Analysis
- max time kernel: 23s
- max time network: 116s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 13:49
Static task: static1
Behavioral task: behavioral1
Sample: 1dfda4abbd51e74613b3ba1677af903e.exe
Resource: win7v20201028
General
- Target: 1dfda4abbd51e74613b3ba1677af903e.exe
- Size: 2.8MB
- MD5: 1dfda4abbd51e74613b3ba1677af903e
- SHA1: ad38064749d2fe61cd643ae285a3908bf8f9de57
- SHA256: e5b6669d36d5bc85497f953c51aac4dfe9d7b5ce1dd9b43e6c26d345eba35948
- SHA512: 0498240682315a996aadba546d64a7036d403fd252f041aac287b60b32a747c0093b0ef5e8d30dad3ac89f12d9ce22b71e8ef676afe5be1b315db3ebe0229687
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS version strings are read to detect sandboxes and virtual machines: on a VM, SystemBiosVersion and VideoBiosVersion typically carry the hypervisor vendor's strings rather than a physical OEM's.
  Processes:
    description         ioc                                                               process
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   1dfda4abbd51e74613b3ba1677af903e.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    1dfda4abbd51e74613b3ba1677af903e.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoCs)
  Wine is a compatibility layer that runs Windows applications on other operating systems and is used by some sandboxes as a lightweight execution environment. The HKCU\Software\Wine key exists only under Wine, so opening it is a cheap environment check.
  Processes:
    description   ioc                                                                            process
    Key opened    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine   1dfda4abbd51e74613b3ba1677af903e.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
1dfda4abbd51e74613b3ba1677af903e.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1dfda4abbd51e74613b3ba1677af903e.exe -
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow   ioc
    9      api.ipify.org
    17     ip-api.com
    8      api.ipify.org
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system. Note that the IoC here is a handle to the raw disk opened for modification, not a confirmed write to sector 0.
  Processes:
    description                    ioc                  process
    File opened for modification   \??\PhysicalDrive0   1dfda4abbd51e74613b3ba1677af903e.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Setting ThreadHideFromDebugger stops the thread from delivering debug events to an attached debugger, a common anti-debugging technique.
  Processes:
    pid    process
    3936   1dfda4abbd51e74613b3ba1677af903e.exe
- Program crash (1 IoCs)
  The sample crashed and was handled by Windows Error Reporting; WerFault.exe running from SysWOW64 shows the crashed process is 32-bit.
  Processes:
    pid    pid_target   process        target process
    3512   3936         WerFault.exe   1dfda4abbd51e74613b3ba1677af903e.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes:
    pid    process                                count
    3936   1dfda4abbd51e74613b3ba1677af903e.exe   4
    3512   WerFault.exe                           14
  The WerFault.exe entries are expected crash-reporting activity, not behavior of the sample.
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description                 pid    process
    Token: SeDebugPrivilege     3936   1dfda4abbd51e74613b3ba1677af903e.exe
    Token: SeRestorePrivilege   3512   WerFault.exe
    Token: SeBackupPrivilege    3512   WerFault.exe
    Token: SeDebugPrivilege     3512   WerFault.exe
  SeDebugPrivilege on the sample is the notable entry; WerFault.exe routinely enables restore, backup and debug privileges to capture the crash dump.
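The signatures above are each a rule over one kind of behavioural event (a registry value queried, a key opened, a DNS lookup, a raw-disk handle opened for write). As an added example that is not part of this report or the sandbox's own code, the following Python replays constructed events, built from the IoCs on this page plus benign filler that must not match, against rules modelled on the report's signatures and reproduces the per-signature IoC counts. The event tuple layout, the rule weights and the acceptance of the Win32 \\.\PhysicalDriveN form alongside the NT \??\PhysicalDriveN form seen here are this example's own assumptions.

```python
"""Added example (not part of the sandbox report): replay behavioural events
against rules modelled on the report's signatures.  SAMPLE_EVENTS is
constructed from the IoCs on the page plus benign filler; the tuple layout,
rule weights and the Win32 PhysicalDrive form are this example's assumptions."""
import re
from collections import defaultdict

# (signature name, event type the rule applies to, regex over the event target, weight)
RULES = [
    ("Checks BIOS information in registry", "reg_query",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I), 2),
    ("Identifies Wine through registry keys", "reg_open",
     re.compile(r"\\Software\\Wine$", re.I), 2),
    ("Checks whether UAC is enabled", "reg_query",
     re.compile(r"\\Policies\\System\\EnableLUA$", re.I), 1),
    ("Looks up external IP address via web service", "dns",
     re.compile(r"^(api\.ipify\.org|ip-api\.com)$", re.I), 1),
    # Assumption: both the NT path (\??\PhysicalDrive0, as in the report) and the
    # Win32 path (\\.\PhysicalDrive0) denote raw access to the whole disk.
    ("Writes to the Master Boot Record (MBR)", "file_open_write",
     re.compile(r"^\\(\?\?|\\\.)\\PhysicalDrive\d+$", re.I), 3),
]

SAMPLE = "1dfda4abbd51e74613b3ba1677af903e.exe"

# Constructed events: (pid, image name, event type, target).  The first eight
# mirror the report's IoCs; the last two are benign filler that must not match.
SAMPLE_EVENTS = [
    (3936, SAMPLE, "reg_query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (3936, SAMPLE, "reg_query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (3936, SAMPLE, "reg_open", r"\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine"),
    (3936, SAMPLE, "reg_query", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    (3936, SAMPLE, "dns", "api.ipify.org"),
    (3936, SAMPLE, "dns", "ip-api.com"),
    (3936, SAMPLE, "dns", "api.ipify.org"),
    (3936, SAMPLE, "file_open_write", r"\??\PhysicalDrive0"),
    (3936, SAMPLE, "reg_query", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"),
    (3512, "WerFault.exe", "file_open_write", r"C:\Users\Admin\AppData\Local\Temp\WER1234.tmp"),
]


def match_events(events):
    """Return {signature name: [(pid, image, target), ...]} for every rule hit."""
    hits = defaultdict(list)
    for pid, image, etype, target in events:
        for name, rtype, pattern, _weight in RULES:
            if etype == rtype and pattern.search(target):
                hits[name].append((pid, image, target))
    return dict(hits)


def ioc_counts(hits):
    """Per-signature IoC count, i.e. the 'N IoCs' figure shown in the report."""
    return {name: len(iocs) for name, iocs in hits.items()}


def anti_analysis_score(hits):
    """Sum the weights of the signatures that fired (a simple triage score)."""
    weights = {name: weight for name, _etype, _pattern, weight in RULES}
    return sum(weights[name] for name in hits)


def report(events):
    """Render hits in the same shape as the report's Signatures section."""
    hits = match_events(events)
    lines = []
    for name, iocs in hits.items():
        lines.append(f"- {name} ({len(iocs)} IoCs)")
        for pid, image, target in iocs:
            lines.append(f"    pid {pid} {image}: {target}")
    lines.append(f"anti-analysis score: {anti_analysis_score(hits)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EVENTS))
```

Run stand-alone it prints the five matched signatures with the same IoC counts as the report (2, 1, 1, 3, 1) and leaves the WerFault.exe temp-file write and the ProductName query unmatched. The rules key on the event type as well as the path, which is what keeps a benign read of an Uninstall key or a write to a user temp file from firing the disk-access rule.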
Processes
- C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe (depth 1, PID 3936)
  command line: "C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe"
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (depth 2, PID 3512)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 3288
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3512-12-0x0000000004850000-0x0000000004851000-memory.dmp (4KB)
- memory/3512-13-0x0000000004850000-0x0000000004851000-memory.dmp (4KB)
- memory/3512-15-0x0000000005100000-0x0000000005101000-memory.dmp (4KB)
- memory/3936-3-0x0000000005000000-0x0000000005001000-memory.dmp (4KB)
- memory/3936-2-0x0000000004800000-0x0000000004801000-memory.dmp (4KB)
- memory/3936-4-0x00000000731C0000-0x00000000738AE000-memory.dmp (6.9MB)
- memory/3936-5-0x00000000000F0000-0x00000000000F1000-memory.dmp (4KB)
- memory/3936-7-0x0000000006D00000-0x0000000006D01000-memory.dmp (4KB)
- memory/3936-8-0x0000000007D70000-0x0000000007DE0000-memory.dmp (448KB)
- memory/3936-9-0x0000000009050000-0x0000000009051000-memory.dmp (4KB)
- memory/3936-10-0x00000000090F0000-0x00000000090F1000-memory.dmp (4KB)
- memory/3936-11-0x0000000008F40000-0x0000000008F41000-memory.dmp (4KB)