Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 17-01-2021 17:06
Static task: static1
Behavioral task: behavioral1
- Sample: EbookReader2019.exe
- Resource: win7v20201028
General
- Target: EbookReader2019.exe
- Size: 6.3MB
- MD5: 847c79e639fb34c2058728ca2fda7bd4
- SHA1: 7f1612cae512f41aa91fec27fab0dac73f65e4da
- SHA256: 8e866375a8d49db2282a0ef0d38667b38ee10bcb23fd63692c65749fb3217f2d
- SHA512: 05c5f5943a432c7e5080e8403d6ca1fa31ea1f47fb4820fed1ad14cd972caa7bb8f620500fa72fd4f66bba63820f6d1d984b6e370524e2ea71a0bf32688875bc
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Executes dropped EXE (2 IoCs)
  Processes:
    PID   Process
    3144  1.exe
    1680  2.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments: on VirtualBox, VMware and QEMU guests the BIOS version strings carry the hypervisor vendor name.
  Processes:
    Description        IoC                                                              Process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  1.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   1.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  2.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   2.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment; the HKCU\Software\Wine key exists only under Wine.
  Processes:
    Description  IoC                                                                              Process
    Key opened   \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine  1.exe
    Key opened   \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine  2.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    PID  Process
    644  EbookReader2019.exe
  The DLL is the UAC.dll plugin listed under Downloads; the nsXXXX.tmp plugin directory it is unpacked into is characteristic of an NSIS-built installer wrapping the payloads.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP. This is the only network indicator recorded in this run.
  Processes:
    Flow  IoC
    9     ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
    PID   Process
    3144  1.exe
    1680  2.exe
- Drops file in Program Files directory (3 IoCs)
  Processes:
    Description   IoC                                       Process
    File created  C:\Program Files (x86)\Margin\Marg\3.exe  EbookReader2019.exe
    File created  C:\Program Files (x86)\Margin\Marg\1.exe  EbookReader2019.exe
    File created  C:\Program Files (x86)\Margin\Marg\2.exe  EbookReader2019.exe
  Only 1.exe and 2.exe are executed in this run; 3.exe is written but never launched and is not captured under Downloads.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour", but nothing else in this report (no encryption, no ransom note, no mass file writes) supports that reading; drive enumeration is equally consistent with the stealer activity recorded above.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Description        IoC                                                                              Process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                 1.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  1.exe
- Delays execution with timeout.exe (1 IoCs)
  Processes:
    PID   Process
    2012  timeout.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    PID   Process
    3144  1.exe
    3144  1.exe
    1680  2.exe
    1680  2.exe
- Suspicious use of FindShellTrayWindow (12 IoCs)
  Processes:
    PID   Process
    3144  1.exe (12 occurrences)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    Description                     Source PID  Source process       Target process
    PID 644 wrote to memory of 3144  644         EbookReader2019.exe  1.exe (3 times)
    PID 3144 wrote to memory of 3964 3144        1.exe                cmd.exe (3 times)
    PID 644 wrote to memory of 1680  644         EbookReader2019.exe  2.exe (3 times)
    PID 3964 wrote to memory of 2012 3964        cmd.exe              timeout.exe (3 times)
  Every write is from a parent into a child it has just created, which is what CreateProcess does when it sets up the new process; on their own these entries do not indicate code injection.
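The BIOS, processor and Wine registry reads in the signatures above are the classic registry-based VM/sandbox fingerprint set. The following script is an added example, not code from the report or from the sample: it parses the flattened "description ioc process" rows as they appear on this page into structured IoCs, normalises the kernel object paths (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>) to the hive names analysts use, and labels the keys commonly read for evasion with their ATT&CK technique. The sample rows are constructed from the tables above; the FINGERPRINTS table, the label names and the RegistryIoc type are this example's own.

```python
"""Parse flattened sandbox registry-IoC rows and label sandbox-fingerprint keys."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: registry rows from the signature tables on this page,
# in the one-line form the table takes when the page is extracted to text.
FLAT_ROWS = (
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1.exe "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1.exe "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2.exe "
    r"Key opened \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine 1.exe "
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 1.exe "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 1.exe"
)

# One row = operation, kernel-style key path, process image name.
ROW_RE = re.compile(r"(Key value queried|Key opened)\s+(\\REGISTRY\\\S+)\s+(\S+\.exe)")

# Fingerprint locations (example's own list): regex on the normalised key,
# label, ATT&CK technique. BIOS values carry hypervisor vendor strings,
# ProcessorNameString reveals emulated CPUs, HKCU\Software\Wine exists only under Wine.
FINGERPRINTS = [
    (r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", "bios-vendor-string", "T1497.001"),
    (r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\ProcessorNameString)?$", "cpu-name-string", "T1497.001"),
    (r"^HKU\\S-1-5-[\d-]+\\Software\\Wine$", "wine-presence", "T1497.001"),
]

MACHINE_PREFIX = "\\REGISTRY\\MACHINE\\"
USER_PREFIX = "\\REGISTRY\\USER\\"


@dataclass(frozen=True)
class RegistryIoc:
    process: str
    operation: str
    key: str                      # normalised key with hive abbreviation
    label: Optional[str]          # fingerprint label, or None if not a known check
    technique: Optional[str]      # ATT&CK technique id for the label


def normalize_key(native: str) -> str:
    """Map the kernel object path (\\REGISTRY\\...) to HKLM\\... / HKU\\... form."""
    if native.upper().startswith(MACHINE_PREFIX):
        return "HKLM\\" + native[len(MACHINE_PREFIX):]
    if native.upper().startswith(USER_PREFIX):
        return "HKU\\" + native[len(USER_PREFIX):]
    return native


def classify(key: str):
    """Return (label, technique) for a known fingerprint key, else (None, None)."""
    for pattern, label, technique in FINGERPRINTS:
        if re.match(pattern, key, re.IGNORECASE):
            return label, technique
    return None, None


def parse_rows(text: str):
    """Turn the flattened rows into RegistryIoc records, in page order."""
    iocs = []
    for operation, native, process in ROW_RE.findall(text):
        key = normalize_key(native)
        label, technique = classify(key)
        iocs.append(RegistryIoc(process, operation, key, label, technique))
    return iocs


def summarize(text: str):
    """process name -> sorted list of fingerprint labels that process touched."""
    out = {}
    for ioc in parse_rows(text):
        if ioc.label:
            out.setdefault(ioc.process, set()).add(ioc.label)
    return {proc: sorted(labels) for proc, labels in out.items()}


if __name__ == "__main__":
    for ioc in parse_rows(FLAT_ROWS):
        print(f"{ioc.process:6} {ioc.operation:18} {ioc.key}  -> {ioc.label} {ioc.technique}")
    print(summarize(FLAT_ROWS))
```

The same parser works on any signature table of this shape; extend FINGERPRINTS with the keys your own sandbox reports (for example SystemManufacturer/SystemProductName under the same DESCRIPTION\System path, or the HKLM\HARDWARE\ACPI subtree named in the VirtualBox signature) to get a per-process view of which evasion checks a sample runs before it starts its real work.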
Processes
- C:\Users\Admin\AppData\Local\Temp\EbookReader2019.exe (PID 644)
  Command line: "C:\Users\Admin\AppData\Local\Temp\EbookReader2019.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Margin\Marg\1.exe (PID 3144, parent 644)
    Command line: "C:\Program Files (x86)\Margin\Marg\1.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3964, parent 3144)
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\jpUUn1lwv & timeout 2 & del /f /q "C:\Program Files (x86)\Margin\Marg\1.exe"
      - Suspicious use of WriteProcessMemory
      This is the cleanup chain: it removes the C:\ProgramData\jpUUn1lwv staging directory that holds the collected data (see Downloads), waits two seconds so that 1.exe has exited and its image is no longer locked, then deletes 1.exe itself. 1.exe requested system32\cmd.exe but, being a 32-bit process on 64-bit Windows, was given the SysWOW64 copy by file-system redirection. On a live host, expect neither the staging directory nor 1.exe to be present after the run; recover them from the dropped-file hashes here, or from volume shadow copies and MFT records.
      - C:\Windows\SysWOW64\timeout.exe (PID 2012, parent 3964)
        Command line: timeout 2
        - Delays execution with timeout.exe
  - C:\Program Files (x86)\Margin\Marg\2.exe (PID 1680, parent 644)
    Command line: "C:\Program Files (x86)\Margin\Marg\2.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
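The cmd.exe line under 1.exe is the tell-tale anti-forensics pattern: wipe the staging directory, delay with timeout.exe, then delete the parent's own executable. The following detection is an added example, not code from the report or from the sample: it walks Sysmon-style process creation records (pid, ppid, image, command line), parses the "cmd /c" chain, and flags a del whose target is the image of an ancestor process, plus any rd of a directory under C:\ProgramData. The EVENTS list is constructed from the process tree on this page (the installer's own parent PID is not in the report and is set to 0 here); the field names, the finding types and the verb tables are this example's own.

```python
"""Detect cmd.exe self-deletion / staging-directory wipe chains in process creation events."""
import re
import shlex

# Constructed from the process tree on this page. Sysmon Event ID 1 carries the
# same four fields (ProcessId, ParentProcessId, Image, CommandLine).
EVENTS = [
    {"pid": 644, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\EbookReader2019.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\EbookReader2019.exe"'},
    {"pid": 3144, "ppid": 644, "image": r"C:\Program Files (x86)\Margin\Marg\1.exe",
     "cmd": r'"C:\Program Files (x86)\Margin\Marg\1.exe"'},
    {"pid": 3964, "ppid": 3144, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\jpUUn1lwv & timeout 2 & del /f /q "C:\Program Files (x86)\Margin\Marg\1.exe"'},
    {"pid": 2012, "ppid": 3964, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmd": "timeout 2"},
    {"pid": 1680, "ppid": 644, "image": r"C:\Program Files (x86)\Margin\Marg\2.exe",
     "cmd": r'"C:\Program Files (x86)\Margin\Marg\2.exe"'},
]

DELETE_VERBS = {"del", "erase"}
RMDIR_VERBS = {"rd", "rmdir"}
DELAY_VERBS = {"timeout", "ping", "sleep"}
STAGING_ROOT = "c:\\programdata\\"


def _norm(path: str) -> str:
    """Case-fold and strip the quotes cmd.exe keeps around paths with spaces."""
    return path.strip('"').lower()


def split_cmd_chain(cmdline: str):
    """Return the sub-commands run by 'cmd /c ...' (split on &, && and ||) as token lists."""
    m = re.search(r"\s/[cCkK]\s+(.*)$", cmdline)
    if not m:
        return []
    parts = re.split(r"\s*(?:&&|\|\||&)\s*", m.group(1))
    # posix=False keeps Windows backslashes literal and keeps quoted paths as one token.
    return [shlex.split(p, posix=False) for p in parts if p.strip()]


def ancestors(events, pid: int):
    """Events of the parent, grandparent, ... of pid, nearest first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid:
        pid = by_pid[pid]["ppid"]
        chain.append(by_pid[pid])
    return chain


def detect_cleanup(events):
    """Return findings for cmd.exe chains that delete an ancestor's image or wipe a staging dir."""
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        chain = split_cmd_chain(ev["cmd"])
        if not chain:
            continue
        ancestor_images = {_norm(a["image"]): a["pid"] for a in ancestors(events, ev["pid"])}
        deleted, wiped, delay = [], [], None
        for toks in chain:
            verb = toks[0].lower()
            args = [t for t in toks[1:] if not t.startswith("/")]   # drop switches like /f /q /s
            if verb in DELETE_VERBS:
                deleted += [_norm(a) for a in args]
            elif verb in RMDIR_VERBS:
                wiped += [_norm(a) for a in args]
            elif verb in DELAY_VERBS and args:
                delay = " ".join(args)
        for path in deleted:
            if path in ancestor_images:
                findings.append({"type": "self_delete_via_cmd", "cmd_pid": ev["pid"],
                                 "victim_pid": ancestor_images[path], "path": path, "delay": delay})
        for path in wiped:
            if path.startswith(STAGING_ROOT):
                findings.append({"type": "staging_dir_wipe", "cmd_pid": ev["pid"], "path": path})
    return findings


if __name__ == "__main__":
    for f in detect_cleanup(EVENTS):
        print(f)
```

In production the parent lookup should use the process GUID rather than the PID, since PIDs are reused; the logic is otherwise the same. The delay field is worth keeping in the alert, because a "del of parent" without a delay usually fails (the image is still mapped) and is a weaker signal than the delayed form seen here.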
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Program Files (x86)\Margin\Marg\1.exe
  MD5 987a9a9e0d4bbad66a9b823b3f939bc1
  SHA1 b1e733fcf656d37326d12650406676903f10090a
  SHA256 15f2a0a15572b7e7d229f7c309f3f4599aa7404b18f020b1fdb8518e584a48fe
  SHA512 791fff5b437ab8ac856cdb70b366897e90695235ca73c06320f638957bf8c007e6aa5eba6fd34a883abcd2f0748822490b7716b301b22a388828731b2bab486d
- C:\Program Files (x86)\Margin\Marg\2.exe
  MD5 c9cd7540515bf1b247b61683e37c6137
  SHA1 7ecdf3f713d77cda0ac4c2589f5bd1d96375999f
  SHA256 292cd3448949482950fbfbe79117db0758d0d4b45f6dea494f63aecc7a99fedd
  SHA512 333be7de8c9eab112c8463a8522df65ac02035620d4e3aa604db7323600233c7b6e084f80ebfc0f231662863a6de8efa2a8d22c9d583f54d20159ca16cab3bf6
- C:\ProgramData\jpUUn1lwv\47283761.txt
  MD5 550cc6486c1ac1d65c8f1b14517a8294
  SHA1 6f7b60b1f5b90ac815ab56c78cd7a5de05311fe1
  SHA256 176bf49d4a7f854a30e1fb19acc33650ad5531a95bba23a9b7108b0129d15e9b
  SHA512 eb29aefebe6d2ce5d06082c9ea8750de5cf5141e51ecc39457362bd4e8c1ec0313801f805b8b7ef6eaaf24d3e6b5d3ed2912216728ed5308165c00b17dc6f726
- C:\ProgramData\jpUUn1lwv\Files\_Info.txt
  MD5 0ae4242c23dafa4ebf3bf432243ef321
  SHA1 7dfc93a6a55041eda0ab0b5171762a7db67c27d1
  SHA256 ed631e4aba5e6a974f12e21595541353e8084e1913f7e07031997ce0535bbf39
  SHA512 25a0cf171fe4da56f07f23e2adb8d280413fd05b03240dc6c0c5cdd624c6e13955bafb724fef3aa17f2f1e1f38d53c7da784b37f7abbb847f252ff728f845c74
- C:\ProgramData\jpUUn1lwv\Files\_Screen.jpg
  MD5 1fe57b3ddd609be2f18279235fc849a5
  SHA1 9971609a141521c4da8809cc89a88e54890b995f
  SHA256 730cb901aec059f8f8e098edd4922ae1e267ea13606140a1305ccf32e5e74427
  SHA512 4d439eb0322a389af04431b53ac16d1d7e2276ad791c7046888b5784954ea18208eb64bd65684ad3e7072d5af522b0e7f33d5ad59142253338cbbf3c1f845e2b
- C:\ProgramData\jpUUn1lwv\JEHOPE~1.ZIP
  MD5 586333896674aa7372dcbdb4dfbf3f80
  SHA1 9dd916998e073f162c1f8a3fb38a0bb3ba92df07
  SHA256 b5bfda54a0e9f67a0792a5927128b37494bdca0e6ca3f752078a0ad450aae61b
  SHA512 d13fa4d527cf9450b193ea79bb47e83cf98e6bf6ce85ec4083e631d0032a73e67ca161e35885becdc32494aad835623f766716d51d1a33fc0cb7925476657a7c
- C:\ProgramData\jpUUn1lwv\MOZ_CO~1.DB
  MD5 89d4b62651fa5c864b12f3ea6b1521cb
  SHA1 570d48367b6b66ade9900a9f22d67d67a8fb2081
  SHA256 22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70
  SHA512 e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff
- \Users\Admin\AppData\Local\Temp\nsv8738.tmp\UAC.dll
  MD5 adb29e6b186daa765dc750128649b63d
  SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
  SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
  SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
C:\ProgramData\jpUUn1lwv is the staging directory that the cmd.exe chain under 1.exe removes at the end of the run. Its contents (_Info.txt, _Screen.jpg, a database whose 8.3 short name MOZ_CO~1.DB is consistent with copied Mozilla browser data, and the JEHOPE~1.ZIP archive) are the collected-data bundle typical of a stealer and match the browser-data and wallet signatures above. No upload destination other than the ip-api.com lookup is recorded in this run, so the archive may have been staged for a later or failed exfiltration. The hashes above are the only copies of 1.exe and the staging files that survive the sample's own cleanup.
- memory/1680-42-0x0000000009D90000-0x0000000009D91000-memory.dmp, Filesize 4KB
- memory/1680-43-0x0000000009F80000-0x0000000009F81000-memory.dmp, Filesize 4KB
- memory/1680-55-0x0000000009FD0000-0x0000000009FD1000-memory.dmp, Filesize 4KB
- memory/1680-54-0x0000000009FF0000-0x0000000009FF1000-memory.dmp, Filesize 4KB
- memory/1680-53-0x000000000A0C0000-0x000000000A0C1000-memory.dmp, Filesize 4KB
- memory/1680-52-0x0000000009FC0000-0x0000000009FC1000-memory.dmp, Filesize 4KB
- memory/1680-51-0x000000000A010000-0x000000000A011000-memory.dmp, Filesize 4KB
- memory/1680-50-0x000000000A090000-0x000000000A091000-memory.dmp, Filesize 4KB
- memory/1680-49-0x000000000A0A0000-0x000000000A0A1000-memory.dmp, Filesize 4KB
- memory/1680-20-0x0000000000000000-mapping.dmp
- memory/1680-47-0x0000000009F20000-0x0000000009F21000-memory.dmp, Filesize 4KB
- memory/1680-48-0x0000000009F10000-0x0000000009F11000-memory.dmp, Filesize 4KB
- memory/1680-46-0x0000000009EC0000-0x0000000009EC1000-memory.dmp, Filesize 4KB
- memory/1680-45-0x0000000009F30000-0x0000000009F31000-memory.dmp, Filesize 4KB
- memory/1680-44-0x000000000A070000-0x000000000A071000-memory.dmp, Filesize 4KB
- memory/1680-40-0x0000000000401000-0x000000000045D000-memory.dmp, Filesize 368KB
- memory/1680-41-0x0000000009E00000-0x0000000009E01000-memory.dmp, Filesize 4KB
- memory/1680-28-0x00000000098B0000-0x00000000098B1000-memory.dmp, Filesize 4KB
- memory/1680-29-0x000000000A0B0000-0x000000000A0B1000-memory.dmp, Filesize 4KB
- memory/1680-30-0x00000000098B0000-0x00000000098B1000-memory.dmp, Filesize 4KB
- memory/1680-32-0x0000000009DE0000-0x0000000009DE1000-memory.dmp, Filesize 4KB
- memory/1680-34-0x0000000009E10000-0x0000000009E11000-memory.dmp, Filesize 4KB
- memory/1680-33-0x0000000009D80000-0x0000000009D81000-memory.dmp, Filesize 4KB
- memory/1680-35-0x0000000009DC0000-0x0000000009DC1000-memory.dmp, Filesize 4KB
- memory/1680-37-0x0000000009DB0000-0x0000000009DB1000-memory.dmp, Filesize 4KB
- memory/1680-36-0x0000000009DF0000-0x0000000009DF1000-memory.dmp, Filesize 4KB
- memory/1680-39-0x0000000009F60000-0x0000000009F61000-memory.dmp, Filesize 4KB
- memory/1680-38-0x0000000009DD0000-0x0000000009DD1000-memory.dmp, Filesize 4KB
- memory/2012-27-0x0000000000000000-mapping.dmp
- memory/3144-12-0x0000000004D90000-0x0000000004D91000-memory.dmp, Filesize 4KB
- memory/3144-17-0x0000000004E00000-0x0000000004E01000-memory.dmp, Filesize 4KB
- memory/3144-11-0x0000000004DE0000-0x0000000004DE1000-memory.dmp, Filesize 4KB
- memory/3144-7-0x00000000053B0000-0x00000000053B1000-memory.dmp, Filesize 4KB
- memory/3144-8-0x0000000077DB4000-0x0000000077DB5000-memory.dmp, Filesize 4KB
- memory/3144-10-0x0000000004DB0000-0x0000000004DB1000-memory.dmp, Filesize 4KB
- memory/3144-3-0x0000000000000000-mapping.dmp
- memory/3144-13-0x0000000004DA0000-0x0000000004DA1000-memory.dmp, Filesize 4KB
- memory/3144-9-0x0000000004DC0000-0x0000000004DC1000-memory.dmp, Filesize 4KB
- memory/3144-18-0x0000000004E10000-0x0000000004E11000-memory.dmp, Filesize 4KB
- memory/3144-6-0x0000000004BB0000-0x0000000004BB1000-memory.dmp, Filesize 4KB
- memory/3144-16-0x0000000004E20000-0x0000000004E21000-memory.dmp, Filesize 4KB
- memory/3144-15-0x0000000004E30000-0x0000000004E31000-memory.dmp, Filesize 4KB
- memory/3144-14-0x0000000004DD0000-0x0000000004DD1000-memory.dmp, Filesize 4KB
- memory/3964-19-0x0000000000000000-mapping.dmp
The 4KB dumps are single pages and are of little use on their own. The one region worth pulling first is memory/1680-40 (0x00401000-0x0045D000, 368KB): it sits directly above the default 32-bit image base of 0x00400000, which is consistent with the mapped code of 2.exe (PID 1680) and is the dump to start from if the on-disk 2.exe is packed.