Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7v20201028
submitted: 15-01-2021 22:23
Static task: static1
Behavioral task: behavioral1
  Sample: 576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
  Resource: win10v20201028
Behavioral task: behavioral3
  Sample: 6e80e005df38336538ccb8d85ab2bc29cfa761243a4715a28c437c501170372d.exe
  Resource: win7v20201028
Behavioral task: behavioral4
  Sample: 6e80e005df38336538ccb8d85ab2bc29cfa761243a4715a28c437c501170372d.exe
  Resource: win10v20201028
Behavioral task: behavioral5
  Sample: c18292ba5f1e7081f1afaf5e62e63823ffc1673ea59a9d62cd4ff1b8ec7e1903.exe
  Resource: win7v20201028
General
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 3 IoCs
Processes: Install.exe, Notepad2.exe, util.exe
  pid   process
  1980  Install.exe
  1996  Notepad2.exe
  1736  util.exe
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Processes: Install.exe, util.exe
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Install.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Install.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  util.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   util.exe
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
Processes: Install.exe, util.exe
  description  ioc                                                                              process
  Key opened   \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine  Install.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine  util.exe
-
Loads dropped DLL 10 IoCs
Processes:
Processes: 576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe, Install.exe, Notepad2.exe, util.exe
  pid   process
  788   576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
  788   576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
  788   576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
  1980  Install.exe
  1980  Install.exe
  1996  Notepad2.exe
  1996  Notepad2.exe
  788   576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
  1736  util.exe
  1736  util.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  9     ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
Processes: Install.exe, util.exe
  pid   process
  1980  Install.exe
  1736  util.exe
-
Drops file in Program Files directory 3 IoCs
Processes:
Processes: 576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
  description   ioc                                                            process
  File created  C:\Program Files (x86)\Glary\Utilities\Settings\Notepad2.exe  576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
  File created  C:\Program Files (x86)\Glary\Utilities\Settings\Install.exe   576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
  File created  C:\Program Files (x86)\Glary\Utilities\Settings\util.exe      576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Processes: Install.exe
  description        ioc                                                                                  process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      Install.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Install.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Processes: Install.exe, util.exe
  pid   process
  1980  Install.exe
  1736  util.exe
-
Suspicious use of FindShellTrayWindow 12 IoCs
Processes:
Processes: Install.exe
  pid   process
  1980  Install.exe (12 occurrences)
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
Processes: 576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
  description                    pid  process                                                                target process
  PID 788 wrote to memory of 1980  788  576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe  Install.exe   (7 occurrences)
  PID 788 wrote to memory of 1996  788  576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe  Notepad2.exe  (7 occurrences)
  PID 788 wrote to memory of 1736  788  576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe  util.exe      (7 occurrences)
Processes
-
C:\Users\Admin\AppData\Local\Temp\576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510.exe"
  depth: 1
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 788
  -
  C:\Program Files (x86)\Glary\Utilities\Settings\Install.exe
    command line: "C:\Program Files (x86)\Glary\Utilities\Settings\Install.exe"
    depth: 2
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID: 1980
  -
  C:\Program Files (x86)\Glary\Utilities\Settings\Notepad2.exe
    command line: "C:\Program Files (x86)\Glary\Utilities\Settings\Notepad2.exe"
    depth: 2
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1996
  -
  C:\Program Files (x86)\Glary\Utilities\Settings\util.exe
    command line: "C:\Program Files (x86)\Glary\Utilities\Settings\util.exe"
    depth: 2
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 1736
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Program Files (x86)\Glary\Utilities\Settings\Install.exe
MD5 f59df95a5f1760ed6d213f5ad70c0510
SHA1 697dd19671251ed102d92cb730e7854a7611a53f
SHA256 2ee4567751ec4fca4a9390b4743625bee298955cc2cb6375341d673ef0003ab5
SHA512 f553f4053bae6236fd093be86240883b12b9457860e1249707cc4d6212a2fb953d31836106b3c1e8be3fb23de1c3835fb0aaa2e93d0e39422a03e4fc1e75f194
-
C:\Program Files (x86)\Glary\Utilities\Settings\Notepad2.exe
MD5 b60d390ba42c0109ee38de2e0ca56e1a
SHA1 735a4eb61fe695c9bd2c9961f5fa41ac5a73d833
SHA256 9ac61841c5a9716c04d632f9d107a17e94af751573a50b9d2c1d5ce26e32b477
SHA512 97d17a96a5773f2c8c78a1b985e75314c0ad8a5d9188b6e3d327b1445c04b15b99bd1697b8b12e4f3e56d040e5570f9e7b938e4d67cacca03a947093a082dc24
-
C:\Program Files (x86)\Glary\Utilities\Settings\util.exe
MD5 1a399301e1eb1821088776166420c80e
SHA1 317bfecd99d6b0d7415173b55781deb4afc428b8
SHA256 69344b8a53d189c7640d0ada5f74b5febcd7b06e5aa5c4fc01a7c676ec986b67
SHA512 679e7e6c777287303e64d9c3b1d6d23fab2331708a17ba922746db240e25c35a60418f65302c294b851d2cf095cb6b5f174e3b300e74664c54df2349561992fe
-
\Program Files (x86)\Glary\Utilities\Settings\Install.exe
MD5 f59df95a5f1760ed6d213f5ad70c0510
SHA1 697dd19671251ed102d92cb730e7854a7611a53f
SHA256 2ee4567751ec4fca4a9390b4743625bee298955cc2cb6375341d673ef0003ab5
SHA512 f553f4053bae6236fd093be86240883b12b9457860e1249707cc4d6212a2fb953d31836106b3c1e8be3fb23de1c3835fb0aaa2e93d0e39422a03e4fc1e75f194
-
\Program Files (x86)\Glary\Utilities\Settings\Notepad2.exe
MD5 b60d390ba42c0109ee38de2e0ca56e1a
SHA1 735a4eb61fe695c9bd2c9961f5fa41ac5a73d833
SHA256 9ac61841c5a9716c04d632f9d107a17e94af751573a50b9d2c1d5ce26e32b477
SHA512 97d17a96a5773f2c8c78a1b985e75314c0ad8a5d9188b6e3d327b1445c04b15b99bd1697b8b12e4f3e56d040e5570f9e7b938e4d67cacca03a947093a082dc24
-
\Program Files (x86)\Glary\Utilities\Settings\util.exe
MD5 1a399301e1eb1821088776166420c80e
SHA1 317bfecd99d6b0d7415173b55781deb4afc428b8
SHA256 69344b8a53d189c7640d0ada5f74b5febcd7b06e5aa5c4fc01a7c676ec986b67
SHA512 679e7e6c777287303e64d9c3b1d6d23fab2331708a17ba922746db240e25c35a60418f65302c294b851d2cf095cb6b5f174e3b300e74664c54df2349561992fe
-
\Users\Admin\AppData\Local\Temp\nsnFDA.tmp\UAC.dll
MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
memory/1720-25-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp  Filesize 2.5MB
-
memory/1736-16-0x0000000000000000-mapping.dmp
-
memory/1736-24-0x0000000009070000-0x0000000009081000-memory.dmp  Filesize 68KB
-
memory/1736-23-0x0000000008C60000-0x0000000008C71000-memory.dmp  Filesize 68KB
-
memory/1980-4-0x0000000000000000-mapping.dmp
-
memory/1980-22-0x0000000004EA0000-0x0000000004EB1000-memory.dmp  Filesize 68KB
-
memory/1980-21-0x0000000004A90000-0x0000000004AA1000-memory.dmp  Filesize 68KB
-
memory/1996-7-0x0000000000000000-mapping.dmp