Resubmissions
14-07-2021 20:31  210714-dsddjt2b6n  9
14-07-2021 11:13  210714-432webem26  10
14-07-2021 10:51  210714-h797jtnf2e  10
14-07-2021 10:13  210714-cjzg2qd8dn  10

Analysis
max time kernel: 1198s
max time network: 1242s
platform: windows7_x64
resource: win7v20210408
submitted: 14-07-2021 10:51

Static task: static1
Behavioral task: behavioral1
Sample: Sirus.exe
Resource: win7v20210408 (windows7_x64)
0 signatures, 0 seconds
General
Target: Sirus.exe
Size: 5.4MB
MD5: 5e4a3d8845f4f31e4d737877f0689b97
SHA1: 69bdc176295e7899c4be7125a37bed5e94df051e
SHA256: 60f649f6d971c44b959f6fef2bf1d08c3dbe00edeac7a889e81adc761ba5ddba
SHA512: 7853f295f1167bf76ae2b207814c010be30f537909552c580782c2c45fbf7f954c32d39ffd2b4629c315b520fccffb264ad21e93384c94886ff9fa42d06b9e92
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs

Checks BIOS information in registry  2 TTPs  2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Sirus.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Sirus.exe

Processes:
resource | yara_rule
behavioral1/memory/2044-60-0x00000000011F0000-0x0000000001D18000-memory.dmp | themida

Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Sirus.exe

Suspicious use of NtSetInformationThreadHideFromDebugger  1 IoCs
Processes:
pid | process
2044 | Sirus.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/2044-59-0x0000000075B31000-0x0000000075B33000-memory.dmp  Filesize: 8KB
memory/2044-60-0x00000000011F0000-0x0000000001D18000-memory.dmp  Filesize: 11.2MB
memory/2044-61-0x00000000011F1000-0x000000000125D000-memory.dmp  Filesize: 432KB
memory/2044-62-0x00000000011F1000-0x000000000125D000-memory.dmp  Filesize: 432KB