Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 21-10-2021 12:27
Static task: static1
Behavioral task: behavioral1 (sample installer.exe, resource win7-ja-20211014)
Behavioral task: behavioral2 (sample installer.exe, resource win7-en-20211014)
Behavioral task: behavioral3 (sample installer.exe, resource win7-de-20210920)
Behavioral task: behavioral4 (sample installer.exe, resource win11)
Behavioral task: behavioral5 (sample installer.exe, resource win10-ja-20211014)
Behavioral task: behavioral6 (sample installer.exe, resource win10-en-20211014)
General
- Target: installer.exe
- Size: 2.7MB
- MD5: a9a3893285e274d60a9bb5b85f4dfcc4
- SHA1: 960237e74a28393b0f906a46acffdb4d6160b763
- SHA256: 51e9ccfd1c8ae13270052947f8dc6e3386c585bf733228a8dc0e028e1c31223f
- SHA512: b22237255cdcca7c9cdd1dd0664368a967b09ad672f57beb96891ab6abfd6bf4c2d7161f1f9e9bc468539811494c8fc1c6d6417c0b339c22fc90769addfa3bc0
Malware Config
Signatures
- YARA rule matches: evasion (signature title not present in the extracted page)
  Processes:
    resource                                                                    yara_rule
    behavioral2/memory/556-56-0x0000000000ED0000-0x00000000015BE000-memory.dmp  evasion
    behavioral2/memory/556-57-0x0000000000ED0000-0x00000000015BE000-memory.dmp  evasion
    behavioral2/memory/556-58-0x0000000000ED0000-0x00000000015BE000-memory.dmp  evasion
    behavioral2/memory/556-59-0x0000000000ED0000-0x00000000015BE000-memory.dmp  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  installer.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   installer.exe
- Deletes itself (1 IoCs)
  Processes:
    pid   process
    1368  cmd.exe
- YARA rule matches: themida (signature title not present in the extracted page)
  Processes:
    resource                                                                    yara_rule
    behavioral2/memory/556-56-0x0000000000ED0000-0x00000000015BE000-memory.dmp  themida
    behavioral2/memory/556-57-0x0000000000ED0000-0x00000000015BE000-memory.dmp  themida
    behavioral2/memory/556-58-0x0000000000ED0000-0x00000000015BE000-memory.dmp  themida
    behavioral2/memory/556-59-0x0000000000ED0000-0x00000000015BE000-memory.dmp  themida
- Checks whether UAC is enabled (title taken from the process tree below; not present at this point in the extracted page)
  Processes:
    description        ioc                                                                                   process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  installer.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
    pid  process
    556  installer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                                  process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      installer.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  installer.exe
- Delays execution with timeout.exe (1 IoCs)
  Processes:
    pid   process
    1372  timeout.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid  process
    556  installer.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                       pid   process        target process
    PID 556 wrote to memory of 1368   556   installer.exe  cmd.exe
    PID 556 wrote to memory of 1368   556   installer.exe  cmd.exe
    PID 556 wrote to memory of 1368   556   installer.exe  cmd.exe
    PID 556 wrote to memory of 1368   556   installer.exe  cmd.exe
    PID 1368 wrote to memory of 1372  1368  cmd.exe        timeout.exe
    PID 1368 wrote to memory of 1372  1368  cmd.exe        timeout.exe
    PID 1368 wrote to memory of 1372  1368  cmd.exe        timeout.exe
    PID 1368 wrote to memory of 1372  1368  cmd.exe        timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\installer.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\installer.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\vcLCWcNDn & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\installer.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (depth 3)
      Command line: timeout 4
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/556-55-0x0000000076081000-0x0000000076083000-memory.dmp (Filesize: 8KB)
- memory/556-56-0x0000000000ED0000-0x00000000015BE000-memory.dmp (Filesize: 6.9MB)
- memory/556-57-0x0000000000ED0000-0x00000000015BE000-memory.dmp (Filesize: 6.9MB)
- memory/556-58-0x0000000000ED0000-0x00000000015BE000-memory.dmp (Filesize: 6.9MB)
- memory/556-59-0x0000000000ED0000-0x00000000015BE000-memory.dmp (Filesize: 6.9MB)
- memory/1368-60-0x0000000000000000-mapping.dmp
- memory/1372-61-0x0000000000000000-mapping.dmp