Analysis
- max time kernel: 13s
- max time network: 15s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-12-2020 13:49

Static task: static1
Behavioral task: behavioral1
Sample: 1dfda4abbd51e74613b3ba1677af903e.exe
Resource: win7v20201028
General
- Target: 1dfda4abbd51e74613b3ba1677af903e.exe
- Size: 2.8MB
- MD5: 1dfda4abbd51e74613b3ba1677af903e
- SHA1: ad38064749d2fe61cd643ae285a3908bf8f9de57
- SHA256: e5b6669d36d5bc85497f953c51aac4dfe9d7b5ce1dd9b43e6c26d345eba35948
- SHA512: 0498240682315a996aadba546d64a7036d403fd252f041aac287b60b32a747c0093b0ef5e8d30dad3ac89f12d9ce22b71e8ef676afe5be1b315db3ebe0229687
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]
- Checks BIOS information in registry [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1dfda4abbd51e74613b3ba1677af903e.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1dfda4abbd51e74613b3ba1677af903e.exe
- Identifies Wine through registry keys [2 TTPs, 1 IoC]
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Wine | 1dfda4abbd51e74613b3ba1677af903e.exe
- Checks whether UAC is enabled
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1dfda4abbd51e74613b3ba1677af903e.exe
- Looks up external IP address via web service [2 IoCs]
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    4 | api.ipify.org
    5 | api.ipify.org
- Writes to the Master Boot Record (MBR) [1 TTP, 1 IoC]
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description | ioc | process):
    File opened for modification | \??\PhysicalDrive0 | 1dfda4abbd51e74613b3ba1677af903e.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoC]
  Processes (pid | process):
    1636 | 1dfda4abbd51e74613b3ba1677af903e.exe
- Program crash [1 IoC]
  Processes (pid | pid_target | process | target process):
    1052 | 1636 | WerFault.exe | 1dfda4abbd51e74613b3ba1677af903e.exe
- Suspicious behavior: EnumeratesProcesses [6 IoCs]
  Processes (pid | process):
    1636 | 1dfda4abbd51e74613b3ba1677af903e.exe
    1052 | WerFault.exe
    1052 | WerFault.exe
    1052 | WerFault.exe
    1052 | WerFault.exe
    1052 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken [2 IoCs]
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1636 | 1dfda4abbd51e74613b3ba1677af903e.exe
    Token: SeDebugPrivilege | 1052 | WerFault.exe
- Suspicious use of WriteProcessMemory [4 IoCs]
  Processes (description | pid | process | target process):
    PID 1636 wrote to memory of 1052 | 1636 | 1dfda4abbd51e74613b3ba1677af903e.exe | WerFault.exe
    PID 1636 wrote to memory of 1052 | 1636 | 1dfda4abbd51e74613b3ba1677af903e.exe | WerFault.exe
    PID 1636 wrote to memory of 1052 | 1636 | 1dfda4abbd51e74613b3ba1677af903e.exe | WerFault.exe
    PID 1636 wrote to memory of 1052 | 1636 | 1dfda4abbd51e74613b3ba1677af903e.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe (depth 1, PID 1636)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe"
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (depth 2, PID 1052)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1912
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1052-7-0x0000000000000000-mapping.dmp
- memory/1052-8-0x0000000002260000-0x0000000002271000-memory.dmp (68KB)
- memory/1052-11-0x0000000002730000-0x0000000002741000-memory.dmp (68KB)
- memory/1636-3-0x0000000004DF0000-0x0000000004E01000-memory.dmp (68KB)
- memory/1636-2-0x00000000049E0000-0x00000000049F1000-memory.dmp (68KB)
- memory/1636-4-0x0000000074590000-0x0000000074C7E000-memory.dmp (6.9MB)
- memory/1636-5-0x0000000000EE0000-0x0000000000EE1000-memory.dmp (4KB)