Overview

overview

10

Static

static

7

2b54ccc44e...22.exe

windows7_x64

10

2b54ccc44e...22.exe

windows10_x64

9

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    27-07-2021 03:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b54ccc44e89581b1005e8b6f24a7822.exe

  • Size

    4.6MB

  • MD5

    2b54ccc44e89581b1005e8b6f24a7822

  • SHA1

    d7de533078a3d1204e1a0c9440501928e0cf1285

  • SHA256

    aef5c612c2920526ea0ccc636e689417885c2dfb17793de9a259d6ced6fdd7cc

  • SHA512

    c8e1bf41b5dfe40bbf39cc534099c5224851ba8b97f545262eac0790c3cc3bcc7c1d381e6f95c4c2884d3979e1ee8e51b615adc182a726d591c5eeefec5ad120

Score
10/10
evasionsuricatathemidatrojanupx

Malware Config

Signatures

  • suricata: ET MALWARE Generic gate[.].php GET with minimal headers
    suricata
  • suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
    suricata
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Executes dropped EXE 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 2 IoCs
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b54ccc44e89581b1005e8b6f24a7822.exe
    "C:\Users\Admin\AppData\Local\Temp\2b54ccc44e89581b1005e8b6f24a7822.exe"
    1⤵
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe
      "C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:392
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC56.tmp.cmd""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:664
        • C:\Windows\system32\timeout.exe
          timeout 4
          4⤵
          • Delays execution with timeout.exe
          PID:924
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /f /sc MINUTE /mo 1 /tn "MicrosoftApi" /tr "'C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:848
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {CE79554E-3DC8-4DC3-BA1E-35F76C3A9250} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe
      C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:360
      • C:\Users\Admin\AppData\Roaming\ServiceApi\MRBKYMNOAdmine.exe
        "C:\Users\Admin\AppData\Roaming\ServiceApi\MRBKYMNOAdmine.exe" --algo kawpow --server rvn.2miners.com:6060 --user RC1rszoXopQ8E24icWrqSRE8xCdsMXcWzw.Bv2 -w 0
        3⤵
        • Executes dropped EXE
        PID:1084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpAC56.tmp.cmd
    MD5

    63bab368a9ce36f0507fe97329e0ab20

    SHA1

    baccbe6de18b588046cf3001526d3f27a8ca91d7

    SHA256

    2015c77c2b3aa5dc3093e6855c8f882cae9d40e7087e1013a45e4df6dab9e158

    SHA512

    25c726d318ad3e1ce8f8a1d8f898cb8e2b76de3998ec695f2e26b3ded6fbdb29e673d32c35d3d1773cf142e6b9cea425090b4b9af2596ae32ae7424e27334356

    Download Submit
  • C:\Users\Admin\AppData\Roaming\ServiceApi\MRBKYMNOAdmine.exe
    MD5

    48e6d7bd626e9d7c0192eba46918a870

    SHA1

    5327b24d898ea440c404a6384d9dad2de80e74d4

    SHA256

    28484d217bf08c05dba373b6dada80f4a3812b1fc5820ab6ca2f09d5456671ee

    SHA512

    6625aba02ef85a919328d83c3b672ad0328f9529f702a850a9420ccfad48d811e4c73811602c91f375ca66f4e48438d970b3549a7fd94d5a801aba4b6cd91c5a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe
    MD5

    2b54ccc44e89581b1005e8b6f24a7822

    SHA1

    d7de533078a3d1204e1a0c9440501928e0cf1285

    SHA256

    aef5c612c2920526ea0ccc636e689417885c2dfb17793de9a259d6ced6fdd7cc

    SHA512

    c8e1bf41b5dfe40bbf39cc534099c5224851ba8b97f545262eac0790c3cc3bcc7c1d381e6f95c4c2884d3979e1ee8e51b615adc182a726d591c5eeefec5ad120

    Download Submit
  • C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe
    MD5

    2b54ccc44e89581b1005e8b6f24a7822

    SHA1

    d7de533078a3d1204e1a0c9440501928e0cf1285

    SHA256

    aef5c612c2920526ea0ccc636e689417885c2dfb17793de9a259d6ced6fdd7cc

    SHA512

    c8e1bf41b5dfe40bbf39cc534099c5224851ba8b97f545262eac0790c3cc3bcc7c1d381e6f95c4c2884d3979e1ee8e51b615adc182a726d591c5eeefec5ad120

    Download Submit
  • \Users\Admin\AppData\Roaming\ServiceApi\MRBKYMNOAdmine.exe
    MD5

    48e6d7bd626e9d7c0192eba46918a870

    SHA1

    5327b24d898ea440c404a6384d9dad2de80e74d4

    SHA256

    28484d217bf08c05dba373b6dada80f4a3812b1fc5820ab6ca2f09d5456671ee

    SHA512

    6625aba02ef85a919328d83c3b672ad0328f9529f702a850a9420ccfad48d811e4c73811602c91f375ca66f4e48438d970b3549a7fd94d5a801aba4b6cd91c5a

    Download Submit
  • \Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe
    MD5

    2b54ccc44e89581b1005e8b6f24a7822

    SHA1

    d7de533078a3d1204e1a0c9440501928e0cf1285

    SHA256

    aef5c612c2920526ea0ccc636e689417885c2dfb17793de9a259d6ced6fdd7cc

    SHA512

    c8e1bf41b5dfe40bbf39cc534099c5224851ba8b97f545262eac0790c3cc3bcc7c1d381e6f95c4c2884d3979e1ee8e51b615adc182a726d591c5eeefec5ad120

    Download Submit
  • memory/360-85-0x000007FE80010000-0x000007FE80011000-memory.dmp
    Filesize

    4KB

    Download
  • memory/360-86-0x000000001C1A0000-0x000000001C1A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/360-84-0x0000000000070000-0x0000000000071000-memory.dmp
    Filesize

    4KB

    Download
  • memory/360-79-0x0000000000000000-mapping.dmp
    Download
  • memory/360-82-0x000000013FF60000-0x000000013FF61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/392-69-0x00000000005F0000-0x00000000005F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/392-70-0x000007FE80010000-0x000007FE80011000-memory.dmp
    Filesize

    4KB

    Download
  • memory/392-72-0x000000013F080000-0x000000013F081000-memory.dmp
    Filesize

    4KB

    Download
  • memory/392-77-0x0000000000600000-0x0000000000601000-memory.dmp
    Filesize

    4KB

    Download
  • memory/392-66-0x0000000000000000-mapping.dmp
    Download
  • memory/664-74-0x0000000000000000-mapping.dmp
    Download
  • memory/848-78-0x0000000000000000-mapping.dmp
    Download
  • memory/924-76-0x0000000000000000-mapping.dmp
    Download
  • memory/1072-61-0x000000013FEA0000-0x000000013FEA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1072-68-0x0000000000080000-0x0000000000081000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1072-64-0x000007FE80010000-0x000007FE80011000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1072-63-0x0000000000070000-0x0000000000071000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1084-88-0x0000000000000000-mapping.dmp
    Download