protected.exe (12 identical entries)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                        pid  process                                                      target process
PID 984 wrote to memory of 3144    984  SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe  ivm21_protected.exe
PID 984 wrote to memory of 3144    984  SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe  ivm21_protected.exe
PID 984 wrote to memory of 3144    984  SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe  ivm21_protected.exe
PID 984 wrote to memory of 2720    984  SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe  ivm22_protected.exe
PID 984 wrote to memory of 2720    984  SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe  ivm22_protected.exe
PID 984 wrote to memory of 2720    984  SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe  ivm22_protected.exe
Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe"
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of WriteProcessMemory

  C:\ProgramData\Gds\ivm21_protected.exe (depth 2)
  Command line: C:\ProgramData\Gds\ivm21_protected.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

  C:\ProgramData\Gds\ivm22_protected.exe (depth 2)
  Command line: C:\ProgramData\Gds\ivm22_protected.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\Gds\ivm21_protected.exe
MD5 84347d04b3e6e98b141cb2298db3372e
SHA1 cb0896f02c03d178bfbe82945f27cbd2adbb4ac0
SHA256 0a257754888ca8677ca918fe37e2661f3ea01b3672304066b3aba2d22597166b
SHA512 3aba011f37f6e74c4b709ff195a8e27a4bd5176fd2f20a8b93935a02c58f00a7daed699d2870fa21797fb307e5aa0b0e856a6938e288912daaf91fef1df5a43c

C:\ProgramData\Gds\ivm22_protected.exe
MD5 15a9614f7734c084e9a95b24b16347d9
SHA1 a998de208e92ae8f0cc7e66f86add4572eb9c1d8
SHA256 91900443f4af150dfff33936e60a39b0dbf10c49d501b7e3430202e7987eeb9b
SHA512 9c29707efced04735f112f3c4a6a94fcdbfc2bb67b398c98b260ef6fa171d3391b419db64447b30e013257048ced49bdae0c00ebdb5c631107a9566155b48b52

memory/984-0-0x0000000000400000-0x000000000117E000-memory.dmp
Filesize 13.5MB

memory/2720-5-0x0000000000000000-mapping.dmp

memory/2720-8-0x0000000000A80000-0x0000000001286000-memory.dmp
Filesize 8.0MB

memory/3144-1-0x0000000000000000-mapping.dmp

memory/3144-4-0x0000000000400000-0x0000000000AF6000-memory.dmp
Filesize 7.0MB