Analysis
- max time kernel: 110s
- max time network: 156s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 16-12-2021 08:58

Static task: static1
Behavioral task: behavioral1
Sample: c436c42e07c1c93c8aeb48b35b51a4a9.exe
Resource: win7-en-20211208

General
- Target: c436c42e07c1c93c8aeb48b35b51a4a9.exe
- Size: 2.5MB
- MD5: c436c42e07c1c93c8aeb48b35b51a4a9
- SHA1: 4ecb0d749df3b76e6fd367bb8cf7fdc2b50a8b26
- SHA256: d24441e5bb3497db8f6c39a3579b1415efa467e18308f1f9dff228d721b0bdde
- SHA512: 8f825fb4799a12908c36fec6ee9c6198a139ef40da7e074df8496cd89cf0bbf1221abfea3c0ad90ca88de7a59931a16250c89490600b0dce351ca574ecd145f0
Malware Config

Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]

- Blocklisted process makes network request [1 IoC]
  Processes:
    flow | pid | process
    25 | 600 | WScript.exe

- Checks BIOS information in registry [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c436c42e07c1c93c8aeb48b35b51a4a9.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c436c42e07c1c93c8aeb48b35b51a4a9.exe

- YARA rule match: themida [4 IoCs]
  The same 6.5MB region of PID 2600 (0x01350000-0x019CD000) matched the themida rule in four successive dumps, so the sample is most likely protected with the Themida packer. Themida itself contains anti-debugging and VM-detection code, so some of the checks listed here may come from the protector rather than from the payload.
  Processes:
    resource | yara_rule
    behavioral2/memory/2600-115-0x0000000001350000-0x00000000019CD000-memory.dmp | themida
    behavioral2/memory/2600-116-0x0000000001350000-0x00000000019CD000-memory.dmp | themida
    behavioral2/memory/2600-117-0x0000000001350000-0x00000000019CD000-memory.dmp | themida
    behavioral2/memory/2600-119-0x0000000001350000-0x00000000019CD000-memory.dmp | themida

- Checks whether UAC is enabled [1 IoC]
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | c436c42e07c1c93c8aeb48b35b51a4a9.exe

- Legitimate hosting services abused for malware hosting/C2 [1 TTP]

- Looks up external IP address via web service [1 IoC]
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    8 | ip-api.com

- Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoC]
  NtSetInformationThread with ThreadInformationClass ThreadHideFromDebugger (0x11) stops a debugger from receiving events for that thread; it is a common anti-debug trick and is also used by commercial protectors such as Themida.
  Processes:
    pid | process
    2600 | c436c42e07c1c93c8aeb48b35b51a4a9.exe

- Enumerates physical storage devices [1 TTP]
  Attempts to interact with connected storage/optical drive(s). The sandbox flags this as possible ransomware behaviour; on its own it is not conclusive.

- Checks processor information in registry [2 TTPs, 2 IoCs]
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | c436c42e07c1c93c8aeb48b35b51a4a9.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | c436c42e07c1c93c8aeb48b35b51a4a9.exe

- Modifies registry class [1 IoC]
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | c436c42e07c1c93c8aeb48b35b51a4a9.exe

- Suspicious behavior: EnumeratesProcesses [2 IoCs]
  Processes:
    pid | process
    2600 | c436c42e07c1c93c8aeb48b35b51a4a9.exe (2 events)

- Suspicious use of WriteProcessMemory [6 IoCs]
  A few writes from a parent into each freshly created child are consistent with ordinary process creation rather than code injection; the notable point is that both targets are WScript.exe instances launched on dropped .vbs files (see the process tree below).
  Processes:
    description | pid | process | target process
    PID 2600 wrote to memory of 3420 | 2600 | c436c42e07c1c93c8aeb48b35b51a4a9.exe | WScript.exe (3 events)
    PID 2600 wrote to memory of 600 | 2600 | c436c42e07c1c93c8aeb48b35b51a4a9.exe | WScript.exe (3 events)
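The BIOS and processor signatures above show which registry values the sample reads; the following is an added illustration (not code recovered from the sample) of what such a check does with them, so a sandbox operator can see which values need spoofing. It reads the three values PID 2600 queried (SystemBiosVersion, VideoBiosVersion, ProcessorNameString) and searches them for hypervisor strings. The marker list and the two sample value sets are assumptions; the sample's own string list is unknown, and the ACPI-based VirtualBox check in the first signature is not reproduced here.

```python
"""Registry-based VM/sandbox fingerprinting, reconstructed for illustration.

Added example, not code recovered from the sample. It reads the three
registry values the report shows PID 2600 querying and looks for
hypervisor strings in them. The marker list is an assumption about what
such checks usually look for; the sample's own string list is unknown.
"""
import re
import sys

# Values the report shows the sample querying under HKLM (from the report).
QUERIED_VALUES = (
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System\CentralProcessor\0", "ProcessorNameString"),
)

# Hypervisor fingerprints commonly present in those values (assumption).
VM_MARKERS = re.compile(r"vbox|virtualbox|vmware|qemu|bochs|xen|hyper-?v|virtual", re.I)


def vm_indicators(values):
    """Return [(value_name, matched_marker)] for values that look virtual.

    REG_MULTI_SZ values (SystemBiosVersion usually is one) arrive as lists;
    missing values (None) are skipped.
    """
    hits = []
    for name, data in values.items():
        if data is None:
            continue
        if isinstance(data, (list, tuple)):
            data = " ".join(data)
        m = VM_MARKERS.search(data)
        if m:
            hits.append((name, m.group(0)))
    return hits


def read_registry_values():
    """Read the three values from the live registry (Windows only, else None)."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    out = {}
    for subkey, value_name in QUERIED_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                out[value_name] = winreg.QueryValueEx(key, value_name)[0]
        except OSError:
            out[value_name] = None
    return out


# Constructed inputs so the check can be exercised offline (assumed values).
SAMPLE_VBOX = {
    "SystemBiosVersion": ["VBOX   - 1"],
    "VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1 - VBE 3.0"],
    "ProcessorNameString": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
}
SAMPLE_BARE_METAL = {
    "SystemBiosVersion": ["LENOVO - 1300", "N2HET45W (1.28 )"],
    "VideoBiosVersion": None,
    "ProcessorNameString": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
}

if __name__ == "__main__":
    live = read_registry_values()
    for label, vals in (("vbox", SAMPLE_VBOX), ("bare", SAMPLE_BARE_METAL), ("live", live)):
        if vals is not None:
            print(label, vm_indicators(vals))
```

Run on a VirtualBox guest, the live read typically reports hits on SystemBiosVersion and VideoBiosVersion even when the CPU string is clean; a sandbox that only patches ProcessorNameString therefore still fails this check. The word "virtual" is a deliberately broad marker and can false-positive on legitimate hardware strings, which is acceptable for an evasion check but not for a detection rule.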
Processes
- C:\Users\Admin\AppData\Local\Temp\c436c42e07c1c93c8aeb48b35b51a4a9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c436c42e07c1c93c8aeb48b35b51a4a9.exe"
  PID: 2600
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rfndknntro.vbs"
    PID: 3420
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\imihdkl.vbs"
    PID: 600
    - Blocklisted process makes network request

The command lines name C:\Windows\System32\WScript.exe but the image actually loaded is C:\Windows\SysWOW64\WScript.exe: the sample is a 32-bit process, so WoW64 file-system redirection maps System32 to SysWOW64 for it. Both .vbs files are dropped to the user's Temp directory and appear in the Downloads list below.
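The chain above (a binary in the user's Temp directory spawning WScript.exe on dropped .vbs files, one of which then resolves ip-api.com) is the part of this report that is cheapest to turn into host telemetry detection. The following is an added example, not part of the report: two rules run over constructed Sysmon-style events (ID 1 process creation, ID 22 DNS query) that are hand-built to mirror the process tree and the ip-api.com lookup. The parent PIDs for explorer.exe, the extra IP-lookup domains and the benign logon-script event are assumptions added for contrast.

```python
"""Detection logic for the chain shown in this report, run over constructed
Sysmon-style events (ID 1 = process create, ID 22 = DNS query).

Added example, not part of the report. The events are hand-built to mirror
the process tree and the ip-api.com lookup; the extra IP-lookup domains and
the benign WScript.exe event are assumptions included for contrast.
"""
import re

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
TEMP_VBS = re.compile(r'\\AppData\\Local\\Temp\\[^"]+\.vbs', re.I)
SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
# ip-api.com is the service observed in this report; the others are assumptions.
IP_LOOKUP_DOMAINS = {"ip-api.com", "api.ipify.org", "ipinfo.io", "icanhazip.com"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c436c42e07c1c93c8aeb48b35b51a4a9.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"

# Constructed events mirroring the report (PIDs 2600, 3420 and 600 are the
# report's; parent PIDs 1234/900 and the explorer.exe parent are assumed).
EVENTS = [
    {"event_id": 1, "pid": 2600, "parent_pid": 1234, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe", "command_line": f'"{SAMPLE}"'},
    {"event_id": 1, "pid": 3420, "parent_pid": 2600, "image": WSCRIPT, "parent_image": SAMPLE,
     "command_line": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rfndknntro.vbs"'},
    {"event_id": 1, "pid": 600, "parent_pid": 2600, "image": WSCRIPT, "parent_image": SAMPLE,
     "command_line": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\imihdkl.vbs"'},
    {"event_id": 22, "pid": 600, "image": WSCRIPT, "query_name": "ip-api.com"},
    # Benign logon script for contrast (constructed): not from Temp, so no finding.
    {"event_id": 1, "pid": 4100, "parent_pid": 900, "image": WSCRIPT,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\WScript.exe" "C:\Scripts\logon.vbs"'},
]


def detect(events):
    """Return findings as (rule, pid, ancestor_in_temp) tuples, in event order."""
    procs = {e["pid"]: e for e in events if e["event_id"] == 1}

    def lineage(pid):
        # Walk parent pointers through the process-create events we have seen.
        seen = set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            yield procs[pid]
            pid = procs[pid]["parent_pid"]

    findings = []
    for e in events:
        if (e["event_id"] == 1 and SCRIPT_HOST.search(e["image"])
                and TEMP_VBS.search(e["command_line"])):
            # Script host executing a .vbs from the user's Temp directory;
            # the third field records whether the parent itself lives in Temp.
            findings.append(("script_host_temp_vbs", e["pid"],
                             bool(TEMP_DIR.search(e["parent_image"]))))
        elif e["event_id"] == 22 and e["query_name"].lower() in IP_LOOKUP_DOMAINS:
            # External-IP lookup; flag whether any ancestor ran from Temp.
            from_temp = any(TEMP_DIR.search(p["image"]) for p in lineage(e["pid"]))
            findings.append(("ip_lookup_dns", e["pid"], from_temp))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The third field in each finding is what separates this from noise: WScript.exe running a Temp .vbs is already unusual, and an ip-api.com lookup whose lineage leads back to a Temp binary is a strong pairing. If the process-create event for PID 2600 is missing (log rollover, late sensor start), the DNS rule still fires but with the lineage flag false, which is the expected degradation.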
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
  MD5: 54e9306f95f32e50ccd58af19753d929
  SHA1: eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
  SHA256: 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
  SHA512: 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
  MD5: ef4d27f7f766985edcd314472851cec9
  SHA1: 6574dd1e7ffcc517c2b571d666a008a21c949b7a
  SHA256: 8c2ee0a065d57e81c5a7feffe77f5c732f5b7d7ddf82f521dd1887821ffc59f4
  SHA512: 6d53cb934dd0f1187834b01999f4db495db6256e90d0926a9165ab4ab34c7907d6265c6a1f7134bc8ff1ace538e1786ece1339fd01e8a8d9e017acc7e5451e1a
- C:\Users\Admin\AppData\Local\Temp\imihdkl.vbs
  MD5: 628498cdb3f98fd550262e45d1782ac6
  SHA1: b1d552c862949fc0615f18c511b7ab2c950c4e97
  SHA256: 6d444fc4409d8875ad323bb559d882a38c0c60732a19e6aff67cd85c9623dad6
  SHA512: 5819f86994a9dff9b62dda6dfec53875e3006705f57655df0958dc36589578ecbaf2df2c5c8c3a2b78310016250ea46b1e37f3a9dfbf7b788e3f18db2db42c72
- C:\Users\Admin\AppData\Local\Temp\rfndknntro.vbs
  MD5: d674f55811058c3c4e10bbb232de90c9
  SHA1: ad8e25233ace21e1bf8aaf7c58d8387b83222a5c
  SHA256: d4723fa19a526f827985b2ea0768093af0ecae1e8d1c051bd11f150567623d7f
  SHA512: f0f492f88231321b161ef377dbfb01f9958aa430b24a4bcd6aae9fd6a1b7c9c1c284df6747a1ffde3205c56a372728ccd90bdffa7d8dbfcf9fc319c07a77ebe5

The two CryptnetUrlCache entries are written by the Windows CryptoAPI when it fetches certificate data (CRLs, OCSP responses, intermediate certificates) over the network and are not necessarily sample-specific; the two .vbs files are the dropped scripts executed by the WScript.exe children in the process tree and are the artefacts worth hashing and hunting for.

Memory dumps
- memory/600-122-0x0000000000000000-mapping.dmp
- memory/2600-115-0x0000000001350000-0x00000000019CD000-memory.dmp (6.5MB)
- memory/2600-116-0x0000000001350000-0x00000000019CD000-memory.dmp (6.5MB)
- memory/2600-118-0x00000000775A0000-0x000000007772E000-memory.dmp (1.6MB)
- memory/2600-117-0x0000000001350000-0x00000000019CD000-memory.dmp (6.5MB)
- memory/2600-119-0x0000000001350000-0x00000000019CD000-memory.dmp (6.5MB)
- memory/3420-120-0x0000000000000000-mapping.dmp

The four 6.5MB dumps are the same region of PID 2600 captured at different points and are the ones that matched the themida YARA rule.