Overview

overview

10

Static

static

028d53f522...fa.exe

windows7_x64

10

028d53f522...fa.exe

windows11_x64

10

028d53f522...fa.exe

windows10_x64

10

Bot_Checker.exe

windows7_x64

3

Bot_Checker.exe

windows11_x64

10

Bot_Checker.exe

windows10_x64

10

Uninstall.exe

windows7_x64

3

Uninstall.exe

windows11_x64

6

Uninstall.exe

windows10_x64

3

Versium.exe

windows7_x64

9

Versium.exe

windows11_x64

10

Versium.exe

windows10_x64

10

VersiumRes...it.exe

windows7_x64

10

VersiumRes...it.exe

windows11_x64

10

VersiumRes...it.exe

windows10_x64

10

VersiumRes...it.exe

windows7_x64

8

VersiumRes...it.exe

windows11_x64

8

VersiumRes...it.exe

windows10_x64

8

Versiumresearch.exe

windows7_x64

10

Versiumresearch.exe

windows11_x64

Versiumresearch.exe

windows10_x64

10

Resubmissions

12-08-2021 21:22

210812-n6l9952p1a 10

12-08-2021 20:38

210812-sm95c1t59j 10

Analysis

  • max time kernel
    1786s
  • max time network
    373s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    12-08-2021 20:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bot_Checker.exe

  • Size

    56KB

  • MD5

    391ca27e1e5cc0da88d1fcc8df1d0d85

  • SHA1

    25bd7c5b7d88bcd01610226fccb0910b48dc1eee

  • SHA256

    a9ee4862c1e7931ef8366b090ac1f3212e79cc17d7737f537978d9a3fb0c5ef1

  • SHA512

    2dbb84eb664798766a669c7d407be76d5154bd7d0b99f2c2371ad0ae3e1124605df0771b228f7a3406f023fa9cbba3022afb5b48207cf1eb14d94cda7a5117f9

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 18 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
    1⤵
      PID:1884
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
      1⤵
        PID:2532
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s Browser
        1⤵
          PID:2936
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s WpnService
          1⤵
          • Modifies registry class
          PID:2696
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
          1⤵
            PID:2688
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
            1⤵
              PID:2484
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s SENS
              1⤵
                PID:1468
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                1⤵
                  PID:1392
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s Themes
                  1⤵
                    PID:1224
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                    1⤵
                      PID:1104
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                      1⤵
                        PID:1028
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                        1⤵
                          PID:60
                        • C:\Users\Admin\AppData\Local\Temp\Bot_Checker.exe
                          "C:\Users\Admin\AppData\Local\Temp\Bot_Checker.exe"
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:744
                          • C:\Users\Admin\AppData\Local\Temp\Bot_Checker.exe
                            "C:\Users\Admin\AppData\Local\Temp\Bot_Checker.exe" -a
                            2⤵
                              PID:2848
                          • \??\c:\windows\system32\svchost.exe
                            c:\windows\system32\svchost.exe -k netsvcs -s BITS
                            1⤵
                            • Suspicious use of SetThreadContext
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:556
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k SystemNetworkService
                              2⤵
                              • Drops file in System32 directory
                              • Checks processor information in registry
                              • Modifies data under HKEY_USERS
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1124
                          • C:\Windows\system32\rundll32.exe
                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                            1⤵
                            • Process spawned unexpected child process
                            • Suspicious use of WriteProcessMemory
                            PID:2136
                            • C:\Windows\SysWOW64\rundll32.exe
                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                              2⤵
                              • Loads dropped DLL
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:3656

                          Network

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\sqlite.dat
                            MD5

                            3bd3d2e6e90e58ebd3e01f3c8979c5b3

                            SHA1

                            b6dba622f48c64bcc58b1d659a768649be6254b3

                            SHA256

                            5537f65f66ba722ecd774882e18f4063496eedfc3ec079aa244b06dd1249477a

                            SHA512

                            9991b0f1c1397706da9ebcdda217b1cd06f317e9511f79a57058bd912d63260332e8a839eeaf26aa142b12f2609671c5a80059fddcf07b0592b45e5b014751d1

                            Download Submit
                          • C:\Users\Admin\AppData\Local\Temp\sqlite.dll
                            MD5

                            829c4eacad9a7d2a1cb15392007a9a99

                            SHA1

                            e21d4d178c90adadc8cc5d93db3ea9a42d1eaf30

                            SHA256

                            cfa573ccafb459b7281d9183962ad7510e7161ea79ce66bcf4affde1b2b82aec

                            SHA512

                            7ece8e670aa3dc87457c11f12558e789802475325a13c47874c0876d493d4a270cc348ebed7f49f52a6802667eecd92cddb314caf72f77b629c3cb040ccdecea

                            Download Submit
                          • \Users\Admin\AppData\Local\Temp\sqlite.dll
                            MD5

                            829c4eacad9a7d2a1cb15392007a9a99

                            SHA1

                            e21d4d178c90adadc8cc5d93db3ea9a42d1eaf30

                            SHA256

                            cfa573ccafb459b7281d9183962ad7510e7161ea79ce66bcf4affde1b2b82aec

                            SHA512

                            7ece8e670aa3dc87457c11f12558e789802475325a13c47874c0876d493d4a270cc348ebed7f49f52a6802667eecd92cddb314caf72f77b629c3cb040ccdecea

                            Download Submit
                          • memory/60-187-0x00000221E2440000-0x00000221E24B4000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/60-132-0x00000221E1DA0000-0x00000221E1E14000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/556-173-0x000001D36C500000-0x000001D36C504000-memory.dmp
                            Filesize

                            16KB

                            Download
                          • memory/556-171-0x000001D36C510000-0x000001D36C514000-memory.dmp
                            Filesize

                            16KB

                            Download
                          • memory/556-169-0x000001D36C610000-0x000001D36C614000-memory.dmp
                            Filesize

                            16KB

                            Download
                          • memory/556-131-0x000001D36C880000-0x000001D36C8CD000-memory.dmp
                            Filesize

                            308KB

                            Download
                          • memory/556-134-0x000001D36C940000-0x000001D36C9B4000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/556-170-0x000001D36C500000-0x000001D36C501000-memory.dmp
                            Filesize

                            4KB

                            Download
                          • memory/1028-158-0x0000012E5A400000-0x0000012E5A474000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/1028-191-0x0000012E5A4F0000-0x0000012E5A564000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/1104-157-0x000002303E330000-0x000002303E3A4000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/1104-190-0x000002303EF70000-0x000002303EFE4000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/1124-167-0x0000021F28790000-0x0000021F287AB000-memory.dmp
                            Filesize

                            108KB

                            Download
                          • memory/1124-130-0x0000021F26F70000-0x0000021F26FE4000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/1124-121-0x00007FF708674060-mapping.dmp
                            Download
                          • memory/1124-168-0x0000021F29700000-0x0000021F29806000-memory.dmp
                            Filesize

                            1.0MB

                            Download
                          • memory/1224-161-0x0000023396D60000-0x0000023396DD4000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/1224-194-0x00000233977B0000-0x0000023397824000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/1392-162-0x0000027288860000-0x00000272888D4000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/1392-195-0x0000027288980000-0x00000272889F4000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/1468-192-0x0000019D25200000-0x0000019D25274000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/1468-159-0x0000019D24FD0000-0x0000019D25044000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/1884-193-0x000001CDDF240000-0x000001CDDF2B4000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/1884-160-0x000001CDDE810000-0x000001CDDE884000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/2484-188-0x00000297CBBB0000-0x00000297CBC24000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/2484-137-0x00000297CB540000-0x00000297CB5B4000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/2532-156-0x000002BBCA740000-0x000002BBCA7B4000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/2532-189-0x000002BBCA830000-0x000002BBCA8A4000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/2688-196-0x000001A8E4D40000-0x000001A8E4DB4000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/2688-163-0x000001A8E3E60000-0x000001A8E3ED4000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/2696-185-0x0000025BCB2C0000-0x0000025BCB2C2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2696-155-0x0000025BCB2C0000-0x0000025BCB2C2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2696-164-0x0000025BCB8A0000-0x0000025BCB914000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/2696-197-0x0000025BCBE40000-0x0000025BCBEB4000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/2848-114-0x0000000000000000-mapping.dmp
                            Download
                          • memory/2936-186-0x000001EBF4490000-0x000001EBF4504000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/2936-136-0x000001EBF4410000-0x000001EBF4484000-memory.dmp
                            Filesize

                            464KB

                            Download
                          • memory/3656-128-0x0000000004760000-0x00000000047BF000-memory.dmp
                            Filesize

                            380KB

                            Download
                          • memory/3656-125-0x00000000011CC000-0x00000000012CD000-memory.dmp
                            Filesize

                            1.0MB

                            Download
                          • memory/3656-116-0x0000000000000000-mapping.dmp
                            Download