Analysis
- max time kernel: 600s
- max time network: 593s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 24-04-2021 05:54
- Static task: static1
General
- Target: doeihdsjfnajdfuewrywuefhsdkjaf.exe
- Size: 1.7MB
- MD5: 4db5926d31dff252464855326a137e2f
- SHA1: 9cb531b8962467f54264da21426d23445a935ce4
- SHA256: ef8ba7d931f440b4c611a539349cdef819f9d0def97dbfbdb694209d09cef511
- SHA512: 71bda130ffb78a6bd1615984e599006bf6d8f1c5e182dffcb60a4e6a3ba162f6067c7de702f8e275fd9436ef18ab27b686ce75f254d1f40d3c560e7d3f6dc5c2
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    4000  GetX64BTIT.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  doeihdsjfnajdfuewrywuefhsdkjaf.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate     doeihdsjfnajdfuewrywuefhsdkjaf.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
    flow  ioc
    18    api.ipify.org
    19    api.ipify.org
- Uses Tor communications (1 TTPs)
  Malware can proxy its traffic through Tor for more anonymity.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                          pid   process                             target process
    PID 2256 set thread context of 3616  2256  doeihdsjfnajdfuewrywuefhsdkjaf.exe  doeihdsjfnajdfuewrywuefhsdkjaf.exe
- Program crash (1 IoCs)
  Processes:
    pid  pid_target  process       target process
    740  2256        WerFault.exe  doeihdsjfnajdfuewrywuefhsdkjaf.exe
- Modifies registry class (6 IoCs)
  Processes (all by doeihdsjfnajdfuewrywuefhsdkjaf.exe):
    description      ioc
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\ = "Microsoft Windows Installer Message RPC"
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\DllVersion
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\DllVersion\ = "5.0.15063"
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\ProgId
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}\ProgId\ = "WindowsInstaller.Message"
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F81F339A-9723-F9F3-8105-47DFFBB7B538}
- NTFS ADS (2 IoCs)
  Processes:
    description                   ioc                               process
    File created                  C:\ProgramData\TEMP:AC6CA6CF      doeihdsjfnajdfuewrywuefhsdkjaf.exe
    File opened for modification  C:\ProgramData\TEMP:AC6CA6CF      doeihdsjfnajdfuewrywuefhsdkjaf.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process                             events
    3616  doeihdsjfnajdfuewrywuefhsdkjaf.exe  50
    740   WerFault.exe                        14
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
    description                          pid   process
    Token: 33                            2256  doeihdsjfnajdfuewrywuefhsdkjaf.exe
    Token: SeIncBasePriorityPrivilege    2256  doeihdsjfnajdfuewrywuefhsdkjaf.exe
    Token: SeRestorePrivilege            740   WerFault.exe
    Token: SeBackupPrivilege             740   WerFault.exe
    Token: SeDebugPrivilege              740   WerFault.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    3616  doeihdsjfnajdfuewrywuefhsdkjaf.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                      pid   process                             target process                      events
    PID 2256 wrote to memory of 3616  2256  doeihdsjfnajdfuewrywuefhsdkjaf.exe  doeihdsjfnajdfuewrywuefhsdkjaf.exe  9
    PID 3616 wrote to memory of 4000  3616  doeihdsjfnajdfuewrywuefhsdkjaf.exe  GetX64BTIT.exe                      2
Processes
- C:\Users\Admin\AppData\Local\Temp\doeihdsjfnajdfuewrywuefhsdkjaf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\doeihdsjfnajdfuewrywuefhsdkjaf.exe"
  PID: 2256
  Signatures:
  - Checks BIOS information in registry
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\doeihdsjfnajdfuewrywuefhsdkjaf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\doeihdsjfnajdfuewrywuefhsdkjaf.exe"
    PID: 3616
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
      PID: 4000
      Signatures:
      - Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1000
    PID: 740
    Signatures:
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  MD5:    b4cd27f2b37665f51eb9fe685ec1d373
  SHA1:   7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
  SHA256: 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
  SHA512: e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
- C:\Users\Admin\AppData\Local\Temp\x64btit.txt
  MD5:    3c73d9862f52d0bfd87b1b5585b9d364
  SHA1:   1f54165fcc1bee95a4cbac69ffe5d57164cbd705
  SHA256: 7c2fee000ab933db614e0b9cceb657a5eef44068ea2f6626a087fdb19493e101
  SHA512: 88089adc50aaecb3ae9e33c27814fb5316da82eca5a810f5258646a42d6be29a0651891e061a789ac737fed4b21521b4d04d2803a6495b1c6bcd98f4dea34355
- memory/2256-118-0x0000000000400000-0x0000000000655000-memory.dmp
  Filesize: 2.3MB
- memory/3616-120-0x0000000000401698-mapping.dmp
- memory/3616-119-0x0000000000400000-0x0000000000456000-memory.dmp
  Filesize: 344KB
- memory/3616-121-0x0000000000400000-0x0000000000456000-memory.dmp
  Filesize: 344KB
- memory/3616-125-0x00000000006B0000-0x000000000074F000-memory.dmp
  Filesize: 636KB
- memory/4000-122-0x0000000000000000-mapping.dmp