Analysis Overview
SHA256
e5b6669d36d5bc85497f953c51aac4dfe9d7b5ce1dd9b43e6c26d345eba35948
Threat Level: Known bad
The file 1dfda4abbd51e74613b3ba1677af903e was found to be: Known bad.
Malicious Activity Summary
Echelon
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Reads user/profile data of web browsers
Identifies Wine through registry keys
Writes to the Master Boot Record (MBR)
Checks whether UAC is enabled
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-03-05 09:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-12-14 13:49
Reported
2020-12-14 13:52
Platform
win7v20201028
Max time kernel
13s
Max time network
15s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1636 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1636 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1636 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1636 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe
"C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1912
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.220.115:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp |
Files
memory/1636-3-0x0000000004DF0000-0x0000000004E01000-memory.dmp
memory/1636-2-0x00000000049E0000-0x00000000049F1000-memory.dmp
memory/1636-4-0x0000000074590000-0x0000000074C7E000-memory.dmp
memory/1636-5-0x0000000000EE0000-0x0000000000EE1000-memory.dmp
memory/1052-7-0x0000000000000000-mapping.dmp
memory/1052-8-0x0000000002260000-0x0000000002271000-memory.dmp
memory/1052-11-0x0000000002730000-0x0000000002741000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-12-14 13:49
Reported
2020-12-14 13:52
Platform
win10v20201028
Max time kernel
23s
Max time network
116s
Command Line
Signatures
Echelon
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe
"C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 3288
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.42.25:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | www.msftconnecttest.com | udp |
| N/A | 13.107.4.52:80 | www.msftconnecttest.com | tcp |
Files
memory/3936-3-0x0000000005000000-0x0000000005001000-memory.dmp
memory/3936-2-0x0000000004800000-0x0000000004801000-memory.dmp
memory/3936-4-0x00000000731C0000-0x00000000738AE000-memory.dmp
memory/3936-5-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/3936-7-0x0000000006D00000-0x0000000006D01000-memory.dmp
memory/3936-8-0x0000000007D70000-0x0000000007DE0000-memory.dmp
memory/3936-9-0x0000000009050000-0x0000000009051000-memory.dmp
memory/3936-10-0x00000000090F0000-0x00000000090F1000-memory.dmp
memory/3936-11-0x0000000008F40000-0x0000000008F41000-memory.dmp
memory/3512-12-0x0000000004850000-0x0000000004851000-memory.dmp
memory/3512-13-0x0000000004850000-0x0000000004851000-memory.dmp
memory/3512-15-0x0000000005100000-0x0000000005101000-memory.dmp