ccf0e52e21388ebfab406f10061864daf9bca0232a7eb09f1cd5b2a036853dbe

General

Target

6_ico.exe
Size

1.8MB
MD5

f9cbb8637e9c0a5bc3ed7800a364285c
SHA1

2e990ec1fdee46b2f8aa6323f428b5b1403f451a
SHA256

ccf0e52e21388ebfab406f10061864daf9bca0232a7eb09f1cd5b2a036853dbe
SHA512

dc8233afac50dfda009108482b57548d0c5d00462c951745cb44e421c03967bb3c7cae26a464592a7a88f7100fd838b4e2e5c6999395153863c63a4cfa3ce812

Score

9^/10

evasion spyware

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6_ico.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6_ico.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

436 cmd.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

6_ico.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine 6_ico.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

6_ico.exe

pid process

1604 6_ico.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

692 timeout.exe
1828 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6_ico.exe

pid process

1604 6_ico.exe

pid	process
436	cmd.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine	6_ico.exe

flow	ioc
5	ip-api.com

pid	process
1604	6_ico.exe

pid	process
692	timeout.exe
1828	timeout.exe

pid	process
1604	6_ico.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

6_ico.execmd.execmd.exe

description	pid	process	target process
PID 1604 wrote to memory of 436	1604	6_ico.exe	cmd.exe
PID 1604 wrote to memory of 436	1604	6_ico.exe	cmd.exe
PID 1604 wrote to memory of 436	1604	6_ico.exe	cmd.exe
PID 1604 wrote to memory of 436	1604	6_ico.exe	cmd.exe
PID 436 wrote to memory of 692	436	cmd.exe	timeout.exe
PID 436 wrote to memory of 692	436	cmd.exe	timeout.exe
PID 436 wrote to memory of 692	436	cmd.exe	timeout.exe
PID 436 wrote to memory of 692	436	cmd.exe	timeout.exe
PID 1604 wrote to memory of 1348	1604	6_ico.exe	cmd.exe
PID 1604 wrote to memory of 1348	1604	6_ico.exe	cmd.exe
PID 1604 wrote to memory of 1348	1604	6_ico.exe	cmd.exe
PID 1604 wrote to memory of 1348	1604	6_ico.exe	cmd.exe
PID 1348 wrote to memory of 1828	1348	cmd.exe	timeout.exe
PID 1348 wrote to memory of 1828	1348	cmd.exe	timeout.exe
PID 1348 wrote to memory of 1828	1348	cmd.exe	timeout.exe
PID 1348 wrote to memory of 1828	1348	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\6_ico.exe
"C:\Users\Admin\AppData\Local\Temp\6_ico.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\ijaagtpkvv & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\6_ico.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\ijaagtpkvv & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\6_ico.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ijaagtpkvv\46173476.txt
MD5
1a471c0e46aed063fd02f71e4ce547f0

SHA1
efccdfdf40984c3ddfbee8464e40cb8a4cc61d35

SHA256
92a1ff79c776cd6bcabc97c87f3bf4a74c65c79b76e84ae801ad7a0d6a286244

SHA512
84d16cf4c7af3d6363255b68751fd170953c612f2eb08d25044b2b3b3963e0810dcdac7aa28ec9e3cef257d7fa2c23338e2118da6cc32f7fb7de5cf9184e3748

Download Submit
C:\ProgramData\ijaagtpkvv\8372422.txt
MD5
ae5044b0d999aebf4ebe23cf70e2b915

SHA1
0e5246e7eafbb8011ba75c344a95204a72d505cb

SHA256
3dc9a0d906a8b59bb6cb2bc6caabb1a6fd61e96343a770aac9c97e0981fc140d

SHA512
53b390a2c03fe1d8a2c806035b34ab4efc9ae38790392e00a89c251abc8f56c8ca7f82f088ed8f5c09e8c0dd2df816a46e4ae5c8a09729a41c3c16c7755196d4

Download Submit
C:\ProgramData\ijaagtpkvv\Files\_INFOR~1.TXT
MD5
7897f75e8e149105a12b6729f34a3d74

SHA1
c6cb103bead1f4210a4365b51166524487b85a25

SHA256
2d2f945c8fe0170d68b75ff9ea181775cd5633ec06f5ca934ef3d1c9b88988d6

SHA512
fa26ce3bb150c9ebf20e71152026990a2378ff8f35c991684c9546e48b30d496f1b48697000bbcbe423acf4b9f4b523500810418f5bcb1b5118545848322a46e

Download Submit
C:\ProgramData\ijaagtpkvv\NL_202~1.ZIP
MD5
b76379dfc47a77dc9d8924ce63a4f448

SHA1
523543eb1b500f01928ee3f14732641b283d14e6

SHA256
13c76a1ddce4ab859fa7008b5ab1183bb601ffda26e250a64e7756ec6ecd91d2

SHA512
af5690a1ca3bff9bcd03b0216df3483d03417bd4a73ac9a1273e8803647ea83538a48052e0b99547cd40933fa650fd7893e6728f7ebb66f78b1bff67a6e796e0

Download Submit
memory/436-18-0x0000000000000000-mapping.dmp

Download
memory/692-23-0x0000000000000000-mapping.dmp

Download
memory/964-13-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp

Filesize
2.5MB

Download
memory/1348-24-0x0000000000000000-mapping.dmp

Download
memory/1604-8-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/1604-14-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1604-12-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1604-10-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/1604-16-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1604-15-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/1604-17-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1604-11-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1604-9-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/1604-3-0x0000000004E00000-0x0000000004E11000-memory.dmp

Filesize
68KB

Download
memory/1604-7-0x0000000000B40000-0x0000000000B42000-memory.dmp

Filesize
8KB

Download
memory/1604-5-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/1604-6-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/1604-4-0x0000000076341000-0x0000000076343000-memory.dmp

Filesize
8KB

Download
memory/1604-2-0x00000000049F0000-0x0000000004A01000-memory.dmp

Filesize
68KB

Download
memory/1828-25-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing