Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 13-01-2022 10:17

Static task: static1
Behavioral task: behavioral1
- Sample: Biil_Clinton_1.exe
- Resource: win7-en-20211208
General
- Target: Biil_Clinton_1.exe
- Size: 5.7MB
- MD5: 8e1e2c2714753ce09285b4c418a0a5ab
- SHA1: 7a570ef7bb007f9e28c7c0ec3d1bc3e82f12626f
- SHA256: 13e8c1d2caddf547574089830035c34438b4daebc9e83cb531079eacae5972ca
- SHA512: 68a62e9d65dd75c130ae110428d0723d4ba8f0851dc511bdfc46bb6b5ebc3112e082cfa7d9dcc1f78abd5ac33ba52a01b975889f8b125cc6e4c416845084a36d
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  - 396 services.exe
  - 1100 sihost64.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Biil_Clinton_1.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Biil_Clinton_1.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (services.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (services.exe)
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
  - 1104 cmd.exe
  - 396 services.exe
- YARA rule matches (resource / yara_rule):
  - behavioral1/memory/1660-55-0x0000000000400000-0x0000000000F36000-memory.dmp: themida
  - \Users\Admin\AppData\Roaming\Microsoft\services.exe: themida
  - C:\Users\Admin\AppData\Roaming\Microsoft\services.exe: themida
  - C:\Users\Admin\AppData\Roaming\Microsoft\services.exe: themida
  - behavioral1/memory/396-70-0x0000000000400000-0x0000000000F36000-memory.dmp: themida
- Checks whether UAC is enabled
  Processes (description / ioc / process):
  - Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Biil_Clinton_1.exe)
  - Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (services.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid / process):
  - 1660 Biil_Clinton_1.exe
  - 396 services.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 1660 Biil_Clinton_1.exe
  - 396 services.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 1660 Biil_Clinton_1.exe
  - Token: SeDebugPrivilege, 396 services.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes (description / pid / process / target process):
  - PID 1660 wrote to memory of 1488: 1660 Biil_Clinton_1.exe -> cmd.exe
  - PID 1660 wrote to memory of 1488: 1660 Biil_Clinton_1.exe -> cmd.exe
  - PID 1660 wrote to memory of 1488: 1660 Biil_Clinton_1.exe -> cmd.exe
  - PID 1488 wrote to memory of 1900: 1488 cmd.exe -> schtasks.exe
  - PID 1488 wrote to memory of 1900: 1488 cmd.exe -> schtasks.exe
  - PID 1488 wrote to memory of 1900: 1488 cmd.exe -> schtasks.exe
  - PID 1660 wrote to memory of 1104: 1660 Biil_Clinton_1.exe -> cmd.exe
  - PID 1660 wrote to memory of 1104: 1660 Biil_Clinton_1.exe -> cmd.exe
  - PID 1660 wrote to memory of 1104: 1660 Biil_Clinton_1.exe -> cmd.exe
  - PID 1104 wrote to memory of 396: 1104 cmd.exe -> services.exe
  - PID 1104 wrote to memory of 396: 1104 cmd.exe -> services.exe
  - PID 1104 wrote to memory of 396: 1104 cmd.exe -> services.exe
  - PID 396 wrote to memory of 1100: 396 services.exe -> sihost64.exe
  - PID 396 wrote to memory of 1100: 396 services.exe -> sihost64.exe
  - PID 396 wrote to memory of 1100: 396 services.exe -> sihost64.exe
  - PID 1100 wrote to memory of 864: 1100 sihost64.exe -> conhost.exe
  - PID 1100 wrote to memory of 864: 1100 sihost64.exe -> conhost.exe
  - PID 1100 wrote to memory of 864: 1100 sihost64.exe -> conhost.exe
  - PID 1100 wrote to memory of 864: 1100 sihost64.exe -> conhost.exe
Processes (nested by parent/child depth)
- Process: C:\Users\Admin\AppData\Local\Temp\Biil_Clinton_1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Biil_Clinton_1.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Process: C:\Windows\system32\cmd.exe
    Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
    - Suspicious use of WriteProcessMemory
    - Process: C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
      - Creates scheduled task(s)
  - Process: C:\Windows\system32\cmd.exe
    Command line: "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - Process: C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - Process: C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - Process: C:\Windows\System32\conhost.exe
          Command line: "C:\Windows\System32\conhost.exe" "pzqytlcxf"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (dropped files)
- C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
  MD5: cc604fb0471f21f98c7dbf3f49765fbf
  SHA1: 7c163779532eca828cc9873ef0bdf56e6f4ea37d
  SHA256: 109aa0f084697ae5223cdbe3bd2c3d0630292517f9ef1bbb0fb6013f5bc10b09
  SHA512: c7e82a35597d505a96bcee389d53c0a56bf0c81ca65ede8380d2a30484e7cea826a0cc4b5350549e11577d36748c5e5fb34e24bf62507322a786b8d773f1d6e6
- C:\Users\Admin\AppData\Roaming\Microsoft\services.exe (hashes identical to the submitted sample, i.e. a copy of Biil_Clinton_1.exe)
  MD5: 8e1e2c2714753ce09285b4c418a0a5ab
  SHA1: 7a570ef7bb007f9e28c7c0ec3d1bc3e82f12626f
  SHA256: 13e8c1d2caddf547574089830035c34438b4daebc9e83cb531079eacae5972ca
  SHA512: 68a62e9d65dd75c130ae110428d0723d4ba8f0851dc511bdfc46bb6b5ebc3112e082cfa7d9dcc1f78abd5ac33ba52a01b975889f8b125cc6e4c416845084a36d