Analysis
- max time kernel: 137s
- max time network: 118s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 20-10-2021 12:22
Static task: static1
Behavioral task: behavioral1
Sample: 7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
Resource: win7-en-20211014
General
- Target: 7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
- Size: 2.2MB
- MD5: 7d5d33a41a2e00a719fd1b8e99dbdfcb
- SHA1: 3eaa0173ff8b7271a38df63c57c833e0119a315f
- SHA256: d838aec8129b940ee31f463e8264e578ba28e36b2dffe4c3ad89d8d8ed16953d
- SHA512: 512fb3fb212bb168d4ba80d647f312ed39432ca6c0fa1e67aae1835b151b05a466a8854fa061eea5de38265317b82ed9a587611f222df2a981d7197f343f2d52
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
Downloads MZ/PE file
Executes dropped EXE 3 IoCs
Processes:
  pid | process
  1056 | fl.exe
  1200 | chromy.exe
  1076 | sihost32.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
Loads dropped DLL 6 IoCs
Processes:
  pid | process
  1648 | 7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
  1648 | 7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
  320 | cmd.exe
  320 | cmd.exe
  1308 | conhost.exe
  1308 | conhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
YARA matches:
  resource | yara_rule
  behavioral1/memory/1648-57-0x0000000000B30000-0x0000000000B31000-memory.dmp | themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
Drops file in System32 directory 3 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\system32\chromy.exe | conhost.exe
  File opened for modification | C:\Windows\system32\chromy.exe | conhost.exe
  File created | C:\Windows\system32\Microsoft\Telemetry\sihost32.exe | conhost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
  pid | process
  1648 | 7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
  pid | process
  1648 | 7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
  1648 | 7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
  1948 | conhost.exe
  1308 | conhost.exe
  1308 | conhost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1648 | 7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
  Token: SeDebugPrivilege | 1948 | conhost.exe
  Token: SeDebugPrivilege | 1308 | conhost.exe
Suspicious use of WriteProcessMemory 31 IoCs
Processes (identical rows collapsed; the last column gives how many times each row appears, 31 in total):
  description | pid | process | target process | count
  PID 1648 wrote to memory of 1056 | 1648 | 7d5d33a41a2e00a719fd1b8e99dbdfcb.exe | fl.exe | 4
  PID 1056 wrote to memory of 1948 | 1056 | fl.exe | conhost.exe | 4
  PID 1948 wrote to memory of 1224 | 1948 | conhost.exe | cmd.exe | 3
  PID 1224 wrote to memory of 1720 | 1224 | cmd.exe | schtasks.exe | 3
  PID 1948 wrote to memory of 320 | 1948 | conhost.exe | cmd.exe | 3
  PID 320 wrote to memory of 1200 | 320 | cmd.exe | chromy.exe | 3
  PID 1200 wrote to memory of 1308 | 1200 | chromy.exe | conhost.exe | 4
  PID 1308 wrote to memory of 1076 | 1308 | conhost.exe | sihost32.exe | 3
  PID 1076 wrote to memory of 436 | 1076 | sihost32.exe | conhost.exe | 4
Processes (process tree; the number in brackets is the depth in the tree)
[1] C:\Users\Admin\AppData\Local\Temp\7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7d5d33a41a2e00a719fd1b8e99dbdfcb.exe"
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\fl.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fl.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\conhost.exe
        Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\fl.exe"
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\cmd.exe
          Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chromy" /tr "C:\Windows\system32\chromy.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "chromy" /tr "C:\Windows\system32\chromy.exe"
            - Creates scheduled task(s)
      [4] C:\Windows\System32\cmd.exe
          Command line: "cmd" cmd /c "C:\Windows\system32\chromy.exe"
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\chromy.exe
            Command line: C:\Windows\system32\chromy.exe
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\System32\conhost.exe
              Command line: "C:\Windows\System32\conhost.exe" "C:\Windows\system32\chromy.exe"
              - Loads dropped DLL
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
                Command line: "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
                - Executes dropped EXE
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\System32\conhost.exe
                  Command line: "C:\Windows\System32\conhost.exe" "/sihost32"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads