Analysis
-
max time kernel
125s -
max time network
127s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
29-12-2021 14:04
Static task
static1
Behavioral task
behavioral1
Sample
file_2.exe
Resource
win7-en-20211208
General
-
Target
file_2.exe
-
Size
2.5MB
-
MD5
9176db54f9eec97d7900bb5e5aa97d62
-
SHA1
d58d81ee1e2eb302f8c059e3f02a2c1b3a880889
-
SHA256
192ea5280a05d8d5fb39c4834befe628a396e4cd5a898ebb3967466b4295774f
-
SHA512
aa38e8b75cfcca6fd1989717510d6ce04847fd492c8da236dbb11a4cd9ee14539d5955acd43b98ccbcd2c49dea33b38ffd02d306109cb76861ea2d4c94d55769
Malware Config
Extracted
cryptbot
hevahu32.top
morypd03.top
-
payload_url
http://kyrpbr04.top/download.php?file=orrery.exe
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
file_2.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file_2.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral2/memory/2564-115-0x00000000001E0000-0x000000000086A000-memory.dmp themida behavioral2/memory/2564-117-0x00000000001E0000-0x000000000086A000-memory.dmp themida behavioral2/memory/2564-118-0x00000000001E0000-0x000000000086A000-memory.dmp themida behavioral2/memory/2564-119-0x00000000001E0000-0x000000000086A000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
file_2.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA file_2.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
file_2.exepid process 2564 file_2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
file_2.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 file_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString file_2.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
file_2.exepid process 2564 file_2.exe 2564 file_2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file_2.exe"C:\Users\Admin\AppData\Local\Temp\file_2.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2564-116-0x00000000773B0000-0x000000007753E000-memory.dmpFilesize
1.6MB
-
memory/2564-115-0x00000000001E0000-0x000000000086A000-memory.dmpFilesize
6.5MB
-
memory/2564-117-0x00000000001E0000-0x000000000086A000-memory.dmpFilesize
6.5MB
-
memory/2564-118-0x00000000001E0000-0x000000000086A000-memory.dmpFilesize
6.5MB
-
memory/2564-119-0x00000000001E0000-0x000000000086A000-memory.dmpFilesize
6.5MB