Analysis
Max time kernel: 21s
Max time network: 112s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 26-02-2021 22:24

Static task: static1
Behavioral task: behavioral1
Sample: 6_ico.exe
Resource: win7v20201028
General
Target: 6_ico.exe
Size: 1.8MB
MD5: f9cbb8637e9c0a5bc3ed7800a364285c
SHA1: 2e990ec1fdee46b2f8aa6323f428b5b1403f451a
SHA256: ccf0e52e21388ebfab406f10061864daf9bca0232a7eb09f1cd5b2a036853dbe
SHA512: dc8233afac50dfda009108482b57548d0c5d00462c951745cb44e421c03967bb3c7cae26a464592a7a88f7100fd838b4e2e5c6999395153863c63a4cfa3ce812
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]

Checks BIOS information in registry [2 TTPs, 2 IoCs]
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   6_ico.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    6_ico.exe

Identifies Wine through registry keys [2 TTPs, 1 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  description  ioc                                                                              process
  Key opened   \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine      6_ico.exe
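The three registry-based checks above (VirtualBox ACPI values, BIOS version strings, the Wine key) can be matched from the same kind of key-access telemetry the sandbox recorded. The following is an added example, not the sandbox's own signature engine: the event list is constructed from the IoCs in this report plus one hypothetical VirtualBox ACPI access and one benign access; the VBOX__ ACPI key paths and the vendor markers in vm_vendor_from_bios are assumptions about what such a check typically looks for, not values taken from this report.

```python
"""Match registry key accesses against the anti-analysis checks flagged above.

Added example; the events are constructed from this report's IoCs plus one
hypothetical VirtualBox ACPI access and one benign access.
"""
import re
from typing import List, Optional, Tuple

# Native registry prefixes as they appear in the report, mapped to hive names.
HIVES = (("REGISTRY\\MACHINE", "HKLM"), ("REGISTRY\\USER", "HKU"))

# (signature name, regex over the normalised path). The VBOX__ ACPI table
# names are the usual VirtualBox OEM-ID keys; the report names the signature
# but not the exact key it matched, so that pattern is an assumption.
RULES = [
    ("Checks BIOS information in registry",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("Identifies Wine through registry keys",
     re.compile(r"^HKU\\[^\\]+\\Software\\Wine(\\|$)", re.I)),
    ("Identifies VirtualBox via ACPI registry values",
     re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
]

# Hypervisor vendor markers commonly found in SystemBiosVersion /
# VideoBiosVersion on virtual machines (assumption about what the sample
# compares against; the report does not show the values it read back).
VENDOR_MARKERS = {"VBOX": "VirtualBox", "VMWARE": "VMware", "QEMU": "QEMU", "BOCHS": "Bochs"}

# Constructed telemetry: (process, operation, key).
EVENTS = [
    ("6_ico.exe", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("6_ico.exe", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("6_ico.exe", "Key opened",
     r"\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine"),
    ("6_ico.exe", "Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),  # hypothetical
    ("explorer.exe", "Key opened",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),       # benign
]


def normalise(key: str) -> str:
    """Rewrite \\REGISTRY\\MACHINE\\... and \\REGISTRY\\USER\\... as HKLM\\... and HKU\\..."""
    key = key.strip("\\")
    upper = key.upper()
    for native, hive in HIVES:
        if upper.startswith(native):
            return hive + key[len(native):]
    return key


def classify(events) -> List[Tuple[str, str, str]]:
    """Return (process, signature, normalised key) for every event a rule matches."""
    hits = []
    for process, _operation, key in events:
        path = normalise(key)
        for name, pattern in RULES:
            if pattern.search(path):
                hits.append((process, name, path))
    return hits


def vm_vendor_from_bios(value: str) -> Optional[str]:
    """The comparison the sample most likely performs on the BIOS strings it read."""
    upper = value.upper()
    for marker, vendor in VENDOR_MARKERS.items():
        if marker in upper:
            return vendor
    return None


if __name__ == "__main__":
    for process, name, path in classify(EVENTS):
        print(f"{process:12} {name:48} {path}")
    print(vm_vendor_from_bios("VBOX   - 1"))  # shape of a typical VirtualBox SystemBiosVersion
```

The rules key on the normalised path rather than the raw \REGISTRY\... form so the same patterns work on Sysmon event 12/13 data, which reports HKLM/HKU paths; the per-user Wine key is matched under any SID.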
Reads user/profile data of web browsers [2 TTPs]
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service [1 IoCs]
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  11    ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoCs]
NtSetInformationThread with the ThreadHideFromDebugger information class stops the target thread from sending debug events, so an attached debugger no longer sees exceptions or breakpoints from it. It is a common anti-debugging trick and sits alongside the VM and Wine checks above.
Processes:
  pid  process
  528  6_ico.exe

Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the signature's generic description. The rest of this sample's behaviour, reading browser data, looking up the external IP and staging .txt/.zip files under C:\ProgramData before self-deleting, fits an infostealer enumerating drives to collect files rather than ransomware.)

Delays execution with timeout.exe [2 IoCs]
Processes:
  pid   process
  2320  timeout.exe
  1508  timeout.exe

Suspicious behavior: EnumeratesProcesses [2 IoCs]
Processes:
  pid  process
  528  6_ico.exe
  528  6_ico.exe

Suspicious use of WriteProcessMemory [12 IoCs]
Processes:
  description                       pid   process    target process  events
  PID 528 wrote to memory of 1164   528   6_ico.exe  cmd.exe         3
  PID 1164 wrote to memory of 2320  1164  cmd.exe    timeout.exe     3
  PID 528 wrote to memory of 1932   528   6_ico.exe  cmd.exe         3
  PID 1932 wrote to memory of 1508  1932  cmd.exe    timeout.exe     3
Every write goes from a parent to its own direct child, three writes per child; that is consistent with ordinary process start-up (the parent populating the new process before it runs) rather than injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\6_ico.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6_ico.exe"
   - Checks BIOS information in registry
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\udaglcdgbtfs & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\6_ico.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 2
         - Delays execution with timeout.exe

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\udaglcdgbtfs & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\6_ico.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 2
         - Delays execution with timeout.exe

The children resolve to C:\Windows\SysWOW64\ although their command lines name C:\Windows\system32\: WoW64 file-system redirection maps a 32-bit process's System32 requests to SysWOW64, so the parent is a 32-bit process. The chain itself is a cleanup-and-self-delete: rd /s /q removes the staging directory C:\ProgramData\udaglcdgbtfs that holds the dropped files listed under Downloads, timeout 2 gives the parent time to exit so its image is no longer locked, and del /f /q then removes the sample from disk. The sample spawned the same chain twice.
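The cmd.exe chain in the process tree above (remove the staging directory, wait with timeout.exe, delete the parent's own image) can be recognised from process-creation telemetry alone. The following is an added example, not the sandbox's code: it parses a cmd.exe /c chain and reports a finding when a del target equals the parent image; the parent path and command line are constructed from this report's process tree.

```python
"""Flag a cmd.exe child whose /c chain deletes the image of its own parent.

Added example; the parent path and command line below are constructed from
the process tree in this report (PID 528 spawning cmd.exe twice).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

PARENT_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\6_ico.exe"
CHILD_CMDLINE = (
    r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\udaglcdgbtfs'
    r' & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\6_ico.exe"'
)


def split_unquoted(text: str, seps: str) -> List[str]:
    """Split on any character in `seps` that sits outside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch in seps and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def tokens(command: str) -> List[str]:
    """Whitespace-split one command and drop the quotes around quoted paths."""
    return [t.strip('"') for t in split_unquoted(command, " \t")]


@dataclass
class SelfDeleteFinding:
    deleted: str                  # del target that matches the parent image
    delay_seconds: Optional[int]  # value passed to timeout, if present
    removed_dirs: List[str] = field(default_factory=list)  # rd/rmdir targets


def find_self_delete(parent_image: str, cmdline: str) -> Optional[SelfDeleteFinding]:
    """Return a finding when `cmdline` is a cmd.exe /c or /k chain deleting `parent_image`."""
    head = tokens(cmdline)
    if not head or not head[0].lower().endswith("cmd.exe"):
        return None
    m = re.search(r"\s/[ck]\s+(.*)$", cmdline, re.IGNORECASE | re.DOTALL)
    if not m:
        return None
    delay, removed, deleted = None, [], None
    # cmd.exe chains commands with &, && and ||; all three split the same way here.
    for command in split_unquoted(m.group(1), "&|"):
        toks = tokens(command)
        if not toks:
            continue
        verb, args = toks[0].lower(), toks[1:]
        operands = [a for a in args if not a.startswith("/")]
        if verb == "timeout":
            numbers = [a for a in args if a.lstrip("-").isdigit()]
            delay = int(numbers[0]) if numbers else delay
        elif verb in ("rd", "rmdir"):
            removed.extend(operands)
        elif verb in ("del", "erase"):
            for target in operands:
                # Windows paths are case-insensitive, so compare folded.
                if target.lower() == parent_image.lower():
                    deleted = target
    if deleted is None:
        return None
    return SelfDeleteFinding(deleted, delay, removed)


if __name__ == "__main__":
    print(find_self_delete(PARENT_IMAGE, CHILD_CMDLINE))
```

The check keys on the relationship between the del operand and the parent image rather than on the directory name, so a renamed staging directory or a different delay still triggers it; a plain `cmd.exe /c del` of some other file from the same parent does not.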
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\udaglcdgbtfs\46173476.txt
MD5: c0010d4f477b3a1f1655575375d92704
SHA1: 9e0f5cf755aa1674ce8ac276c0acb97f450d6eb2
SHA256: 33ef8204566e645fa4d882d6f99e3fd4ea79e498617b05c8ff869186c46ba201
SHA512: ac6aeeeac948e4e307ebc461c316f65df2e4ea96453a57d5a626ad08fb136310be50ab5277f2a79cfefd6996be97c8de6c62330e362101b85ef21cc5385addd6

C:\ProgramData\udaglcdgbtfs\8372422.txt
MD5: 4a6e899492f64bff18ba4a9c4dfb0fff
SHA1: 3f706240d14584ca6d64f9bda98613819fe39378
SHA256: 5c101c0e1cae8c8980d501aac750a43233cb617d99b59b3913497790c29b85cf
SHA512: 0a052e9f6d01f404d92ab2835e76d520a119b3b338411fc2ad7dc1dc58c141b171003f7a3078bca7088310f2830e6d8e1d06b50b2c5053188494761aebaaebe6

C:\ProgramData\udaglcdgbtfs\Files\_INFOR~1.TXT
MD5: c34a41c9fa74e5952d888b16829aa44f
SHA1: 5cede3294d280f6c3a40eb2f7afc1e7a6abfefdb
SHA256: cf47cd2d2be93167ad2efddab042eb171b5373e534c3e7a823abf5d2334cb32f
SHA512: 720840817c731daf291ea670ba91dca16f9160eb291450c99da4e1fece4fe38324121015c8ad90a3930632f34a9526e47df2cd3c19e6a7c09f11e6aaeace0a14

C:\ProgramData\udaglcdgbtfs\NL_202~1.ZIP
MD5: 9785f9641f8bdf06909d7abb2e5fa6f0
SHA1: 64224caab4a3cc08c2d346757e292f8a34e81a3d
SHA256: 25bb046f3f447b0e628907e9cfa3ad7789a92e630f3ae713bf563bd8310dbfb0
SHA512: ac8d96be0fece51dcd5e7c13760642001de3366f38a3ced44a34d3b4af6b4e047bcef13af0751df3799c3abe1a79554b2aed581f112aac8a4fc573374ffba34a
Memory dumps:
  memory/528-5-0x00000000057D0000-0x00000000057D1000-memory.dmp   Filesize: 4KB
  memory/528-8-0x00000000057B0000-0x00000000057B1000-memory.dmp   Filesize: 4KB
  memory/528-7-0x00000000057E0000-0x00000000057E1000-memory.dmp   Filesize: 4KB
  memory/528-9-0x00000000057A0000-0x00000000057A1000-memory.dmp   Filesize: 4KB
  memory/528-10-0x00000000057F0000-0x00000000057F1000-memory.dmp  Filesize: 4KB
  memory/528-3-0x0000000005E10000-0x0000000005E11000-memory.dmp   Filesize: 4KB
  memory/528-6-0x00000000057C0000-0x00000000057C1000-memory.dmp   Filesize: 4KB
  memory/528-4-0x0000000077B84000-0x0000000077B85000-memory.dmp   Filesize: 4KB
  memory/528-2-0x0000000005610000-0x0000000005611000-memory.dmp   Filesize: 4KB
  memory/1164-11-0x0000000000000000-mapping.dmp
  memory/1508-18-0x0000000000000000-mapping.dmp
  memory/1932-17-0x0000000000000000-mapping.dmp
  memory/2320-16-0x0000000000000000-mapping.dmp