Analysis
- max time kernel: 114s
- max time network: 119s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 28-09-2021 16:12
Static task: static1
Behavioral task: behavioral1
Sample: s.exe
Resource: win7v20210408 (windows7_x64)
0 signatures
0 seconds
General
- Target: s.exe
- Size: 4.8MB
- MD5: c04496520501bc6a3b3f0b7f5f875a32
- SHA1: 49e280e408a6df27295abf3d504003cbceeb00d8
- SHA256: 3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3
- SHA512: de333be3cd173a96579e95410fe92b8a4e5976b80451601bcf300eb2f3405be91983edb83881dd7f1d02aef6c0a5cadc00850c0536b2254ad710808d5cf183eb
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | s.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | s.exe
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule match
Processes:
resource | yara_rule
behavioral2/memory/2276-117-0x0000000000130000-0x0000000000131000-memory.dmp | themida
- Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | s.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (14 IoCs)
Processes:
pid | process
2276 | s.exe (14 identical entries)
- Program crash (1 IoC)
Processes:
pid | pid_target | process | target process
376 | 2276 | WerFault.exe | s.exe
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
pid | process
2276 | s.exe (6 entries)
376 | WerFault.exe (14 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2276 | s.exe
Token: SeRestorePrivilege | 376 | WerFault.exe
Token: SeBackupPrivilege | 376 | WerFault.exe
Token: SeDebugPrivilege | 376 | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\s.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\s.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 2524
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2276-115-0x0000000077CD0000-0x0000000077E5E000-memory.dmp (Filesize 1.6MB)
- memory/2276-117-0x0000000000130000-0x0000000000131000-memory.dmp (Filesize 4KB)
- memory/2276-119-0x0000000005740000-0x0000000005741000-memory.dmp (Filesize 4KB)
- memory/2276-120-0x00000000059A0000-0x00000000059A1000-memory.dmp (Filesize 4KB)
- memory/2276-121-0x0000000006350000-0x0000000006351000-memory.dmp (Filesize 4KB)
- memory/2276-122-0x0000000005EC0000-0x0000000005EC1000-memory.dmp (Filesize 4KB)
- memory/2276-123-0x0000000006850000-0x0000000006851000-memory.dmp (Filesize 4KB)
- memory/2276-124-0x00000000059A3000-0x00000000059A5000-memory.dmp (Filesize 8KB)
- memory/2276-125-0x00000000059A5000-0x00000000059A6000-memory.dmp (Filesize 4KB)