Analysis

max time kernel: 119s
max time network: 124s
platform: windows10_x64
resource: win10-en-20211208
submitted: 29-12-2021 17:54

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe
Resource: win7-en-20211208
General

Target: SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe
Size: 2.5MB
MD5: 9176db54f9eec97d7900bb5e5aa97d62
SHA1: d58d81ee1e2eb302f8c059e3f02a2c1b3a880889
SHA256: 192ea5280a05d8d5fb39c4834befe628a396e4cd5a898ebb3967466b4295774f
SHA512: aa38e8b75cfcca6fd1989717510d6ce04847fd492c8da236dbb11a4cd9ee14539d5955acd43b98ccbcd2c49dea33b38ffd02d306109cb76861ea2d4c94d55769
Malware Config

Extracted family: cryptbot
C2 domains:
- hevahu32.top
- morypd03.top
payload_url: http://kyrpbr04.top/download.php?file=orrery.exe
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
1476  File.exe
1100  DpEditor.exe
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                               process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  DpEditor.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   DpEditor.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  File.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   File.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
YARA rule `themida` matches (Themida-packed code) 16 IoCs
The same packer rule fires on the dropped File.exe, on DpEditor.exe and on the memory dumps of all three processes, which is why the unpacked code only shows up in the memory dumps listed under Downloads.
Processes:
resource                                                                        yara_rule
behavioral2/memory/2504-115-0x00000000011E0000-0x000000000186A000-memory.dmp    themida
behavioral2/memory/2504-116-0x00000000011E0000-0x000000000186A000-memory.dmp    themida
behavioral2/memory/2504-117-0x00000000011E0000-0x000000000186A000-memory.dmp    themida
behavioral2/memory/2504-118-0x00000000011E0000-0x000000000186A000-memory.dmp    themida
C:\Users\Admin\AppData\Local\Temp\File.exe                                      themida
C:\Users\Admin\AppData\Local\Temp\File.exe                                      themida
behavioral2/memory/1476-138-0x0000000001000000-0x00000000016F0000-memory.dmp    themida
behavioral2/memory/1476-139-0x0000000001000000-0x00000000016F0000-memory.dmp    themida
behavioral2/memory/1476-141-0x0000000001000000-0x00000000016F0000-memory.dmp    themida
behavioral2/memory/1476-142-0x0000000001000000-0x00000000016F0000-memory.dmp    themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe                themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe                themida
behavioral2/memory/1100-147-0x0000000000FB0000-0x00000000016A0000-memory.dmp    themida
behavioral2/memory/1100-148-0x0000000000FB0000-0x00000000016A0000-memory.dmp    themida
behavioral2/memory/1100-149-0x0000000000FB0000-0x00000000016A0000-memory.dmp    themida
behavioral2/memory/1100-151-0x0000000000FB0000-0x00000000016A0000-memory.dmp    themida
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 3 IoCs
Each of the three processes reads EnableLUA before doing anything else of note; together with the BIOS and processor reads this is the usual host-profiling step of a stealer.
Processes:
description        ioc                                                                                 process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  File.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DpEditor.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
pid   process
2504  SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe
1476  File.exe
1100  DpEditor.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour, but nothing else in this report (no file encryption, no ransom note) supports that; for a stealer that also stages a SYSTEM~1.TXT / _INFOR~1.TXT file, drive enumeration is more plausibly part of host profiling.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                            process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0               SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid   process
4064  timeout.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
DpEditor.exe registers to be notified of every clipboard change.
Processes:
pid   process
1100  DpEditor.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid   process
2504  SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe
2504  SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe
1476  File.exe
1476  File.exe
1100  DpEditor.exe
1100  DpEditor.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Every parent writes exactly three times into each child it has just created, which is the pattern process creation itself produces; on its own this signature does not show injection into an already running process.
Processes:
description                  pid   process                                              target process
PID 2504 wrote to memory of  1476  SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe   File.exe
PID 2504 wrote to memory of  1476  SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe   File.exe
PID 2504 wrote to memory of  1476  SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe   File.exe
PID 2504 wrote to memory of  2172  SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe   cmd.exe
PID 2504 wrote to memory of  2172  SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe   cmd.exe
PID 2504 wrote to memory of  2172  SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe   cmd.exe
PID 2172 wrote to memory of  4064  cmd.exe                                              timeout.exe
PID 2172 wrote to memory of  4064  cmd.exe                                              timeout.exe
PID 2172 wrote to memory of  4064  cmd.exe                                              timeout.exe
PID 1476 wrote to memory of  1100  File.exe                                             DpEditor.exe
PID 1476 wrote to memory of  1100  File.exe                                             DpEditor.exe
PID 1476 wrote to memory of  1100  File.exe                                             DpEditor.exe
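Each of the registry reads above is harmless on its own (inventory tools read SystemBiosVersion too); what gives the sample away is that every process reads BIOS, UAC and, for the parent, processor values back to back. The Python below is an added example, not part of the sandbox report or of any vendor tooling: it parses rows in the report's own "<operation> <path> <process>" form, tags each probed value by what it reveals, and flags a process once it has read two or more distinct categories. The rows are the eleven registry IoCs from this report plus two constructed benign rows (explorer.exe, msinfo32.exe) that the threshold must not fire on; the tag names and the threshold of two are my assumptions.

```python
import re

# Registry values whose read is a classic VM/sandbox or UAC probe, in the
# \REGISTRY\MACHINE form the sandbox report uses, tagged by what they reveal.
# (Tag names are an assumption made for this example.)
EVASION_PROBES = {
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "bios",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "bios",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString": "cpu",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": "uac",
}

# "<operation> <path> <process>" rows. The first eleven are the registry IoCs
# from this report; the last two are constructed benign rows that the scorer
# must not flag (a single probe is normal for inventory tools).
REPORT_ROWS = r"""
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DpEditor.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion DpEditor.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion File.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion File.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA File.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DpEditor.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName explorer.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion msinfo32.exe
"""

# Non-greedy path followed by the final whitespace-free token (the process),
# so registry paths containing spaces ("Windows NT") still parse.
ROW_RE = re.compile(r"^(Key value queried|Key opened)\s+(.+?)\s+(\S+)$")


def parse_rows(text):
    """Yield (operation, registry_path, process) for each well-formed row."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def score_processes(text, min_tags=2):
    """Map each process to the probe categories it read and whether that
    combination crosses the threshold. Only value reads count: opening the
    parent key (CentralProcessor\\0) without reading a probed value is ignored,
    so a process is still listed but gains no tag from it."""
    tags = {}
    for op, path, proc in parse_rows(text):
        tags.setdefault(proc, set())
        if op == "Key value queried" and path in EVASION_PROBES:
            tags[proc].add(EVASION_PROBES[path])
    return {
        proc: {"tags": sorted(t), "flagged": len(t) >= min_tags}
        for proc, t in tags.items()
    }


if __name__ == "__main__":
    for proc, verdict in score_processes(REPORT_ROWS).items():
        mark = "FLAG" if verdict["flagged"] else "    "
        print(f"{mark} {proc:55} {','.join(verdict['tags'])}")
```

Run stand-alone it prints one line per process; the three sample processes are flagged (the parent with bios, cpu and uac, the two dropped copies with bios and uac) while explorer.exe and msinfo32.exe are not. The same scorer can be fed rows from several reports at once, since the process name is the grouping key.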
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe (depth 1, PID 2504)
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\File.exe (depth 2, PID 1476)
    command line: "C:\Users\Admin\AppData\Local\Temp\File.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (depth 3, PID 1100)
      command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
  -
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2172)
    command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\TIyYjgiFrdan & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe"
    This is the cleanup chain: it removes the staging directory that held the collected browser data, waits four seconds so the parent can exit, then deletes the original sample from disk. The image path is SysWOW64 because the 32-bit parent's request for system32 is redirected by WOW64.
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\timeout.exe (depth 3, PID 4064)
      command line: timeout 4
      - Delays execution with timeout.exe
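The cmd.exe line in the process tree is the one durable artefact of this run that survives the sample's own cleanup, because process-creation telemetry records the command line before the files disappear. The Python below is an added example and not part of the report: it splits a cmd.exe /c payload on its & separators (respecting quotes), classifies each stage as a directory removal, a delay or a file deletion, and reports a self-delete when a del target has the same basename as the process that spawned cmd.exe. The sample command line is copied from this report; the stage regexes and the field names of the result are my assumptions.

```python
import ntpath
import re

# cmd.exe command line recorded in this report's process tree (depth 2).
SAMPLE_CMDLINE = (
    r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\TIyYjgiFrdan'
    r' & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe"'
)
# Image of the process that spawned cmd.exe (PID 2504 in the report).
SAMPLE_PARENT = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.398819.656.20146.exe"

# One regex per stage type we care about; flags are optional and case-insensitive.
STAGE_RE = {
    "rd": re.compile(r"^(?:rd|rmdir)\s+(?P<flags>(?:/[sq]\s+)*)(?P<target>.+)$", re.I),
    "timeout": re.compile(r"^timeout\s+(?:/t\s+)?(?P<secs>\d+)", re.I),
    "del": re.compile(r"^(?:del|erase)\s+(?P<flags>(?:/[fqa]\S*\s+)*)(?P<target>.+)$", re.I),
}


def split_cmd_payload(cmdline):
    """Return the commands cmd.exe runs for '... /c <cmd> & <cmd> && <cmd>'.
    Splits on & and && outside double quotes; returns [] without a /c payload."""
    m = re.search(r"\s/[cC]\s+(.*)$", cmdline)
    if not m:
        return []
    payload = m.group(1)
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(payload):
        ch = payload[i]
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "&" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
            if payload[i + 1:i + 2] == "&":  # treat && like &
                i += 1
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def analyse_cleanup(cmdline, parent_image):
    """Classify the stages of a cmd.exe payload and decide whether it is the
    'wipe staging dir, wait, delete self' pattern."""
    result = {"removed_dirs": [], "delay_seconds": None, "deleted_files": [],
              "self_delete": False, "cleanup_pattern": False}
    for cmd in split_cmd_payload(cmdline):
        if m := STAGE_RE["rd"].match(cmd):
            result["removed_dirs"].append(m["target"].strip().strip('"'))
        elif m := STAGE_RE["timeout"].match(cmd):
            result["delay_seconds"] = int(m["secs"])
        elif m := STAGE_RE["del"].match(cmd):
            result["deleted_files"].append(m["target"].strip().strip('"'))
    parent = ntpath.basename(parent_image).lower()
    result["self_delete"] = any(
        ntpath.basename(f).lower() == parent for f in result["deleted_files"])
    result["cleanup_pattern"] = result["self_delete"] and bool(result["removed_dirs"])
    return result


if __name__ == "__main__":
    for key, value in analyse_cleanup(SAMPLE_CMDLINE, SAMPLE_PARENT).items():
        print(f"{key:16} {value}")
```

For the report's command line this yields the staging directory TIyYjgiFrdan as the removed directory, a four-second delay, and a self-delete of the sample, so cleanup_pattern is true. Fed Sysmon or EDR process-creation events, the parent image is the ParentImage field; matching on the basename rather than the full path keeps the check working when the sample was copied before running.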
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5    6f4c94326104917216f67d8511b58e76
SHA1   2cece96508040c197e778832ff4df1768b87479f
SHA256 5d78b8a09809b8d1b9974a27b55c9c71ce2aa8cc6846ba5cb9115b8ce44a14cf
SHA512 c51bf945e1435c6aab82544fb80854f00823bbc57d78b045da6ec70a9c44e9269f9080f85465fe6a10f69052c2a17f126dd75efd376c7ee169f5d9af4a9e9969
-
The following entries are the staging directory the cmd.exe chain later removes. The _Files and files_ trees hold byte-identical copies (same hashes) of the collected Chrome databases, the system-information text file and the screenshot; the two .ZIP files are the packed collections.
-
C:\Users\Admin\AppData\Local\Temp\TIyYjgiFrdan\FTGDQJ~1.ZIP
MD5    9797ab642ebda6ef725dbb0a6d5be1ab
SHA1   980cd5629ec168988c93030e3034c5277cab94ad
SHA256 0a9d9e44d658822c1a870f7e0c68261a3e593a62f19b7a10676d89a3cc15a7bf
SHA512 562856587995b98e654ff9c7bb96979a82c1c879530d0c5a4657e59e2f25a21ef3d586ca4bd51b4b628194786709b67f76f1e341d56a7589b19cbcd1a9ad4563
-
C:\Users\Admin\AppData\Local\Temp\TIyYjgiFrdan\WWIJWZ~1.ZIP
MD5    6610fd4c291e4472306f28bd13d23742
SHA1   8a04eb9fcf6ca1efd8a08ab8210659e09068cd76
SHA256 f5ad0b082dbee6e183b3f444ad4ee099a688c43c42f8473701c87ed804420ab8
SHA512 44092ef80c7188f4f5ece319d30ea4d3ca2a0aacb8b8adc6c6da41ac8ce3cbb24d18ae8e5423f11f4efc6f8968365354bb8d7792a677caf46435abab58a6abaf
-
C:\Users\Admin\AppData\Local\Temp\TIyYjgiFrdan\_Files\_Chrome\DEFAUL~1.BIN
MD5    f4b8e6e7ca32ed5ab1653cc327475cc0
SHA1   e7c30740b8cc28534d398ff4036e0cc6649619ce
SHA256 34abcff7dd7e3157dc78b58d9fc7ce57be556a550bcc6a2b2257c9b08107cbe2
SHA512 edc72a374b28b984d8d3ced5a27ddb1a91e843ab873f7b700eecea87c0dfea961359f7931ea127ee2b8edc2602968795c6b9f121622dffca23241736c44d8ae2
-
C:\Users\Admin\AppData\Local\Temp\TIyYjgiFrdan\_Files\_Chrome\DEFAUL~1.DB
MD5    b608d407fc15adea97c26936bc6f03f6
SHA1   953e7420801c76393902c0d6bb56148947e41571
SHA256 b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512 cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\TIyYjgiFrdan\_Files\_Chrome\DEFAUL~2.DB
MD5    055c8c5c47424f3c2e7a6fc2ee904032
SHA1   5952781d22cff35d94861fac25d89a39af6d0a87
SHA256 531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a
SHA512 c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a
-
C:\Users\Admin\AppData\Local\Temp\TIyYjgiFrdan\_Files\_Chrome\DEFAUL~3.DB
MD5    8ee018331e95a610680a789192a9d362
SHA1   e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9
SHA256 94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575
SHA512 4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4
-
C:\Users\Admin\AppData\Local\Temp\TIyYjgiFrdan\_Files\_INFOR~1.TXT
MD5    79471d2d739b02ef2b2bb9257e86a461
SHA1   0a6c9bf8c47228aff0b467598e17f45f43e8c7c9
SHA256 0799b8b99a34bc040b0e155569a05c78e7f90c80bcc92a6591ec359d929c7150
SHA512 b0fdd231236a843efac22e49d4e654a85e04dc8f14c2478b5e40924f561aef988530b45bff239cfad16c9da53d562336fcf176228e9663b3b2be5da18a5af00c
-
C:\Users\Admin\AppData\Local\Temp\TIyYjgiFrdan\_Files\_SCREE~1.JPE
MD5    a04f75fc317cec7e8ca804b854bc37c0
SHA1   f4b19fafa16bc1669cf12d6010e61041f4afb5aa
SHA256 262c01578e103269f424167632c05fec710932f82cddcb325e9a02c3c1a2e084
SHA512 6e07285ff2fb733e409a4903359fc4354127a5e90631499c286b66b62302d00d620403bf1ef23ba2bbffe84386edd7182e302636da8fb3044ed14f309e9b9aa4
-
C:\Users\Admin\AppData\Local\Temp\TIyYjgiFrdan\files_\SCREEN~1.JPG
MD5    a04f75fc317cec7e8ca804b854bc37c0
SHA1   f4b19fafa16bc1669cf12d6010e61041f4afb5aa
SHA256 262c01578e103269f424167632c05fec710932f82cddcb325e9a02c3c1a2e084
SHA512 6e07285ff2fb733e409a4903359fc4354127a5e90631499c286b66b62302d00d620403bf1ef23ba2bbffe84386edd7182e302636da8fb3044ed14f309e9b9aa4
-
C:\Users\Admin\AppData\Local\Temp\TIyYjgiFrdan\files_\SYSTEM~1.TXT
MD5    79471d2d739b02ef2b2bb9257e86a461
SHA1   0a6c9bf8c47228aff0b467598e17f45f43e8c7c9
SHA256 0799b8b99a34bc040b0e155569a05c78e7f90c80bcc92a6591ec359d929c7150
SHA512 b0fdd231236a843efac22e49d4e654a85e04dc8f14c2478b5e40924f561aef988530b45bff239cfad16c9da53d562336fcf176228e9663b3b2be5da18a5af00c
-
C:\Users\Admin\AppData\Local\Temp\TIyYjgiFrdan\files_\_Chrome\DEFAUL~1.BIN
MD5    f4b8e6e7ca32ed5ab1653cc327475cc0
SHA1   e7c30740b8cc28534d398ff4036e0cc6649619ce
SHA256 34abcff7dd7e3157dc78b58d9fc7ce57be556a550bcc6a2b2257c9b08107cbe2
SHA512 edc72a374b28b984d8d3ced5a27ddb1a91e843ab873f7b700eecea87c0dfea961359f7931ea127ee2b8edc2602968795c6b9f121622dffca23241736c44d8ae2
-
C:\Users\Admin\AppData\Local\Temp\TIyYjgiFrdan\files_\_Chrome\DEFAUL~1.DB
MD5    b608d407fc15adea97c26936bc6f03f6
SHA1   953e7420801c76393902c0d6bb56148947e41571
SHA256 b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512 cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\TIyYjgiFrdan\files_\_Chrome\DEFAUL~2.DB
MD5    055c8c5c47424f3c2e7a6fc2ee904032
SHA1   5952781d22cff35d94861fac25d89a39af6d0a87
SHA256 531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a
SHA512 c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a
-
C:\Users\Admin\AppData\Local\Temp\TIyYjgiFrdan\files_\_Chrome\DEFAUL~3.DB
MD5    8ee018331e95a610680a789192a9d362
SHA1   e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9
SHA256 94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575
SHA512 4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
(identical hashes to C:\Users\Admin\AppData\Local\Temp\File.exe: File.exe copies itself under a legitimate-looking NCH Software\DrawPad path in AppData\Roaming and re-executes from there)
MD5    6f4c94326104917216f67d8511b58e76
SHA1   2cece96508040c197e778832ff4df1768b87479f
SHA256 5d78b8a09809b8d1b9974a27b55c9c71ce2aa8cc6846ba5cb9115b8ce44a14cf
SHA512 c51bf945e1435c6aab82544fb80854f00823bbc57d78b045da6ec70a9c44e9269f9080f85465fe6a10f69052c2a17f126dd75efd376c7ee169f5d9af4a9e9969
-
memory/1100-147-0x0000000000FB0000-0x00000000016A0000-memory.dmp
Filesize 6.9MB
-
memory/1100-148-0x0000000000FB0000-0x00000000016A0000-memory.dmp
Filesize 6.9MB
-
memory/1100-144-0x0000000000000000-mapping.dmp
-
memory/1100-150-0x0000000077300000-0x000000007748E000-memory.dmp
Filesize 1.6MB
-
memory/1100-149-0x0000000000FB0000-0x00000000016A0000-memory.dmp
Filesize 6.9MB
-
memory/1100-151-0x0000000000FB0000-0x00000000016A0000-memory.dmp
Filesize 6.9MB
-
memory/1476-138-0x0000000001000000-0x00000000016F0000-memory.dmp
Filesize 6.9MB
-
memory/1476-141-0x0000000001000000-0x00000000016F0000-memory.dmp
Filesize 6.9MB
-
memory/1476-142-0x0000000001000000-0x00000000016F0000-memory.dmp
Filesize 6.9MB
-
memory/1476-143-0x0000000077300000-0x000000007748E000-memory.dmp
Filesize 1.6MB
-
memory/1476-139-0x0000000001000000-0x00000000016F0000-memory.dmp
Filesize 6.9MB
-
memory/1476-120-0x0000000000000000-mapping.dmp
-
memory/2172-123-0x0000000000000000-mapping.dmp
-
memory/2504-115-0x00000000011E0000-0x000000000186A000-memory.dmp
Filesize 6.5MB
-
memory/2504-119-0x0000000077300000-0x000000007748E000-memory.dmp
Filesize 1.6MB
-
memory/2504-118-0x00000000011E0000-0x000000000186A000-memory.dmp
Filesize 6.5MB
-
memory/2504-117-0x00000000011E0000-0x000000000186A000-memory.dmp
Filesize 6.5MB
-
memory/2504-116-0x00000000011E0000-0x000000000186A000-memory.dmp
Filesize 6.5MB
-
memory/4064-140-0x0000000000000000-mapping.dmp