Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 24-11-2020 10:12
Static task: static1
Behavioral task: behavioral1
Sample: Setup.exe
Resource: win7v20201028
General
- Target: Setup.exe
- Size: 4.5MB
- MD5: 6c1376ee49b7f498dbb54a22fa0abe55
- SHA1: cd2e6f21e5bc1b856048f12b137047dfa5ce67f7
- SHA256: 5ac86c67c41dda69959c312d84f64e389314178b7011202987b47dbb31f48a56
- SHA512: 24c23becf36fda4bda041991ecdb23fd69cb6b391d80cdb3d5d009d3a2e4100c7dc1971115a1d88f693a9c5ef5f780b069b74b7c9b76be31a39d39e785ce5209
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Executes dropped EXE 3 IoCs
  Processes (pid, process):
    2712  fekli.exe
    2796  Notepad2.exe
    2960  prans.exe
- Checks BIOS information in registry 2 TTPs 4 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  fekli.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  fekli.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  prans.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  prans.exe
- Identifies Wine through registry keys 2 TTPs 2 IoCs
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine  fekli.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine  prans.exe
- Loads dropped DLL 1 IoCs
  Processes (pid, process):
    2604  Setup.exe
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
- Checks installed software on the system 1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 1 TTPs
- Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
    16  ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  Processes (pid, process):
    2712  fekli.exe
    2960  prans.exe
- Drops file in Program Files directory 3 IoCs
  Processes (description, ioc, process):
    File created  C:\Program Files (x86)\Sync\Back\plan\Notepad2.exe  Setup.exe
    File created  C:\Program Files (x86)\Sync\Back\plan\fekli.exe  Setup.exe
    File created  C:\Program Files (x86)\Sync\Back\plan\prans.exe  Setup.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  fekli.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  fekli.exe
- Modifies system certificate store
  Processes (description, ioc, process):
    Set value (data)  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = 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  prans.exe
    Key created  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C  prans.exe
    Set value (data)  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 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  prans.exe
    Key created  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB  prans.exe
- Suspicious behavior: EnumeratesProcesses 4 IoCs
  Processes (pid, process):
    2712  fekli.exe (2 entries)
    2960  prans.exe (2 entries)
- Suspicious use of FindShellTrayWindow 12 IoCs
  Processes (pid, process):
    2712  fekli.exe (12 entries)
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes (description, pid, process, target process):
    PID 2604 wrote to memory of 2712  2604  Setup.exe  fekli.exe (3 entries)
    PID 2604 wrote to memory of 2796  2604  Setup.exe  Notepad2.exe (3 entries)
    PID 2604 wrote to memory of 2960  2604  Setup.exe  prans.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Sync\Back\plan\fekli.exe (child of Setup.exe)
    Command line: "C:\Program Files (x86)\Sync\Back\plan\fekli.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
  - C:\Program Files (x86)\Sync\Back\plan\Notepad2.exe (child of Setup.exe)
    Command line: "C:\Program Files (x86)\Sync\Back\plan\Notepad2.exe"
    - Executes dropped EXE
  - C:\Program Files (x86)\Sync\Back\plan\prans.exe (child of Setup.exe)
    Command line: "C:\Program Files (x86)\Sync\Back\plan\prans.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\Sync\Back\plan\Notepad2.exe
  MD5: b60d390ba42c0109ee38de2e0ca56e1a
  SHA1: 735a4eb61fe695c9bd2c9961f5fa41ac5a73d833
  SHA256: 9ac61841c5a9716c04d632f9d107a17e94af751573a50b9d2c1d5ce26e32b477
  SHA512: 97d17a96a5773f2c8c78a1b985e75314c0ad8a5d9188b6e3d327b1445c04b15b99bd1697b8b12e4f3e56d040e5570f9e7b938e4d67cacca03a947093a082dc24
- C:\Program Files (x86)\Sync\Back\plan\fekli.exe
  MD5: d1cb4f929e3550e74225a483b00ccd51
  SHA1: 5fbbd071a6372c62f2632e10e5e875ea55796b0a
  SHA256: e697032121e7de781f045c52db959bf8c8297d556ddf280c51a91e4049abd387
  SHA512: a8ecc9dfd12c342826dea42caa62c1dc63e5ff0acdce388b3bac4966685cf488bc97ae30bd229e43c2011c582ea15a26c95bf7792786dd87dd639f74d7105b10
- C:\Program Files (x86)\Sync\Back\plan\prans.exe
  MD5: 17d56acc844bc4834764292c4c85c80e
  SHA1: 6c58331f1f30e1c0562e5523c832a70e631bacd4
  SHA256: 2ccc99d14f57afd604e7872c4bc8ea651cb9e8281c537b055ae4b594507e2155
  SHA512: 888c02f5f2768b051d8f9c30f5426b3df6757fc19146ac3bf2ffee80745ceecfc3856dfd911a305923a383349891c56b684a279287d0577526f62f882028d9c2
- \Users\Admin\AppData\Local\Temp\nsr3D5E.tmp\UAC.dll
  MD5: adb29e6b186daa765dc750128649b63d
  SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
  SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
  SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
- memory/2712-1-0x0000000000000000-mapping.dmp
- memory/2712-9-0x00000000049B0000-0x00000000049B1000-memory.dmp (Filesize: 4KB)
- memory/2712-10-0x00000000051B0000-0x00000000051B1000-memory.dmp (Filesize: 4KB)
- memory/2796-4-0x0000000000000000-mapping.dmp
- memory/2960-7-0x0000000000000000-mapping.dmp
- memory/2960-11-0x00000000098E0000-0x00000000098E1000-memory.dmp (Filesize: 4KB)
- memory/2960-12-0x000000000A0E0000-0x000000000A0E1000-memory.dmp (Filesize: 4KB)
- memory/2960-13-0x00000000098E0000-0x00000000098E1000-memory.dmp (Filesize: 4KB)