ccf0e52e21388ebfab406f10061864daf9bca0232a7eb09f1cd5b2a036853dbe

General

Target

6_ico.exe
Size

1.8MB
MD5

f9cbb8637e9c0a5bc3ed7800a364285c
SHA1

2e990ec1fdee46b2f8aa6323f428b5b1403f451a
SHA256

ccf0e52e21388ebfab406f10061864daf9bca0232a7eb09f1cd5b2a036853dbe
SHA512

dc8233afac50dfda009108482b57548d0c5d00462c951745cb44e421c03967bb3c7cae26a464592a7a88f7100fd838b4e2e5c6999395153863c63a4cfa3ce812

Score

9^/10

evasion spyware

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6_ico.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6_ico.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

6_ico.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine 6_ico.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

6_ico.exe

pid process

528 6_ico.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2320 timeout.exe
1508 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6_ico.exe

pid process

528 6_ico.exe
528 6_ico.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	6_ico.exe

flow	ioc
11	ip-api.com

pid	process
528	6_ico.exe

pid	process
2320	timeout.exe
1508	timeout.exe

pid	process
528	6_ico.exe
528	6_ico.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6_ico.execmd.execmd.exe

description	pid	process	target process
PID 528 wrote to memory of 1164	528	6_ico.exe	cmd.exe
PID 528 wrote to memory of 1164	528	6_ico.exe	cmd.exe
PID 528 wrote to memory of 1164	528	6_ico.exe	cmd.exe
PID 1164 wrote to memory of 2320	1164	cmd.exe	timeout.exe
PID 1164 wrote to memory of 2320	1164	cmd.exe	timeout.exe
PID 1164 wrote to memory of 2320	1164	cmd.exe	timeout.exe
PID 528 wrote to memory of 1932	528	6_ico.exe	cmd.exe
PID 528 wrote to memory of 1932	528	6_ico.exe	cmd.exe
PID 528 wrote to memory of 1932	528	6_ico.exe	cmd.exe
PID 1932 wrote to memory of 1508	1932	cmd.exe	timeout.exe
PID 1932 wrote to memory of 1508	1932	cmd.exe	timeout.exe
PID 1932 wrote to memory of 1508	1932	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\6_ico.exe
"C:\Users\Admin\AppData\Local\Temp\6_ico.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\udaglcdgbtfs & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\6_ico.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:2320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\udaglcdgbtfs & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\6_ico.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\udaglcdgbtfs\46173476.txt
MD5
c0010d4f477b3a1f1655575375d92704

SHA1
9e0f5cf755aa1674ce8ac276c0acb97f450d6eb2

SHA256
33ef8204566e645fa4d882d6f99e3fd4ea79e498617b05c8ff869186c46ba201

SHA512
ac6aeeeac948e4e307ebc461c316f65df2e4ea96453a57d5a626ad08fb136310be50ab5277f2a79cfefd6996be97c8de6c62330e362101b85ef21cc5385addd6

Download Submit
C:\ProgramData\udaglcdgbtfs\8372422.txt
MD5
4a6e899492f64bff18ba4a9c4dfb0fff

SHA1
3f706240d14584ca6d64f9bda98613819fe39378

SHA256
5c101c0e1cae8c8980d501aac750a43233cb617d99b59b3913497790c29b85cf

SHA512
0a052e9f6d01f404d92ab2835e76d520a119b3b338411fc2ad7dc1dc58c141b171003f7a3078bca7088310f2830e6d8e1d06b50b2c5053188494761aebaaebe6

Download Submit
C:\ProgramData\udaglcdgbtfs\Files\_INFOR~1.TXT
MD5
c34a41c9fa74e5952d888b16829aa44f

SHA1
5cede3294d280f6c3a40eb2f7afc1e7a6abfefdb

SHA256
cf47cd2d2be93167ad2efddab042eb171b5373e534c3e7a823abf5d2334cb32f

SHA512
720840817c731daf291ea670ba91dca16f9160eb291450c99da4e1fece4fe38324121015c8ad90a3930632f34a9526e47df2cd3c19e6a7c09f11e6aaeace0a14

Download Submit
C:\ProgramData\udaglcdgbtfs\NL_202~1.ZIP
MD5
9785f9641f8bdf06909d7abb2e5fa6f0

SHA1
64224caab4a3cc08c2d346757e292f8a34e81a3d

SHA256
25bb046f3f447b0e628907e9cfa3ad7789a92e630f3ae713bf563bd8310dbfb0

SHA512
ac8d96be0fece51dcd5e7c13760642001de3366f38a3ced44a34d3b4af6b4e047bcef13af0751df3799c3abe1a79554b2aed581f112aac8a4fc573374ffba34a

Download Submit
memory/528-5-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/528-8-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/528-7-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/528-9-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/528-10-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/528-3-0x0000000005E10000-0x0000000005E11000-memory.dmp

Filesize
4KB

Download
memory/528-6-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/528-4-0x0000000077B84000-0x0000000077B85000-memory.dmp

Filesize
4KB

Download
memory/528-2-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/1164-11-0x0000000000000000-mapping.dmp

Download
memory/1508-18-0x0000000000000000-mapping.dmp

Download
memory/1932-17-0x0000000000000000-mapping.dmp

Download
memory/2320-16-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing