Analysis
- max time kernel: 61s
- max time network: 122s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 17-11-2020 11:50
Static task: static1
Behavioral task: behavioral1
Sample: 57909398651a91b29a8227c1f9a20cf5.exe
Resource: win7v20201028
General
- Target: 57909398651a91b29a8227c1f9a20cf5.exe
- Size: 1.8MB
- MD5: a8e3681f598a5774afc6486938b47197
- SHA1: 7f203353ee72f272d0ddf26d8ba246c4b5087f6e
- SHA256: a8429eb5101ed8670ac61de438e40f73f9b0ce86d643d3184c89c15a866595fd
- SHA512: 6d7a54800159e50f621bcf0114833d8c338a98a7dccc08b05dac49403a129811ac416eb22fac271095b8cf7348658ae6b97d7d9782d875ba2667974e113bdaf6
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 57909398651a91b29a8227c1f9a20cf5.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 57909398651a91b29a8227c1f9a20cf5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 57909398651a91b29a8227c1f9a20cf5.exe
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 57909398651a91b29a8227c1f9a20cf5.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine | 57909398651a91b29a8227c1f9a20cf5.exe
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
22 | ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: 57909398651a91b29a8227c1f9a20cf5.exe
pid | process
4068 | 57909398651a91b29a8227c1f9a20cf5.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: 57909398651a91b29a8227c1f9a20cf5.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 57909398651a91b29a8227c1f9a20cf5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 57909398651a91b29a8227c1f9a20cf5.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: 57909398651a91b29a8227c1f9a20cf5.exe
pid | process
4068 | 57909398651a91b29a8227c1f9a20cf5.exe
4068 | 57909398651a91b29a8227c1f9a20cf5.exe
4068 | 57909398651a91b29a8227c1f9a20cf5.exe
4068 | 57909398651a91b29a8227c1f9a20cf5.exe
4068 | 57909398651a91b29a8227c1f9a20cf5.exe
4068 | 57909398651a91b29a8227c1f9a20cf5.exe
4068 | 57909398651a91b29a8227c1f9a20cf5.exe
4068 | 57909398651a91b29a8227c1f9a20cf5.exe
4068 | 57909398651a91b29a8227c1f9a20cf5.exe
4068 | 57909398651a91b29a8227c1f9a20cf5.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes: 57909398651a91b29a8227c1f9a20cf5.exe
description | pid | process | target process
PID 4068 wrote to memory of 3860 | 4068 | 57909398651a91b29a8227c1f9a20cf5.exe | cmd.exe
PID 4068 wrote to memory of 3860 | 4068 | 57909398651a91b29a8227c1f9a20cf5.exe | cmd.exe
PID 4068 wrote to memory of 3860 | 4068 | 57909398651a91b29a8227c1f9a20cf5.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\57909398651a91b29a8227c1f9a20cf5.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\57909398651a91b29a8227c1f9a20cf5.exe"
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2, child of the above)
    Command line: "C:\Windows\system32\cmd.exe" rd /s /q C:\ProgramData\6KZJV9HK34P7FW