Overview

overview

10

Static

static

10

0caa6fb680...c6.exe

windows7_x64

10

0caa6fb680...c6.exe

windows10_x64

10

165ec181ff...71.exe

windows7_x64

9

165ec181ff...71.exe

windows10_x64

9

19f1fcac5e...22.exe

windows7_x64

1

19f1fcac5e...22.exe

windows10_x64

1

1a3642fa7d...de.exe

windows7_x64

9

1a3642fa7d...de.exe

windows10_x64

9

1d6d8960e8...5d.exe

windows7_x64

9

1d6d8960e8...5d.exe

windows10_x64

9

213f46a611...fc.exe

windows7_x64

9

213f46a611...fc.exe

windows10_x64

9

284c9bd06a...47.exe

windows7_x64

9

284c9bd06a...47.exe

windows10_x64

9

2b08cbe646...d4.exe

windows7_x64

9

2b08cbe646...d4.exe

windows10_x64

9

2c44be7232...76.exe

windows7_x64

6

2c44be7232...76.exe

windows10_x64

6

2e1deb95bf...f0.exe

windows7_x64

9

2e1deb95bf...f0.exe

windows10_x64

9

2f7a2890d3...2b.exe

windows7_x64

8

2f7a2890d3...2b.exe

windows10_x64

8

36fc7610e5...6f.exe

windows7_x64

9

36fc7610e5...6f.exe

windows10_x64

9

3842928b05...6a.exe

windows7_x64

8

3842928b05...6a.exe

windows10_x64

8

3af2caadbf...ae.exe

windows7_x64

9

3af2caadbf...ae.exe

windows10_x64

9

416baeb19a...40.exe

windows7_x64

7

416baeb19a...40.exe

windows10_x64

7

448a675cb7...2c.exe

windows7_x64

8

448a675cb7...2c.exe

windows10_x64

8

Resubmissions

17-01-2021 19:18

210117-5hwxlye88x 10

17-01-2021 17:05

210117-6jkt8jz44e 10

17-01-2021 10:25

210117-ncy8vksfgn 10

Analysis

  • max time kernel
    157s
  • max time network
    174s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    17-01-2021 10:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe

  • Size

    4.3MB

  • MD5

    7b65065d72848703e2aa7a8788e182f8

  • SHA1

    939281d92b016157bc32a36876a957fa141dcce3

  • SHA256

    1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede

  • SHA512

    cba2b883a103adaf2060138ee58f2e1a98520dca5e55b979584c49e42cf36af5915d5b95c7a00cee04766f9808a9dede3ad31d730f8f9873f44809855e3c30a3

Score
9/10
discoveryevasionspyware

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Blocklisted process makes network request 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe
    "C:\Users\Admin\AppData\Local\Temp\1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\SysWOW64\cscript.exe
      "cscript.exe" s1.vbs //e:vbscript //NOLOGO
      2⤵
      • Blocklisted process makes network request
      • Modifies system certificate store
      PID:2768
    • C:\Users\Admin\AppData\Local\Temp\sib6578.tmp\1\drop_9.exe
      "C:\Users\Admin\AppData\Local\Temp\sib6578.tmp\1\drop_9.exe" /s
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:3156

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2736-11-0x000000001C980000-0x000000001C981000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2736-8-0x0000000010C90000-0x0000000010C91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2736-6-0x0000000010C60000-0x0000000010C61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2736-3-0x00000000732B0000-0x000000007399E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3156-19-0x0000000005250000-0x0000000005251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3156-18-0x0000000004A50000-0x0000000004A51000-memory.dmp

    Filesize

    4KB

    Download