0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725

Analysis

max time kernel
129s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
18-11-2020 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe
Size

1.8MB
MD5

bbef6ebebc3e5783028e5d315f359fcf
SHA1

d2bc520851f23d3bdafbf338d8c0619935081862
SHA256

0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725
SHA512

4fccce85d3eec403fc4eac1ec5e1e2830e000fda9d9d4a04dc60c7a45826d06f41eec6fa4ed054060143ae49205822cd80ce56ce9afc965bff95627038dc8184

Score

9^/10

discovery evasion spyware

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blacklisted process makes network request 1 IoCs

Processes:

RUNDLL32.EXE

flow pid process

30 4052 RUNDLL32.EXE
Executes dropped EXE 1 IoCs

Processes:

synrusykmpc.exe

pid process

3332 synrusykmpc.exe

flow	pid	process
30	4052	RUNDLL32.EXE

pid	process
3332	synrusykmpc.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine	0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

200 rundll32.exe
200 rundll32.exe
4052 RUNDLL32.EXE
4052 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe

pid process

912 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe

pid	process
200	rundll32.exe
200	rundll32.exe
4052	RUNDLL32.EXE
4052	RUNDLL32.EXE

flow	ioc
17	ip-api.com

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exepowershell.exeRUNDLL32.EXEpowershell.exe

pid	process
912	0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe
912	0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe
1076	powershell.exe
1076	powershell.exe
1076	powershell.exe
4052	RUNDLL32.EXE
4052	RUNDLL32.EXE
3748	powershell.exe
3748	powershell.exe
3748	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	200	rundll32.exe
Token: SeDebugPrivilege	4052	RUNDLL32.EXE
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	3748	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

4052 RUNDLL32.EXE

pid	process
4052	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.execmd.exesynrusykmpc.exerundll32.exeRUNDLL32.EXE

description	pid	process	target process
PID 912 wrote to memory of 2688	912	0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe	cmd.exe
PID 912 wrote to memory of 2688	912	0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe	cmd.exe
PID 912 wrote to memory of 2688	912	0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe	cmd.exe
PID 912 wrote to memory of 3780	912	0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe	cmd.exe
PID 912 wrote to memory of 3780	912	0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe	cmd.exe
PID 912 wrote to memory of 3780	912	0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe	cmd.exe
PID 912 wrote to memory of 2404	912	0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe	cmd.exe
PID 912 wrote to memory of 2404	912	0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe	cmd.exe
PID 912 wrote to memory of 2404	912	0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe	cmd.exe
PID 2404 wrote to memory of 3332	2404	cmd.exe	synrusykmpc.exe
PID 2404 wrote to memory of 3332	2404	cmd.exe	synrusykmpc.exe
PID 2404 wrote to memory of 3332	2404	cmd.exe	synrusykmpc.exe
PID 3332 wrote to memory of 200	3332	synrusykmpc.exe	rundll32.exe
PID 3332 wrote to memory of 200	3332	synrusykmpc.exe	rundll32.exe
PID 3332 wrote to memory of 200	3332	synrusykmpc.exe	rundll32.exe
PID 200 wrote to memory of 4052	200	rundll32.exe	RUNDLL32.EXE
PID 200 wrote to memory of 4052	200	rundll32.exe	RUNDLL32.EXE
PID 200 wrote to memory of 4052	200	rundll32.exe	RUNDLL32.EXE
PID 4052 wrote to memory of 1076	4052	RUNDLL32.EXE	powershell.exe
PID 4052 wrote to memory of 1076	4052	RUNDLL32.EXE	powershell.exe
PID 4052 wrote to memory of 1076	4052	RUNDLL32.EXE	powershell.exe
PID 4052 wrote to memory of 3748	4052	RUNDLL32.EXE	powershell.exe
PID 4052 wrote to memory of 3748	4052	RUNDLL32.EXE	powershell.exe
PID 4052 wrote to memory of 3748	4052	RUNDLL32.EXE	powershell.exe

C:\Users\Admin\AppData\Local\Temp\0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe
"C:\Users\Admin\AppData\Local\Temp\0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\njooieqkywl.exe"
2⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\rvjthghq.exe"
2⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\synrusykmpc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Users\Admin\AppData\Local\Temp\synrusykmpc.exe
"C:\Users\Admin\AppData\Local\Temp\synrusykmpc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\3B4770~1.DLL,A C:\Users\Admin\AppData\Local\Temp\SYNRUS~1.EXE
4⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:200

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\3B4770~1.DLL,SjYU
5⤵
- Blacklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpF523.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp504.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1620de4e0618ef061ee4efa6e9f298c2

SHA1
4a12526d91c69142d268756a34601bf9563dee79

SHA256
c99b78b6117d05f602d52c30c038141e53bed7835a557d91ddace9a7b7e225b4

SHA512
59d874085b3538e03e431594d13c5f0b55e99170c86028bd7fe2065cee48dac8b3e24e6d13515dbfab9feca68b974b6c69df6149cf62ae0119bc78c26dda5515

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B4770~1.DLL
MD5
e808d8d7c58ba9976bef24c39d46d937

SHA1
a9a0124804e066e5deac7eb01ad2766ab9421ff3

SHA256
7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820

SHA512
a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63

Download Submit
C:\Users\Admin\AppData\Local\Temp\synrusykmpc.exe
MD5
a33b9ec0c69e7fd92e4cd164525ba80d

SHA1
0bcb9110767e532c126b7a87d5fd575ce2674150

SHA256
e3436e21f5a7e149a574d215edbf85f3853ad0e51db24081698fb891584dfd0e

SHA512
37af035cc916f22bb0ee56c8324e693813b6fc23da9e47d6b5c96811ae9ab7777c31b38f350860037adfb87386b07f4c126c4c7d68e6a454d03d68bd26455cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\synrusykmpc.exe
MD5
a33b9ec0c69e7fd92e4cd164525ba80d

SHA1
0bcb9110767e532c126b7a87d5fd575ce2674150

SHA256
e3436e21f5a7e149a574d215edbf85f3853ad0e51db24081698fb891584dfd0e

SHA512
37af035cc916f22bb0ee56c8324e693813b6fc23da9e47d6b5c96811ae9ab7777c31b38f350860037adfb87386b07f4c126c4c7d68e6a454d03d68bd26455cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp504.tmp.ps1
MD5
965715bed17aa399768fe259d71b8654

SHA1
9bae7e8fc9d28882d5811cd82cc5d8edac4b7d61

SHA256
c80fb2c09c808e1942e89760cb3b3491378c7d5895a2ee093ef2dd7beb147203

SHA512
5a3b37fffdc2aa8a5c0707eaa3ad8aaece550a625c23963aa1884611fe43d9d52d1fe8ca3eea29cfb67e786e98b788104e62dbff4612979a440b902cc12a27ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF523.tmp.ps1
MD5
90548453eb0005c0cfc523066506728e

SHA1
54cfc1e2e32985c245d6ca59e4f44ec4bf5e2f39

SHA256
0ccc5e8b29a691db5216bc87987ca1ca2d86b7ac613bccfc00c3ea6de0a82caa

SHA512
ae832f581200a8be1ed6997d772e067a8103808b47d61611108c90050d8201632b90e9ea59ecc2970125e1d0d68f62aad8aaa5a60896f1ef8b6332c80cb55ef3

Download Submit
\Users\Admin\AppData\Local\Temp\3B4770~1.DLL
MD5
e808d8d7c58ba9976bef24c39d46d937

SHA1
a9a0124804e066e5deac7eb01ad2766ab9421ff3

SHA256
7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820

SHA512
a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63

Download Submit
\Users\Admin\AppData\Local\Temp\3B4770~1.DLL
MD5
e808d8d7c58ba9976bef24c39d46d937

SHA1
a9a0124804e066e5deac7eb01ad2766ab9421ff3

SHA256
7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820

SHA512
a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63

Download Submit
\Users\Admin\AppData\Local\Temp\3B4770~1.DLL
MD5
e808d8d7c58ba9976bef24c39d46d937

SHA1
a9a0124804e066e5deac7eb01ad2766ab9421ff3

SHA256
7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820

SHA512
a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63

Download Submit
\Users\Admin\AppData\Local\Temp\3B4770~1.DLL
MD5
e808d8d7c58ba9976bef24c39d46d937

SHA1
a9a0124804e066e5deac7eb01ad2766ab9421ff3

SHA256
7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820

SHA512
a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63

Download Submit
memory/200-15-0x0000000004C90000-0x00000000052E8000-memory.dmp

Filesize
6.3MB

Download
memory/200-11-0x0000000000000000-mapping.dmp

Download
memory/912-1-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/912-0-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/1076-33-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/1076-38-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

Filesize
4KB

Download
memory/1076-28-0x0000000000000000-mapping.dmp

Download
memory/1076-29-0x0000000070D40000-0x000000007142E000-memory.dmp

Filesize
6.9MB

Download
memory/1076-30-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/1076-31-0x0000000006D00000-0x0000000006D01000-memory.dmp

Filesize
4KB

Download
memory/1076-32-0x0000000006C40000-0x0000000006C41000-memory.dmp

Filesize
4KB

Download
memory/1076-37-0x0000000007F00000-0x0000000007F01000-memory.dmp

Filesize
4KB

Download
memory/1076-34-0x0000000007330000-0x0000000007331000-memory.dmp

Filesize
4KB

Download
memory/1076-35-0x0000000007580000-0x0000000007581000-memory.dmp

Filesize
4KB

Download
memory/1076-36-0x00000000078D0000-0x00000000078D1000-memory.dmp

Filesize
4KB

Download
memory/2404-4-0x0000000000000000-mapping.dmp

Download
memory/2688-2-0x0000000000000000-mapping.dmp

Download
memory/3332-10-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/3332-5-0x0000000000000000-mapping.dmp

Download
memory/3332-6-0x0000000000000000-mapping.dmp

Download
memory/3748-40-0x0000000000000000-mapping.dmp

Download
memory/3748-42-0x0000000070820000-0x0000000070F0E000-memory.dmp

Filesize
6.9MB

Download
memory/3748-48-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download
memory/3748-51-0x0000000008270000-0x0000000008271000-memory.dmp

Filesize
4KB

Download
memory/3780-3-0x0000000000000000-mapping.dmp

Download
memory/4052-24-0x0000000004B00000-0x0000000005158000-memory.dmp

Filesize
6.3MB

Download
memory/4052-21-0x0000000000000000-mapping.dmp

Download