Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 19:46
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.Heur.GM.0000436180.3443.31797.exe
- Resource: win7v20201028
General
- Target: SecuriteInfo.com.Trojan.Heur.GM.0000436180.3443.31797.exe
- Size: 8.8MB
- MD5: d447c6e8df8fd3b79d1d7e1ec8ad5411
- SHA1: 5226c9f0e797c8fdbf9a7394de7d17052a42ed3f
- SHA256: 5df9d385da1be061f071795513d09110756f4d08f9dc0ed9699206906309f3ba
- SHA512: 9ef34474b53d1dabf3413ea05a7ea02d6c90cb18b3412e2a450dc169fc615df4de13bcfe564d3c86e6881e8f51b22e08fdc96747d20dfdd0f9e1ea0dcc8f3e5a
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Executes dropped EXE 2 IoCs
  Processes (pid, process):
    1352 ivm31_protected.exe
    468 ivm32_protected.exe
- Checks BIOS information in registry 2 TTPs 6 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ivm31_protected.exe
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ivm31_protected.exe
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ivm32_protected.exe
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ivm32_protected.exe
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion SecuriteInfo.com.Trojan.Heur.GM.0000436180.3443.31797.exe
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion SecuriteInfo.com.Trojan.Heur.GM.0000436180.3443.31797.exe
- Loads dropped DLL 2 IoCs
  Processes (pid, process):
    1684 SecuriteInfo.com.Trojan.Heur.GM.0000436180.3443.31797.exe
    1684 SecuriteInfo.com.Trojan.Heur.GM.0000436180.3443.31797.exe
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Themida-packed (YARA rule "themida") 7 IoCs
  Processes (resource, yara_rule):
    behavioral1/memory/1684-0-0x0000000000400000-0x0000000001154000-memory.dmp themida
    \ProgramData\Gds\ivm31_protected.exe themida
    C:\ProgramData\Gds\ivm31_protected.exe themida
    behavioral1/memory/1352-4-0x0000000000400000-0x0000000000B13000-memory.dmp themida
    \ProgramData\Gds\ivm32_protected.exe themida
    C:\ProgramData\Gds\ivm32_protected.exe themida
    behavioral1/memory/468-8-0x0000000000990000-0x0000000001107000-memory.dmp themida
- Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
- Checks installed software on the system 1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled 3 IoCs
  Processes (description, ioc, process):
    Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SecuriteInfo.com.Trojan.Heur.GM.0000436180.3443.31797.exe
    Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ivm31_protected.exe
    Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ivm32_protected.exe
- Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
    8 ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  Processes (pid, process):
    1684 SecuriteInfo.com.Trojan.Heur.GM.0000436180.3443.31797.exe
    1352 ivm31_protected.exe
    468 ivm32_protected.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour (generic signature text; no file-encryption or ransom-note activity appears elsewhere in this report).
- Checks processor information in registry 2 TTPs 4 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ivm31_protected.exe
    Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ivm32_protected.exe
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ivm32_protected.exe
    Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ivm31_protected.exe
- Suspicious use of FindShellTrayWindow 13 IoCs
  Processes (pid, process):
    468 ivm32_protected.exe (12 events)
    1352 ivm31_protected.exe (1 event)
- Suspicious use of WriteProcessMemory 11 IoCs
  Processes (description, pid, process, target process):
    PID 1684 wrote to memory of 1352 | 1684 SecuriteInfo.com.Trojan.Heur.GM.0000436180.3443.31797.exe -> ivm31_protected.exe (4 events)
    PID 1684 wrote to memory of 468 | 1684 SecuriteInfo.com.Trojan.Heur.GM.0000436180.3443.31797.exe -> ivm32_protected.exe (7 events)
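The detection logic behind the signatures above, as an added example that is not part of the sandbox report or its engine: a small Python triage script that replays event tuples constructed from this report's IoC rows (the registry paths, PIDs, image names and dropped paths are the report's) through a rule table that mirrors the signature names. The event kinds, the rule table, the attribution of the ip-api.com flow to PID 468 and the hypervisor marker list used by looks_like_vm() are assumptions; the report does not say which strings the sample compares the BIOS and CPU values against.

```python
"""Replay sandbox-style events through rules that mirror the report's signatures.
Example code added beside the report; not the sandbox's own detection logic."""
from collections import defaultdict

SAMPLE = "SecuriteInfo.com.Trojan.Heur.GM.0000436180.3443.31797.exe"

# (kind, pid, image, detail). Constructed from the report's IoC rows; the event
# kinds are an assumption, as is attributing the ip-api.com flow to PID 468.
EVENTS = [
    ("regquery", 1684, SAMPLE, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("regquery", 1684, SAMPLE, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("regquery", 1684, SAMPLE, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    ("filewrite", 1684, SAMPLE, r"C:\ProgramData\Gds\ivm31_protected.exe"),
    ("filewrite", 1684, SAMPLE, r"C:\ProgramData\Gds\ivm32_protected.exe"),
    ("procmem", 1684, SAMPLE, "1352 ivm31_protected.exe"),
    ("procmem", 1684, SAMPLE, "468 ivm32_protected.exe"),
    ("exec", 1352, "ivm31_protected.exe", r"C:\ProgramData\Gds\ivm31_protected.exe"),
    ("regquery", 1352, "ivm31_protected.exe", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    ("regopen", 1352, "ivm31_protected.exe", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"),
    ("exec", 468, "ivm32_protected.exe", r"C:\ProgramData\Gds\ivm32_protected.exe"),
    ("regquery", 468, "ivm32_protected.exe", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("dns", 468, "ivm32_protected.exe", "ip-api.com"),
]

# Registry values whose reads the report tags as sandbox or UAC checks (paths from the report).
WATCHED_VALUES = {
    r"hardware\description\system\systembiosversion": "Checks BIOS information in registry",
    r"hardware\description\system\videobiosversion": "Checks BIOS information in registry",
    r"hardware\description\system\centralprocessor\0\processornamestring": "Checks processor information in registry",
    r"software\microsoft\windows\currentversion\policies\system\enablelua": "Checks whether UAC is enabled",
}
IP_LOOKUP_HOSTS = {"ip-api.com"}
# Assumption: substrings a VM-aware sample would look for in the BIOS/CPU strings it reads.
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "xen", "hyper-v", "virtual")


def classify_value(path):
    """Map a queried registry value path to the signature it triggers, or None."""
    p = path.lower()
    prefix = "\\registry\\machine\\"
    if p.startswith(prefix):
        p = p[len(prefix):]
    return WATCHED_VALUES.get(p)


def looks_like_vm(value):
    """True if a BIOS/CPU string carries a hypervisor marker (the comparison the sample is assumed to make)."""
    v = value.lower()
    return any(m in v for m in VM_MARKERS)


def triage(events):
    """Return ({pid: [signature names]}, {parent pid: [child pids it wrote into]})."""
    findings = defaultdict(set)
    dropped = set()            # executables written during the run
    children = defaultdict(set)
    for kind, pid, image, detail in events:
        if kind == "regquery":
            sig = classify_value(detail)
            if sig:
                findings[pid].add(sig)
        elif kind == "filewrite" and detail.lower().endswith(".exe"):
            dropped.add(detail.lower())
        elif kind == "exec" and detail.lower() in dropped:
            # "Executes dropped EXE": the image was created earlier in this run
            findings[pid].add("Executes dropped EXE")
        elif kind == "procmem":
            child_pid = int(detail.split()[0])
            children[pid].add(child_pid)
            findings[pid].add("Suspicious use of WriteProcessMemory")
        elif kind == "dns" and detail.lower() in IP_LOOKUP_HOSTS:
            findings[pid].add("Looks up external IP address via web service")
    return ({p: sorted(s) for p, s in findings.items()},
            {p: sorted(c) for p, c in children.items()})


if __name__ == "__main__":
    found, tree = triage(EVENTS)
    for pid in sorted(found):
        print(pid, found[pid])
    print("wrote into:", tree)
    # A VirtualBox guest reports a SystemBiosVersion containing "VBOX"; a physical Dell box does not.
    print(looks_like_vm("VBOX   - 1"), looks_like_vm("Dell Inc. - 1072009"))
```

The point of keeping "Executes dropped EXE" tied to a prior filewrite rather than to the C:\ProgramData path is that the signature is about provenance, not location: a legitimate installer also runs from ProgramData, but it does not first write the binary itself and then write into the child's memory.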
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Heur.GM.0000436180.3443.31797.exe (PID 1684, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Heur.GM.0000436180.3443.31797.exe"
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Gds\ivm31_protected.exe (PID 1352, depth 2, child of PID 1684)
    Command line: C:\ProgramData\Gds\ivm31_protected.exe
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious use of FindShellTrayWindow
  - C:\ProgramData\Gds\ivm32_protected.exe (PID 468, depth 2, child of PID 1684)
    Command line: C:\ProgramData\Gds\ivm32_protected.exe
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Gds\ivm31_protected.exe
  MD5: 2dda3a2654245e44f5d8cd4be80a04fd
  SHA1: 7bb9adec21c408a725a076ceb8ffb81ba8c55f48
  SHA256: 5709305078a574dbf0af0d3505c150eea0f038230cc40f0bec70cc6a2a8f600a
  SHA512: f70861e932104ec2b3bf6453c563b24f6f4ccd4007fbc58497f1028be32ebcf8cdb4f48d37d709abb69a97ee159a42866c2f0a25bdaa7da9e1691b2890d8e68e
- C:\ProgramData\Gds\ivm32_protected.exe
  MD5: 678176f2f866cdfad539a184265389bb
  SHA1: f553b7ef1bd99f4f6bf9c54b0a62dc6f8193adfc
  SHA256: 1460ebe8854d59d961931c68438254d372d04ca0bafef096d4d630644e0600fc
  SHA512: 79cd297c8ea8a37e232db2e6aeea0bda4153b92f75e33488cc6db99f8ca31c6614cac84b95ef40edeab79edc48a35e0adfa990c412a806ace67cab4cd344834e
- \ProgramData\Gds\ivm31_protected.exe (same file as C:\ProgramData\Gds\ivm31_protected.exe)
  MD5: 2dda3a2654245e44f5d8cd4be80a04fd
  SHA1: 7bb9adec21c408a725a076ceb8ffb81ba8c55f48
  SHA256: 5709305078a574dbf0af0d3505c150eea0f038230cc40f0bec70cc6a2a8f600a
  SHA512: f70861e932104ec2b3bf6453c563b24f6f4ccd4007fbc58497f1028be32ebcf8cdb4f48d37d709abb69a97ee159a42866c2f0a25bdaa7da9e1691b2890d8e68e
- \ProgramData\Gds\ivm32_protected.exe (same file as C:\ProgramData\Gds\ivm32_protected.exe)
  MD5: 678176f2f866cdfad539a184265389bb
  SHA1: f553b7ef1bd99f4f6bf9c54b0a62dc6f8193adfc
  SHA256: 1460ebe8854d59d961931c68438254d372d04ca0bafef096d4d630644e0600fc
  SHA512: 79cd297c8ea8a37e232db2e6aeea0bda4153b92f75e33488cc6db99f8ca31c6614cac84b95ef40edeab79edc48a35e0adfa990c412a806ace67cab4cd344834e
- memory/468-6-0x0000000000000000-mapping.dmp
- memory/468-8-0x0000000000990000-0x0000000001107000-memory.dmp (Filesize: 7.5MB)
- memory/1352-2-0x0000000000000000-mapping.dmp
- memory/1352-4-0x0000000000400000-0x0000000000B13000-memory.dmp (Filesize: 7.1MB)
- memory/1484-9-0x000007FEF81B0000-0x000007FEF842A000-memory.dmp (Filesize: 2.5MB)
- memory/1684-0-0x0000000000400000-0x0000000001154000-memory.dmp (Filesize: 13.3MB)