Analysis
- max time kernel: 118s
- max time network: 117s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 16-01-2021 19:22

Static task: static1
Behavioral task: behavioral1
- Sample: vruns.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: vruns.exe
- Resource: win10v20201028
General
- Target: vruns.exe
- Size: 2.1MB
- MD5: 1490ea3019282b9fd5825bfd6f73b1cf
- SHA1: fa2c9a028db4dd83fa80fef8c90ca2bf34dc881d
- SHA256: 8f01777956479851c4c5dd06845ba0d4561b2a085472460447d10b46d4b89487
- SHA512: bdf82235c3a3b94360c4e2507c6adb07d1731fff16b9d9038f9faed34ee55d60b70d9ca24a2f2baba7fcd4c95716d52590ed62a7802c068a8ae35d5213dfaced
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (vruns.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (vruns.exe)
- Deletes itself (1 IoC)
  Processes:
  - PID 696: cmd.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine (vruns.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  - Flow 5: ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  - PID 2024: vruns.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (vruns.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (vruns.exe)
- Delays execution with timeout.exe (1 IoC)
  Processes:
  - PID 1900: timeout.exe
- Modifies system certificate store (2 IoCs)
  Processes:
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [binary blob omitted] (vruns.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 (vruns.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  - PID 2024: vruns.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
  - PID 2024: vruns.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  - PID 2024 wrote to memory of 696: vruns.exe -> cmd.exe (4 events)
  - PID 696 wrote to memory of 1900: cmd.exe -> timeout.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\vruns.exe (PID 2024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\vruns.exe"
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 696, child of 2024)
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\wmngbaJERnmuU & timeout 1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\vruns.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 1900, child of 696)
      Command line: timeout 1
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\wmngbaJERnmuU\172773~1.TXT
  MD5: 681e86c44d5f65b11eab4613008ac6fb
  SHA1: 8b404015c1281d4cf9fc5ad48bbbd6db16ccff4c
  SHA256: 4513bce79a3e5dd52833962e18e28021052ce284504bc201cc7efaf627342d4d
  SHA512: fdfd791d3fc4150c4ed12792cabac523bfd6d1ab6483138a60fb20f8ecd87d553c37162f4f644ca3860fabc61bbaaeea4dafec0da4367175fe015c979e5d9ba0
- C:\ProgramData\wmngbaJERnmuU\Files\Browsers\Cookies\MOZILL~1.TXT
  MD5: ecaa88f7fa0bf610a5a26cf545dcd3aa
  SHA1: 57218c316b6921e2cd61027a2387edc31a2d9471
  SHA256: f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5
  SHA512: 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5
- C:\ProgramData\wmngbaJERnmuU\Files\Browsers\_FILEC~1.TXT
  MD5: ecaa88f7fa0bf610a5a26cf545dcd3aa
  SHA1: 57218c316b6921e2cd61027a2387edc31a2d9471
  SHA256: f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5
  SHA512: 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5
- C:\ProgramData\wmngbaJERnmuU\Files\Browsers\_FILEF~1.TXT
  MD5: ecaa88f7fa0bf610a5a26cf545dcd3aa
  SHA1: 57218c316b6921e2cd61027a2387edc31a2d9471
  SHA256: f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5
  SHA512: 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5
- C:\ProgramData\wmngbaJERnmuU\Files\Browsers\_FILEP~1.TXT
  MD5: ecaa88f7fa0bf610a5a26cf545dcd3aa
  SHA1: 57218c316b6921e2cd61027a2387edc31a2d9471
  SHA256: f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5
  SHA512: 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5
- C:\ProgramData\wmngbaJERnmuU\Files\_FILEP~1.TXT
  MD5: ecaa88f7fa0bf610a5a26cf545dcd3aa
  SHA1: 57218c316b6921e2cd61027a2387edc31a2d9471
  SHA256: f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5
  SHA512: 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5
- C:\ProgramData\wmngbaJERnmuU\Files\_Info.txt
  MD5: b2ac0b0799e97226f48c5a223921d8d8
  SHA1: a550a172524e4ade7f9dd9d3d89a51488e288c42
  SHA256: 0a94b3f63e4af703695abc305bc1c3b7034bf5fd98db8b38664e546c847a934b
  SHA512: 5f97c5f462b2cb7858a8b8c7958bfd898dc2734d8e50671299247388d15cdaf6d293622b115eb807ba0a70221c44ff80a54fd23a94731eb0b5481001d6121bd1
- C:\ProgramData\wmngbaJERnmuU\Files\_Screen.jpg
  MD5: eaa51de6e1f105ac461d585b25a52e22
  SHA1: 7b2d42e812400c65dc69cd2aa8b939c4e0ece2dd
  SHA256: a54e2d71848e932cd175b971ec079871fe645da081731bec97bdee0adc512804
  SHA512: 7dd85fd1e0cd56285b0708a0714c50ab2e7865fcc7b93030aa38fbfa861685c0956c1d2303708b9f83537050d61bbcd92061110245e0c6be8e8254d38d4ff505
- C:\ProgramData\wmngbaJERnmuU\JMEXLD~1.ZIP
  MD5: 6beb84e5b3d761029550b45287f81792
  SHA1: 39f3f5b99a6349f3ca23a7eea2fe1368a0e39d0c
  SHA256: 35b65cf8715930d000a34ac51bd2d1dd2cb305d4c69651ac5925cac685ed32b5
  SHA512: 1a557768b9e46d7b2c7c92a5f31e83345b9f3d32765df3c76dc1af0a520509455bfdedca6c5a91310310dac63206066e57961e1e240f9afa4ad60068ef9a7a6a
- C:\ProgramData\wmngbaJERnmuU\mocc.db
  MD5: 89d4b62651fa5c864b12f3ea6b1521cb
  SHA1: 570d48367b6b66ade9900a9f22d67d67a8fb2081
  SHA256: 22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70
  SHA512: e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff
- memory/696-5-0x0000000000000000-mapping.dmp
- memory/1900-19-0x0000000000000000-mapping.dmp
- memory/2008-4-0x000007FEF63F0000-0x000007FEF666A000-memory.dmp
  Filesize: 2.5MB
- memory/2024-2-0x0000000004230000-0x0000000004241000-memory.dmp
  Filesize: 68KB
- memory/2024-3-0x0000000004640000-0x0000000004651000-memory.dmp
  Filesize: 68KB