Analysis
- max time kernel: 131s
- max time network: 134s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 20-10-2021 12:22
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
- Resource: win7-en-20211014
General
- Target: 7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
- Size: 2.2MB
- MD5: 7d5d33a41a2e00a719fd1b8e99dbdfcb
- SHA1: 3eaa0173ff8b7271a38df63c57c833e0119a315f
- SHA256: d838aec8129b940ee31f463e8264e578ba28e36b2dffe4c3ad89d8d8ed16953d
- SHA512: 512fb3fb212bb168d4ba80d647f312ed39432ca6c0fa1e67aae1835b151b05a466a8854fa061eea5de38265317b82ed9a587611f222df2a981d7197f343f2d52
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]
- Downloads MZ/PE file
- Executes dropped EXE [3 IoCs]
  Processes:
    pid    process
    704    fl.exe
    2704   chromy.exe
    5008   sihost32.exe
- Checks BIOS information in registry [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description         ioc                                                               process
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
- Reads user/profile data of web browsers [2 TTPs]
  Infostealers often target stored browser data, which can include saved credentials etc.
- Processes:
    resource                                                                         yara_rule
    behavioral2/memory/3464-118-0x0000000000ED0000-0x0000000000ED1000-memory.dmp   themida
- Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]
- Checks installed software on the system [1 TTPs]
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Processes:
    description         ioc                                                                                  process
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
- Drops file in System32 directory [3 IoCs]
  Processes:
    description                    ioc                                                     process
    File created                   C:\Windows\system32\chromy.exe                          conhost.exe
    File opened for modification   C:\Windows\system32\chromy.exe                          conhost.exe
    File created                   C:\Windows\system32\Microsoft\Telemetry\sihost32.exe    conhost.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoCs]
  Processes:
    pid    process
    3464   7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
- Enumerates physical storage devices [1 TTPs]
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) [1 TTPs, 1 IoCs]
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses [6 IoCs]
  Processes:
    pid    process
    3464   7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
    3464   7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
    3464   7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
    1336   conhost.exe
    3164   conhost.exe
    3164   conhost.exe
- Suspicious use of AdjustPrivilegeToken [3 IoCs]
  Processes:
    description               pid    process
    Token: SeDebugPrivilege   3464   7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
    Token: SeDebugPrivilege   1336   conhost.exe
    Token: SeDebugPrivilege   3164   conhost.exe
- Suspicious use of WriteProcessMemory [21 IoCs]
  Processes:
    description                         pid    process                                target process
    PID 3464 wrote to memory of 704     3464   7d5d33a41a2e00a719fd1b8e99dbdfcb.exe   fl.exe
    PID 3464 wrote to memory of 704     3464   7d5d33a41a2e00a719fd1b8e99dbdfcb.exe   fl.exe
    PID 704 wrote to memory of 1336     704    fl.exe                                 conhost.exe
    PID 704 wrote to memory of 1336     704    fl.exe                                 conhost.exe
    PID 704 wrote to memory of 1336     704    fl.exe                                 conhost.exe
    PID 1336 wrote to memory of 1904    1336   conhost.exe                            cmd.exe
    PID 1336 wrote to memory of 1904    1336   conhost.exe                            cmd.exe
    PID 1904 wrote to memory of 2136    1904   cmd.exe                                schtasks.exe
    PID 1904 wrote to memory of 2136    1904   cmd.exe                                schtasks.exe
    PID 1336 wrote to memory of 2464    1336   conhost.exe                            cmd.exe
    PID 1336 wrote to memory of 2464    1336   conhost.exe                            cmd.exe
    PID 2464 wrote to memory of 2704    2464   cmd.exe                                chromy.exe
    PID 2464 wrote to memory of 2704    2464   cmd.exe                                chromy.exe
    PID 2704 wrote to memory of 3164    2704   chromy.exe                             conhost.exe
    PID 2704 wrote to memory of 3164    2704   chromy.exe                             conhost.exe
    PID 2704 wrote to memory of 3164    2704   chromy.exe                             conhost.exe
    PID 3164 wrote to memory of 5008    3164   conhost.exe                            sihost32.exe
    PID 3164 wrote to memory of 5008    3164   conhost.exe                            sihost32.exe
    PID 5008 wrote to memory of 956     5008   sihost32.exe                           conhost.exe
    PID 5008 wrote to memory of 956     5008   sihost32.exe                           conhost.exe
    PID 5008 wrote to memory of 956     5008   sihost32.exe                           conhost.exe
Processes (process tree; indented entries are children of the process above them)
- C:\Users\Admin\AppData\Local\Temp\7d5d33a41a2e00a719fd1b8e99dbdfcb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7d5d33a41a2e00a719fd1b8e99dbdfcb.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\fl.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fl.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\conhost.exe
      Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\fl.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\cmd.exe
        Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chromy" /tr "C:\Windows\system32\chromy.exe"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "chromy" /tr "C:\Windows\system32\chromy.exe"
          - Creates scheduled task(s)
      - C:\Windows\System32\cmd.exe
        Command line: "cmd" cmd /c "C:\Windows\system32\chromy.exe"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\chromy.exe
          Command line: C:\Windows\system32\chromy.exe
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          - C:\Windows\System32\conhost.exe
            Command line: "C:\Windows\System32\conhost.exe" "C:\Windows\system32\chromy.exe"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
              Command line: "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
              - C:\Windows\System32\conhost.exe
                Command line: "C:\Windows\System32\conhost.exe" "/sihost32"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
  MD5:    84f2160705ac9a032c002f966498ef74
  SHA1:   e9f3db2e1ad24a4f7e5c203af03bbc07235e704c
  SHA256: 7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93
  SHA512: f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57
- C:\Users\Admin\AppData\Local\Temp\fl.exe
  MD5:    e95e86d659892b5da6feb76ca02c9ead
  SHA1:   667d39845315f8c80887d4659bf5391da79b1fa4
  SHA256: 9b98e63ce78e2bf53d7aa17a5962c78ce191a3ad1029325e614da9a715d1ad93
  SHA512: 8f9046f256c74300c273937be58ca995961f387f5339614247e9e3367793eb701db3a1b65997f9098e36846347b2216934b8f1070a84b27cc145ab1dd3ea863b
- C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
  MD5:    6115dc43764a4b6d1f34abd22b07603b
  SHA1:   6c2c14f55abbcc7e1ba36bcd2872985aca2e51fc
  SHA256: 322139740c555577b8ce6830cd699ab2a4816ebc500e6241b2a000bc912e4f84
  SHA512: fca1bf89dd13ba9877b15d4b23c982465d7f7f2f4f86c65a696920be8e61971f4e0792f6444ab6b8c0d4cb9a16d4d398e2356b01f11e8e4196930b644cf02a66
- C:\Windows\System32\chromy.exe
  MD5:    e95e86d659892b5da6feb76ca02c9ead
  SHA1:   667d39845315f8c80887d4659bf5391da79b1fa4
  SHA256: 9b98e63ce78e2bf53d7aa17a5962c78ce191a3ad1029325e614da9a715d1ad93
  SHA512: 8f9046f256c74300c273937be58ca995961f387f5339614247e9e3367793eb701db3a1b65997f9098e36846347b2216934b8f1070a84b27cc145ab1dd3ea863b
- C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
  MD5:    6115dc43764a4b6d1f34abd22b07603b
  SHA1:   6c2c14f55abbcc7e1ba36bcd2872985aca2e51fc
  SHA256: 322139740c555577b8ce6830cd699ab2a4816ebc500e6241b2a000bc912e4f84
  SHA512: fca1bf89dd13ba9877b15d4b23c982465d7f7f2f4f86c65a696920be8e61971f4e0792f6444ab6b8c0d4cb9a16d4d398e2356b01f11e8e4196930b644cf02a66
- C:\Windows\system32\chromy.exe
  MD5:    e95e86d659892b5da6feb76ca02c9ead
  SHA1:   667d39845315f8c80887d4659bf5391da79b1fa4
  SHA256: 9b98e63ce78e2bf53d7aa17a5962c78ce191a3ad1029325e614da9a715d1ad93
  SHA512: 8f9046f256c74300c273937be58ca995961f387f5339614247e9e3367793eb701db3a1b65997f9098e36846347b2216934b8f1070a84b27cc145ab1dd3ea863b
- memory/704-134-0x0000000000000000-mapping.dmp
- memory/956-187-0x000002501F4F0000-0x000002501F4F2000-memory.dmp (Filesize: 8KB)
- memory/956-180-0x000002501DC80000-0x000002501DC82000-memory.dmp (Filesize: 8KB)
- memory/956-178-0x000002501DC80000-0x000002501DC82000-memory.dmp (Filesize: 8KB)
- memory/956-179-0x000002501DC80000-0x000002501DC82000-memory.dmp (Filesize: 8KB)
- memory/956-181-0x000002501DC80000-0x000002501DC82000-memory.dmp (Filesize: 8KB)
- memory/956-182-0x000002501DCB0000-0x000002501DCB3000-memory.dmp (Filesize: 12KB)
- memory/956-184-0x000002501DC80000-0x000002501DC82000-memory.dmp (Filesize: 8KB)
- memory/956-185-0x000002501D9F0000-0x000002501D9F6000-memory.dmp (Filesize: 24KB)
- memory/956-188-0x000002501F4F3000-0x000002501F4F5000-memory.dmp (Filesize: 8KB)
- memory/956-186-0x000002501DC80000-0x000002501DC82000-memory.dmp (Filesize: 8KB)
- memory/956-189-0x000002501F4F6000-0x000002501F4F7000-memory.dmp (Filesize: 4KB)
- memory/1336-151-0x0000029EA9676000-0x0000029EA9677000-memory.dmp (Filesize: 4KB)
- memory/1336-137-0x0000029E8F330000-0x0000029E8F332000-memory.dmp (Filesize: 8KB)
- memory/1336-139-0x0000029E8F330000-0x0000029E8F332000-memory.dmp (Filesize: 8KB)
- memory/1336-140-0x0000029E8F330000-0x0000029E8F332000-memory.dmp (Filesize: 8KB)
- memory/1336-141-0x0000029EA9880000-0x0000029EA9A6D000-memory.dmp (Filesize: 1.9MB)
- memory/1336-143-0x0000029E8F330000-0x0000029E8F332000-memory.dmp (Filesize: 8KB)
- memory/1336-144-0x0000029EA9630000-0x0000029EA9631000-memory.dmp (Filesize: 4KB)
- memory/1336-145-0x0000029E8F330000-0x0000029E8F332000-memory.dmp (Filesize: 8KB)
- memory/1336-153-0x0000029E8F330000-0x0000029E8F332000-memory.dmp (Filesize: 8KB)
- memory/1336-138-0x0000029E8F330000-0x0000029E8F332000-memory.dmp (Filesize: 8KB)
- memory/1336-149-0x0000029EA9670000-0x0000029EA9672000-memory.dmp (Filesize: 8KB)
- memory/1336-148-0x0000029E8EFC0000-0x0000029E8F1B1000-memory.dmp (Filesize: 1.9MB)
- memory/1336-150-0x0000029EA9673000-0x0000029EA9675000-memory.dmp (Filesize: 8KB)
- memory/1904-146-0x0000000000000000-mapping.dmp
- memory/2136-147-0x0000000000000000-mapping.dmp
- memory/2464-152-0x0000000000000000-mapping.dmp
- memory/2704-154-0x0000000000000000-mapping.dmp
- memory/3164-161-0x000002B92C6C0000-0x000002B92C6C2000-memory.dmp (Filesize: 8KB)
- memory/3164-167-0x000002B946AF0000-0x000002B946AF2000-memory.dmp (Filesize: 8KB)
- memory/3164-177-0x000002B92C6C0000-0x000002B92C6C2000-memory.dmp (Filesize: 8KB)
- memory/3164-158-0x000002B92C6C0000-0x000002B92C6C2000-memory.dmp (Filesize: 8KB)
- memory/3164-159-0x000002B92C6C0000-0x000002B92C6C2000-memory.dmp (Filesize: 8KB)
- memory/3164-160-0x000002B92C6C0000-0x000002B92C6C2000-memory.dmp (Filesize: 8KB)
- memory/3164-170-0x000002B92C6C0000-0x000002B92C6C2000-memory.dmp (Filesize: 8KB)
- memory/3164-164-0x000002B92C6C0000-0x000002B92C6C2000-memory.dmp (Filesize: 8KB)
- memory/3164-166-0x000002B92C6C0000-0x000002B92C6C2000-memory.dmp (Filesize: 8KB)
- memory/3164-168-0x000002B946AF3000-0x000002B946AF5000-memory.dmp (Filesize: 8KB)
- memory/3164-169-0x000002B946AF6000-0x000002B946AF7000-memory.dmp (Filesize: 4KB)
- memory/3464-131-0x0000000007FA0000-0x0000000007FA1000-memory.dmp (Filesize: 4KB)
- memory/3464-126-0x0000000007B60000-0x0000000007B61000-memory.dmp (Filesize: 4KB)
- memory/3464-133-0x0000000008AE0000-0x0000000008AE1000-memory.dmp (Filesize: 4KB)
- memory/3464-130-0x0000000007E30000-0x0000000007E31000-memory.dmp (Filesize: 4KB)
- memory/3464-118-0x0000000000ED0000-0x0000000000ED1000-memory.dmp (Filesize: 4KB)
- memory/3464-132-0x0000000007F40000-0x0000000007F41000-memory.dmp (Filesize: 4KB)
- memory/3464-129-0x0000000008C90000-0x0000000008C91000-memory.dmp (Filesize: 4KB)
- memory/3464-128-0x0000000007A00000-0x0000000007A01000-memory.dmp (Filesize: 4KB)
- memory/3464-127-0x0000000008260000-0x0000000008261000-memory.dmp (Filesize: 4KB)
- memory/3464-117-0x0000000076F80000-0x000000007710E000-memory.dmp (Filesize: 1.6MB)
- memory/3464-125-0x00000000060C0000-0x00000000060C1000-memory.dmp (Filesize: 4KB)
- memory/3464-124-0x00000000061B0000-0x00000000061B1000-memory.dmp (Filesize: 4KB)
- memory/3464-123-0x0000000006170000-0x0000000006171000-memory.dmp (Filesize: 4KB)
- memory/3464-122-0x0000000006240000-0x0000000006241000-memory.dmp (Filesize: 4KB)
- memory/3464-121-0x0000000006110000-0x0000000006111000-memory.dmp (Filesize: 4KB)
- memory/3464-120-0x00000000066E0000-0x00000000066E1000-memory.dmp (Filesize: 4KB)
- memory/5008-174-0x0000000000000000-mapping.dmp