General
Target: Posiflex.Usb.Cash.Drawer.Funct.serial.maker.zip
Size: 8.1MB
Sample: 210307-ef52vwb91a
MD5: c9adad29d181ea555f61a775ee2b0685
SHA1: 2a257debe4b0aa8efb62df5757e1dbaf132f5904
SHA256: 27bac80b4c56958ea892bfc18db5648674c7870f6d3ff84669186b8cd341ef24
SHA512: 7550cac20cf1ca87755e0d1a932aba530f34c109b927b8ef313b8ca414b9aa851081dff2c35a84a8acefec21d532867d407121e7997587e89b2330f8ef928b76
Static task: static1
Behavioral task: behavioral1 (sample Posiflex.Usb.Cash.Drawer.Funct.serial.maker.exe, resource win10v20201028)
Behavioral task: behavioral2 (sample Posiflex.Usb.Cash.Drawer.Funct.serial.maker.exe, resource win10v20201028)
Behavioral task: behavioral3 (sample Posiflex.Usb.Cash.Drawer.Funct.serial.maker.exe, resource win10v20201028)
Behavioral task: behavioral4 (sample Posiflex.Usb.Cash.Drawer.Funct.serial.maker.exe, resource win10v20201028)
Malware Config
Extracted: azorult (http://kvaka.li/1210776429.php)
Extracted: metasploit (windows/single_exec)
Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Targets
Target: Posiflex.Usb.Cash.Drawer.Funct.serial.maker.exe
Size: 8.2MB
MD5: 0c6227ffb549565c7592df14866df335
SHA1: 35aece1a19f8361e3cefddff8c1a6b39a7a195ab
SHA256: a1db3f4ef1f0b13d2754139bcf170e33643482cafe907f0d5278259d15a6b2d3
SHA512: a515b4e48b9f535fdfe6c6adc9c64e077bf43d32d87de25f7a1579cf504da311b919f55d6985ef4c0bb821eeb25310dd1b9c01c2c137f99e31b32d619ed3705a
Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Glupteba Payload
MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
Grants admin privileges
  Uses net.exe to modify the user's privileges.
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies boot configuration data using bcdedit
Nirsoft
XMRig Miner Payload
Blocklisted process makes network request
Drops file in Drivers directory
Executes dropped EXE
Looks for VMWare Tools registry key
Modifies Installed Components in the registry
Modifies RDP port number used by Windows
Modifies Windows Firewall
Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
Sets DLL path for service in the registry
Sets service image path in registry
Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Deletes itself
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks for any installed AV software in registry
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension
Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
  Account Manipulation: 1
  Registry Run Keys / Startup Folder: 4
  Modify Existing Service: 1
  Bootkit: 1
  Scheduled Task: 1
Defense Evasion
  Disabling Security Tools: 2
  Modify Registry: 9
  Virtualization/Sandbox Evasion: 2
  Impair Defenses: 1
  Install Root Certificate: 1