Analysis
- max time kernel: 146s
- max time network: 140s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 16-01-2021 19:33
Static task: static1
Behavioral task: behavioral1
  Sample: 1.exe
  Resource: win7v20201028
General
- Target: 1.exe
- Size: 2.2MB
- MD5: 987a9a9e0d4bbad66a9b823b3f939bc1
- SHA1: b1e733fcf656d37326d12650406676903f10090a
- SHA256: 15f2a0a15572b7e7d229f7c309f3f4599aa7404b18f020b1fdb8518e584a48fe
- SHA512: 791fff5b437ab8ac856cdb70b366897e90695235ca73c06320f638957bf8c007e6aa5eba6fd34a883abcd2f0748822490b7716b301b22a388828731b2bab486d
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM)  [2 TTPs]
- Checks BIOS information in registry  [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  1.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   1.exe
- Identifies Wine through registry keys  [2 TTPs, 1 IoC]
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes:
    description  ioc                                                                         process
    Key opened   \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine  1.exe
- Reads user/profile data of web browsers  [2 TTPs]
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Accesses cryptocurrency files/wallets, possible credential harvesting  [2 TTPs]
- Checks installed software on the system  [1 TTP]
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service  [1 IoC]
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    6     ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger  [1 IoC]
  Processes:
    pid   process
    3992  1.exe
- Enumerates physical storage devices  [1 TTP]
  Attempts to interact with connected storage/optical drive(s). The signature tags this as likely ransomware behaviour, but nothing else in this report supports that (no encrypted files or ransom note among the dropped files); the other signatures and the dropped files (browser profile data, wallet access, a screenshot, an archive staged under ProgramData) are consistent with an infostealer.
- Checks processor information in registry  [2 TTPs, 2 IoCs]
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                                process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     1.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  1.exe
- Delays execution with timeout.exe  [1 IoC]
  Processes:
    pid   process
    4048  timeout.exe
- Suspicious behavior: EnumeratesProcesses  [2 IoCs]
  Processes:
    pid   process
    3992  1.exe  (x2)
- Suspicious use of FindShellTrayWindow  [12 IoCs]
  Processes:
    pid   process
    3992  1.exe  (x12)
- Suspicious use of WriteProcessMemory  [6 IoCs]
  Processes:
    description                       pid   process  target process
    PID 3992 wrote to memory of 3492  3992  1.exe    cmd.exe      (x3)
    PID 3492 wrote to memory of 4048  3492  cmd.exe  timeout.exe  (x3)
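The registry-based signatures above (BIOS, processor and Wine checks) all reduce to matching the key paths a process touches against a short list of sandbox-detection artifacts. The following is an added example, not code from this report or the sandbox vendor: it feeds constructed registry-access events (copied from the IoC rows above, plus one benign explorer.exe control) through rules named after the page's signatures. The event tuple layout, the HKLM/HKU normalisation and the VirtualBox rule are assumptions; the page names the VirtualBox signature but shows no key for it, so that rule uses the well-known VBOX__ ACPI table names.

```python
import re
from collections import defaultdict

# Constructed registry-access events mirroring the IoC rows of this report, in the native
# \REGISTRY\... form a sandbox (or Sysmon Event ID 12/13) logs them. The explorer.exe row
# is a benign control that no rule should match.
EVENTS = [
    (3992, "1.exe", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (3992, "1.exe", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (3992, "1.exe", "Key opened",
     r"\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine"),
    (3992, "1.exe", "Key opened",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"),
    (3992, "1.exe", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    (1234, "explorer.exe", "Key value queried",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]

# Signature names are the ones used on this page; patterns are written against the
# HKLM/HKU form produced by normalise(). The VirtualBox rule is an assumption: the page
# names that signature but shows no key, so the VBOX__ ACPI table names are used here.
RULES = [
    ("Checks BIOS information in registry",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("Checks processor information in registry",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+"
                r"(\\ProcessorNameString)?$", re.I)),
    ("Identifies Wine through registry keys",
     re.compile(r"^HKU\\S-1-5-[\d-]+\\Software\\Wine$", re.I)),
    ("Identifies VirtualBox via ACPI registry values",
     re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
]

HIVES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}


def normalise(path):
    """Rewrite a native REGISTRY\\MACHINE or REGISTRY\\USER path to the HKLM / HKU form."""
    for native, short in HIVES.items():
        if path.upper().startswith(native):
            return short + path[len(native):]
    return path


def scan(events):
    """Match every event against RULES; returns {(pid, process): {signature: [(op, key)]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for pid, proc, op, key in events:
        norm = normalise(key)
        for name, rx in RULES:
            if rx.search(norm):
                hits[(pid, proc)][name].append((op, key))
    return {who: dict(sigs) for who, sigs in hits.items()}


def summarise(hits):
    """Per-signature view like the report's list: {signature: (ioc_count, [pids])}."""
    out = {}
    for (pid, _proc), sigs in hits.items():
        for name, iocs in sigs.items():
            count, pids = out.get(name, (0, []))
            out[name] = (count + len(iocs), sorted(set(pids + [pid])))
    return out


if __name__ == "__main__":
    for name, (count, pids) in summarise(scan(EVENTS)).items():
        print(f"{name}: {count} IoC(s) from pid(s) {pids}")
```

Run on the constructed events it reproduces the page's counts (2 BIOS IoCs, 2 processor IoCs, 1 Wine IoC, all from pid 3992) and stays silent on the explorer.exe Run-key read. Matching on the key path rather than the returned value is deliberate: a clean host answers these queries too, so the signal is that an unknown binary from Temp asks, not what it is told.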
Processes
-
C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 3992
  -
  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\jPDtSxDzhVsMIR & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3492
    -
    C:\Windows\SysWOW64\timeout.exe
      timeout 2
      - Delays execution with timeout.exe
      PID: 4048

Two points worth reading off this tree. The child's command line names C:\Windows\system32\cmd.exe, but the image that actually ran is C:\Windows\SysWOW64\cmd.exe, so 1.exe is a 32-bit process and the path went through WOW64 file system redirection. The cmd.exe line is a cleanup-and-self-delete step: it removes the staging directory under ProgramData (the same directory the dropped files listed below were written to), waits two seconds so that 1.exe can exit and release its image, then deletes 1.exe itself.
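The cleanup line in the tree above is a reusable detection pattern: a cmd.exe child that deletes its parent's own image after a delay. The following is an added example, not part of this report: it rebuilds the process records from the tree (same PIDs, images and command lines), adds a constructed app.exe/cmd.exe pair as a control that deletes an unrelated file, splits each command line at cmd's `&` separators and reports which cmd.exe instances remove directories or files and whether a deleted path equals the parent process image. The Proc record layout and the control process are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str      # executable actually loaded (after WOW64 redirection)
    cmdline: str


# Constructed from the process tree of this report (same PIDs, images and command lines).
# The app.exe/cmd.exe pair is a control: it deletes a file, but not its parent's own image.
TREE = [
    Proc(3992, 0, r"C:\Users\Admin\AppData\Local\Temp\1.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\1.exe"'),
    Proc(3492, 3992, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\jPDtSxDzhVsMIR'
         r' & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1.exe"'),
    Proc(4048, 3492, r"C:\Windows\SysWOW64\timeout.exe", "timeout 2"),
    Proc(5000, 0, r"C:\Program Files\App\app.exe", r'"C:\Program Files\App\app.exe"'),
    Proc(5100, 5000, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\update.log"'),
]

TOKEN = re.compile(r'"([^"]*)"|(\S+)')      # a quoted path is one token, quotes stripped
SEPARATORS = {"&", "&&", "||", "|"}


def tokens(cmdline):
    """Split a cmd.exe command line into tokens, keeping quoted paths whole."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def segments(cmdline):
    """Return the individual commands chained with & / && / || / | after 'cmd /c' or '/k'."""
    toks = tokens(cmdline)
    if len(toks) > 1 and toks[0].lower().endswith("cmd.exe") and toks[1].lower() in ("/c", "/k"):
        toks = toks[2:]
    segs, cur = [], []
    for t in toks:
        if t in SEPARATORS:
            if cur:
                segs.append(cur)
            cur = []
        else:
            cur.append(t)
    if cur:
        segs.append(cur)
    return segs


def analyse(procs):
    """Flag cmd.exe processes that remove directories or files; record any timeout delay and
    whether a deleted path is the parent's own image (the self-deletion step in this report)."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(p.ppid)
        delay, removed_dirs, deleted = None, [], []
        for seg in segments(p.cmdline):
            verb = seg[0].lower()
            args = [a for a in seg[1:] if not a.startswith("/")]   # drop /s /q /f /t switches
            if verb == "timeout" and args and args[0].isdigit():
                delay = int(args[0])
            elif verb in ("rd", "rmdir"):
                removed_dirs.extend(args)
            elif verb in ("del", "erase"):
                deleted.extend(args)
        if not (removed_dirs or deleted):
            continue
        findings.append({
            "pid": p.pid, "ppid": p.ppid, "delay_s": delay,
            "removed_dirs": removed_dirs, "deleted": deleted,
            "deletes_parent_image": parent is not None
            and any(d.lower() == parent.image.lower() for d in deleted),
        })
    return findings


if __name__ == "__main__":
    for f in analyse(TREE):
        tag = "SELF-DELETE" if f["deletes_parent_image"] else "cleanup"
        print(f"pid {f['pid']} (parent {f['ppid']}): {tag}, delay={f['delay_s']}s, "
              f"rd={f['removed_dirs']}, del={f['deleted']}")
```

The comparison is against the parent's image path, not the path written in its own command line, because (as the tree shows) the two can differ under WOW64 redirection; for the same reason a production rule should compare on the image path the EDR resolved, not on the string the malware chose to type.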
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\ProgramData\jPDtSxDzhVsMIR\47283761.txt
  MD5:    681e86c44d5f65b11eab4613008ac6fb
  SHA1:   8b404015c1281d4cf9fc5ad48bbbd6db16ccff4c
  SHA256: 4513bce79a3e5dd52833962e18e28021052ce284504bc201cc7efaf627342d4d
  SHA512: fdfd791d3fc4150c4ed12792cabac523bfd6d1ab6483138a60fb20f8ecd87d553c37162f4f644ca3860fabc61bbaaeea4dafec0da4367175fe015c979e5d9ba0
-
C:\ProgramData\jPDtSxDzhVsMIR\Files\_Info.txt
  MD5:    9bebae5cc8e04aba954ad3a04db965f6
  SHA1:   c9b0d9bdf1515080546026a68bb49350d288fc1d
  SHA256: dcc6d9476e5784fadf3b71556f0c34b1ebe0e59fc522de2485c24fcb419fa0b0
  SHA512: bc59d18779f500a98b7f49c795f9eb6f113c8ca4e0be28777752b72bad1bb1b373143bcee7413aea83bbf16107e30e92f01ded009cafad07f9569ef236b2da3b
-
C:\ProgramData\jPDtSxDzhVsMIR\Files\_Screen.jpg
  MD5:    d7d7c18258f49c52b65bad063fa90532
  SHA1:   a0ad544e34a2ff0cf7a10a0898b57edf12fea5f7
  SHA256: ac062f621c6b7289d62551b3e808242de1270d8a7527a80788086e2e34f201a9
  SHA512: 5c8f7a3de1a426a67dedda1b93fe65d11bef77c1f50e3efd1381f4380105b177e61feb6624381a17850e3503987830127ea1f10114e9d2f78a1b18ae688e2697
-
C:\ProgramData\jPDtSxDzhVsMIR\J8ALRC~1.ZIP
  MD5:    327c30dad02b09566c0800ba39952978
  SHA1:   988ebd5de37ae630a1b7440310b0b2e9449f570c
  SHA256: 489f7aeae91df18c33c7d2e2a41b2f952ae4d962069ce0d7e8fe42db644daca2
  SHA512: fb2f33dce7ba14cef8f72152a758aec9470c48192f4c22a6e7d9dd277ae6c4913dd752ddf43a016b78d2f328835aee49a1addbd4f5d5a8fa1dd3158c04ef06d7
-
C:\ProgramData\jPDtSxDzhVsMIR\MOZ_CO~1.DB
  MD5:    89d4b62651fa5c864b12f3ea6b1521cb
  SHA1:   570d48367b6b66ade9900a9f22d67d67a8fb2081
  SHA256: 22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70
  SHA512: e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff
-
memory/3492-16-0x0000000000000000-mapping.dmp
-
memory/3992-2-0x0000000005390000-0x0000000005391000-memory.dmp  Filesize: 4KB
-
memory/3992-3-0x0000000005B90000-0x0000000005B91000-memory.dmp  Filesize: 4KB
-
memory/4048-22-0x0000000000000000-mapping.dmp