Analysis
Max time kernel: 150s
Max time network: 123s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 21-04-2021 09:51

Static task: static1
Behavioral task: behavioral1
  Sample: malware_sfx_v2.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: malware_sfx_v2.exe
  Resource: win10v20210410
General
Target: malware_sfx_v2.exe
Size: 11.7MB
MD5: 19c56bb998234db3b6ebfbe869ec04df
SHA1: 36c9ddc3204603890ee817c0d0f7fddafe4ed402
SHA256: ce70da91a13434b7f62a55ed34607b1319599ebe502b65129d8b25888f68e4cf
SHA512: d9dfc7a405fb40d055d8c3028add0ca436ec68aab154afb7ea86ce799266350313778f6d78dc17d6d915cea16d5a5daa56ff5c01814f3ece2922aa28eddb5343
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]

- Executes dropped EXE [1 IoC]
  Processes:
    pid 420  sample.exe

- Checks BIOS information in registry [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  sample.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   sample.exe

- Loads dropped DLL [3 IoCs]
  Processes:
    pid 420  sample.exe (three DLL load events)

- YARA rule match: themida
  Resources:
    C:\Users\Admin\AppData\Local\Temp\7zS017807D3\Avira.OE.NativeCore.dll  themida
    \Users\Admin\AppData\Local\Temp\7zS017807D3\Avira.OE.NativeCore.dll     themida
    behavioral2/memory/420-124-0x00000000713E0000-0x0000000073705000-memory.dmp  themida

- Checks whether UAC is enabled
  Processes:
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  sample.exe

- Looks up external IP address via web service [1 IoC]
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network:
    flow 12  ipinfo.io

- Writes to the Master Boot Record (MBR) [1 TTP, 1 IoC]
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    File opened for modification  \??\PhysicalDrive0  sample.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoC]
  Processes:
    pid 420  sample.exe

- Enumerates physical storage devices [1 TTP]
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Script User-Agent [5 IoCs]
  Uses a user-agent string associated with a script host/environment.
  Network:
    HTTP User-Agent header  flows 13, 14, 15, 16, 17  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

- Suspicious behavior: EnumeratesProcesses [64 IoCs]
  Processes:
    pid 420  sample.exe (one row per IoC; all 64 rows are the same process)

- Suspicious behavior: GetForegroundWindowSpam [1 IoC]
  Processes:
    pid 420  sample.exe

- Suspicious use of SetWindowsHookEx [1 IoC]
  Processes:
    pid 420  sample.exe

- Suspicious use of WriteProcessMemory [3 IoCs]
  Processes:
    PID 1808 (malware_sfx_v2.exe) wrote to memory of PID 420 (sample.exe), three times
Processes
- C:\Users\Admin\AppData\Local\Temp\malware_sfx_v2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\malware_sfx_v2.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zS017807D3\sample.exe
    Command line: .\sample.exe
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files:
- C:\Users\Admin\AppData\Local\Temp\7zS017807D3\Avira.OE.NativeCore.dll
- C:\Users\Admin\AppData\Local\Temp\7zS017807D3\MSVCP120.dll
- C:\Users\Admin\AppData\Local\Temp\7zS017807D3\MSVCR120.dll
- C:\Users\Admin\AppData\Local\Temp\7zS017807D3\sample.exe
Memory dumps:
- memory/420-114-0x0000000000000000-mapping.dmp
- memory/420-123-0x0000000077300000-0x000000007748E000-memory.dmp (1.6MB)
- memory/420-124-0x00000000713E0000-0x0000000073705000-memory.dmp (35.1MB)
- memory/420-125-0x00000000713E1000-0x000000007190A000-memory.dmp (5.2MB)
- memory/420-126-0x0000000000A20000-0x0000000000B6A000-memory.dmp (1.3MB)