Analysis
max time kernel: 82s
max time network: 82s
platform: windows7_x64
resource: win7v20210410
submitted: 11/05/2021, 10:11

Static task: static1
Behavioral task: behavioral1
Sample: a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe
Resource: win7v20210410
General
Target: a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe
Size: 2.8MB
MD5: 5acbc07010e56263682b0a59f0005794
SHA1: a9bbf6ea962979daebeceab63d27a37a3c32e5ac
SHA256: a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c
SHA512: c398af2f5e7020f4be17d36c9c2a57090f23ad73c86079df4db414157397ed48fa3195335dec7964fb91a74fa4728c995a4594bb1463ffb18b57b5e6d32a2d31
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)  [2 TTPs]

Checks BIOS information in registry  [2 TTPs, 2 IoCs]
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                               Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe

Deletes itself  [1 IoCs]
  pid   Process
  592   cmd.exe

Reads user/profile data of web browsers  [2 TTPs]
Infostealers often target stored browser data, which can include saved credentials etc.

YARA rule match
  resource                                                             yara_rule
  behavioral1/memory/1052-60-0x0000000000400000-0x0000000000AFE000-memory.dmp   themida

Accesses cryptocurrency files/wallets, possible credential harvesting  [2 TTPs]

Checks installed software on the system  [1 TTPs]
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
  description        ioc                                                                          Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe

Looks up external IP address via web service  [1 IoCs]
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  5      ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger  [1 IoCs]
  pid    Process
  1052   a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe

Enumerates physical storage devices  [1 TTPs]
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry  [2 TTPs, 2 IoCs]
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                  Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe

Delays execution with timeout.exe  [1 IoCs]
  pid   Process
  828   timeout.exe

Suspicious use of FindShellTrayWindow  [1 IoCs]
  pid    Process
  1052   a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe

Suspicious use of WriteProcessMemory  [8 IoCs]
  description                      pid    Process                                                                 procid_target
  PID 1052 wrote to memory of 592  1052   a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe   31
  PID 1052 wrote to memory of 592  1052   a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe   31
  PID 1052 wrote to memory of 592  1052   a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe   31
  PID 1052 wrote to memory of 592  1052   a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe   31
  PID 592 wrote to memory of 828   592    cmd.exe                                                                 33
  PID 592 wrote to memory of 828   592    cmd.exe                                                                 33
  PID 592 wrote to memory of 828   592    cmd.exe                                                                 33
  PID 592 wrote to memory of 828   592    cmd.exe                                                                 33
Processes

C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe
  "C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 1052

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\aRuqKYUHjcVND & timeout 1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 592

    C:\Windows\SysWOW64\timeout.exe
      timeout 1
      - Delays execution with timeout.exe
      PID: 828