Analysis
-
max time kernel
122s -
max time network
121s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
19-10-2021 14:55
Static task
static1
Behavioral task
behavioral1
Sample
76ce70702f688f2e7b6e05e4e98e15f8.exe
Resource
win7-en-20211014
General
-
Target
76ce70702f688f2e7b6e05e4e98e15f8.exe
-
Size
2.6MB
-
MD5
76ce70702f688f2e7b6e05e4e98e15f8
-
SHA1
75428649e9ab1d422e2272af1e06aa862ebdf520
-
SHA256
557eb9f97fd3819344f4e170a447247ba42e8d6fbe77b0e6dcaf94eedbafd10a
-
SHA512
27296e9805534583a1f35897fe54ea40d8ec2b5989806a972f697a8c3d3fb7fbedcbb32bcf5165c53b67b7509c8361f3fcf78176c7053057e0b4450951917252
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
76ce70702f688f2e7b6e05e4e98e15f8.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 76ce70702f688f2e7b6e05e4e98e15f8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 76ce70702f688f2e7b6e05e4e98e15f8.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral1/memory/1764-57-0x0000000001000000-0x0000000001001000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
76ce70702f688f2e7b6e05e4e98e15f8.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 76ce70702f688f2e7b6e05e4e98e15f8.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
76ce70702f688f2e7b6e05e4e98e15f8.exepid process 1764 76ce70702f688f2e7b6e05e4e98e15f8.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
76ce70702f688f2e7b6e05e4e98e15f8.exepid process 1764 76ce70702f688f2e7b6e05e4e98e15f8.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
76ce70702f688f2e7b6e05e4e98e15f8.exedescription pid process Token: SeDebugPrivilege 1764 76ce70702f688f2e7b6e05e4e98e15f8.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\76ce70702f688f2e7b6e05e4e98e15f8.exe"C:\Users\Admin\AppData\Local\Temp\76ce70702f688f2e7b6e05e4e98e15f8.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764