Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 13-01-2022 10:17
Static task: static1
Behavioral task: behavioral1
- Sample: Biil_Clinton_1.exe
- Resource: win7-en-20211208
General
- Target: Biil_Clinton_1.exe
- Size: 5.7MB
- MD5: 8e1e2c2714753ce09285b4c418a0a5ab
- SHA1: 7a570ef7bb007f9e28c7c0ec3d1bc3e82f12626f
- SHA256: 13e8c1d2caddf547574089830035c34438b4daebc9e83cb531079eacae5972ca
- SHA512: 68a62e9d65dd75c130ae110428d0723d4ba8f0851dc511bdfc46bb6b5ebc3112e082cfa7d9dcc1f78abd5ac33ba52a01b975889f8b125cc6e4c416845084a36d
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    2924  services.exe
    3344  sihost64.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Biil_Clinton_1.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Biil_Clinton_1.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | services.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | services.exe
- YARA rule match: themida
  Processes:
    resource | yara_rule
    behavioral2/memory/3964-115-0x0000000000400000-0x0000000000F36000-memory.dmp | themida
    C:\Users\Admin\AppData\Roaming\Microsoft\services.exe | themida
    C:\Users\Admin\AppData\Roaming\Microsoft\services.exe | themida
    behavioral2/memory/2924-129-0x0000000000400000-0x0000000000F36000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Biil_Clinton_1.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
    pid   process
    3964  Biil_Clinton_1.exe
    2924  services.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    3964  Biil_Clinton_1.exe
    2924  services.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 3964 | Biil_Clinton_1.exe
    Token: SeDebugPrivilege | 2924 | services.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    description | pid | process | target process
    PID 3964 wrote to memory of 3000 | 3964 | Biil_Clinton_1.exe | cmd.exe
    PID 3964 wrote to memory of 3000 | 3964 | Biil_Clinton_1.exe | cmd.exe
    PID 3000 wrote to memory of 1520 | 3000 | cmd.exe | schtasks.exe
    PID 3000 wrote to memory of 1520 | 3000 | cmd.exe | schtasks.exe
    PID 3964 wrote to memory of 2064 | 3964 | Biil_Clinton_1.exe | cmd.exe
    PID 3964 wrote to memory of 2064 | 3964 | Biil_Clinton_1.exe | cmd.exe
    PID 2064 wrote to memory of 2924 | 2064 | cmd.exe | services.exe
    PID 2064 wrote to memory of 2924 | 2064 | cmd.exe | services.exe
    PID 2924 wrote to memory of 3344 | 2924 | services.exe | sihost64.exe
    PID 2924 wrote to memory of 3344 | 2924 | services.exe | sihost64.exe
    PID 3344 wrote to memory of 3828 | 3344 | sihost64.exe | conhost.exe
    PID 3344 wrote to memory of 3828 | 3344 | sihost64.exe | conhost.exe
    PID 3344 wrote to memory of 3828 | 3344 | sihost64.exe | conhost.exe
Processes (indented by process-tree depth)
- C:\Users\Admin\AppData\Local\Temp\Biil_Clinton_1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Biil_Clinton_1.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
      - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - C:\Windows\System32\conhost.exe
          Command line: "C:\Windows\System32\conhost.exe" "pzqytlcxf"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
  MD5: cc604fb0471f21f98c7dbf3f49765fbf
  SHA1: 7c163779532eca828cc9873ef0bdf56e6f4ea37d
  SHA256: 109aa0f084697ae5223cdbe3bd2c3d0630292517f9ef1bbb0fb6013f5bc10b09
  SHA512: c7e82a35597d505a96bcee389d53c0a56bf0c81ca65ede8380d2a30484e7cea826a0cc4b5350549e11577d36748c5e5fb34e24bf62507322a786b8d773f1d6e6
- C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
  MD5: 8e1e2c2714753ce09285b4c418a0a5ab
  SHA1: 7a570ef7bb007f9e28c7c0ec3d1bc3e82f12626f
  SHA256: 13e8c1d2caddf547574089830035c34438b4daebc9e83cb531079eacae5972ca
  SHA512: 68a62e9d65dd75c130ae110428d0723d4ba8f0851dc511bdfc46bb6b5ebc3112e082cfa7d9dcc1f78abd5ac33ba52a01b975889f8b125cc6e4c416845084a36d
- memory/1520-124-0x0000000000000000-mapping.dmp
- memory/2064-125-0x0000000000000000-mapping.dmp
- memory/2924-133-0x000000001C702000-0x000000001C703000-memory.dmp (Filesize: 4KB)
- memory/2924-136-0x000000001C707000-0x000000001C708000-memory.dmp (Filesize: 4KB)
- memory/2924-135-0x000000001C708000-0x000000001C709000-memory.dmp (Filesize: 4KB)
- memory/2924-134-0x000000001C704000-0x000000001C706000-memory.dmp (Filesize: 8KB)
- memory/2924-132-0x00000000033E0000-0x00000000033F2000-memory.dmp (Filesize: 72KB)
- memory/2924-126-0x0000000000000000-mapping.dmp
- memory/2924-131-0x000000001CA00000-0x000000001CBF4000-memory.dmp (Filesize: 2.0MB)
- memory/2924-130-0x000000001CA00000-0x000000001CBF4000-memory.dmp (Filesize: 2.0MB)
- memory/2924-129-0x0000000000400000-0x0000000000F36000-memory.dmp (Filesize: 11.2MB)
- memory/3000-123-0x0000000000000000-mapping.dmp
- memory/3344-137-0x0000000000000000-mapping.dmp
- memory/3828-140-0x0000020878340000-0x0000020878342000-memory.dmp (Filesize: 8KB)
- memory/3828-145-0x0000020878370000-0x0000020878376000-memory.dmp (Filesize: 24KB)
- memory/3828-150-0x000002087A733000-0x000002087A735000-memory.dmp (Filesize: 8KB)
- memory/3828-151-0x000002087A736000-0x000002087A737000-memory.dmp (Filesize: 4KB)
- memory/3828-148-0x00000208780C0000-0x00000208780C6000-memory.dmp (Filesize: 24KB)
- memory/3828-149-0x000002087A730000-0x000002087A732000-memory.dmp (Filesize: 8KB)
- memory/3828-147-0x0000020878340000-0x0000020878342000-memory.dmp (Filesize: 8KB)
- memory/3828-146-0x0000020878340000-0x0000020878342000-memory.dmp (Filesize: 8KB)
- memory/3828-144-0x0000020878370000-0x0000020878376000-memory.dmp (Filesize: 24KB)
- memory/3828-141-0x0000020878340000-0x0000020878342000-memory.dmp (Filesize: 8KB)
- memory/3828-142-0x0000020878340000-0x0000020878342000-memory.dmp (Filesize: 8KB)
- memory/3828-143-0x0000020878340000-0x0000020878342000-memory.dmp (Filesize: 8KB)
- memory/3964-118-0x000000001C2F0000-0x000000001C4E4000-memory.dmp (Filesize: 2.0MB)
- memory/3964-115-0x0000000000400000-0x0000000000F36000-memory.dmp (Filesize: 11.2MB)
- memory/3964-116-0x0000000002F00000-0x00000000030F4000-memory.dmp (Filesize: 2.0MB)
- memory/3964-117-0x000000001C2F0000-0x000000001C4E4000-memory.dmp (Filesize: 2.0MB)
- memory/3964-119-0x00000000038B0000-0x00000000038C2000-memory.dmp (Filesize: 72KB)
- memory/3964-122-0x000000001C0E6000-0x000000001C0E7000-memory.dmp (Filesize: 4KB)
- memory/3964-121-0x000000001C0E3000-0x000000001C0E5000-memory.dmp (Filesize: 8KB)
- memory/3964-120-0x000000001C0E0000-0x000000001C0E2000-memory.dmp (Filesize: 8KB)