Analysis
- Max time kernel: 145s
- Max time network: 145s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 16-01-2021 19:25

Static task: static1
Behavioral task: behavioral1
- Sample: EbookReader2019.exe
- Resource: win7v20201028
General
- Target: EbookReader2019.exe
- Size: 6.3MB
- MD5: 847c79e639fb34c2058728ca2fda7bd4
- SHA1: 7f1612cae512f41aa91fec27fab0dac73f65e4da
- SHA256: 8e866375a8d49db2282a0ef0d38667b38ee10bcb23fd63692c65749fb3217f2d
- SHA512: 05c5f5943a432c7e5080e8403d6ca1fa31ea1f47fb4820fed1ad14cd972caa7bb8f620500fa72fd4f66bba63820f6d1d984b6e370524e2ea71a0bf32688875bc
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    3676, 1.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (1.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (1.exe)
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description, ioc, process):
    Key opened: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine (1.exe)
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    644, EbookReader2019.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
    Flow 9: ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid, process):
    3676, 1.exe
- Drops file in Program Files directory (3 IoCs)
  Processes (description, ioc, process):
    File created: C:\Program Files (x86)\Margin\Marg\1.exe (EbookReader2019.exe)
    File created: C:\Program Files (x86)\Margin\Marg\2.exe (EbookReader2019.exe)
    File created: C:\Program Files (x86)\Margin\Marg\3.exe (EbookReader2019.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (1.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (1.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    3676, 1.exe (2 entries)
- Suspicious use of FindShellTrayWindow (12 IoCs)
  Processes (pid, process):
    3676, 1.exe (12 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
    PID 644 wrote to memory of 3676: 644 EbookReader2019.exe -> 3676 1.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\EbookReader2019.exe (depth 1, PID 644)
  Command line: "C:\Users\Admin\AppData\Local\Temp\EbookReader2019.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Margin\Marg\1.exe (depth 2, PID 3676)
    Command line: "C:\Program Files (x86)\Margin\Marg\1.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
Downloads
- C:\Program Files (x86)\Margin\Marg\1.exe
  MD5: 987a9a9e0d4bbad66a9b823b3f939bc1
  SHA1: b1e733fcf656d37326d12650406676903f10090a
  SHA256: 15f2a0a15572b7e7d229f7c309f3f4599aa7404b18f020b1fdb8518e584a48fe
  SHA512: 791fff5b437ab8ac856cdb70b366897e90695235ca73c06320f638957bf8c007e6aa5eba6fd34a883abcd2f0748822490b7716b301b22a388828731b2bab486d
- \Users\Admin\AppData\Local\Temp\nsg7083.tmp\UAC.dll
  MD5: adb29e6b186daa765dc750128649b63d
  SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
  SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
  SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
- memory/3676-3-0x0000000000000000-mapping.dmp
- memory/3676-7-0x0000000005540000-0x0000000005541000-memory.dmp
  Filesize: 4KB
- memory/3676-6-0x0000000004D40000-0x0000000004D41000-memory.dmp
  Filesize: 4KB
- memory/3676-8-0x0000000005140000-0x0000000005141000-memory.dmp
  Filesize: 4KB
- memory/3676-12-0x0000000005140000-0x0000000005141000-memory.dmp
  Filesize: 4KB