Analysis
max time kernel: 147s
max time network: 147s
platform: windows10_x64
resource: win10-en-20211208
submitted: 17/01/2022, 03:50
Static task: static1
General
Target: f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801.exe
Size: 2.6MB
MD5: 1d00723292d3b8bda50c59d040c27087
SHA1: 76aedfcff7e298d862354db00ee2c4575da72b42
SHA256: f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801
SHA512: 03ef6b83ccff99155be15ca8ac83bb2ada8570a1f5dfbf983db7c6fc6220ca8aa1555988dc72fb08a39ac6d73f8c77c75cdd875249912f9db720a2d5bcbad76a
Malware Config
Extracted: cryptbot
- zyoyol62.top
- morpsy06.top
payload_url: http://yapcbx08.top/download.php?file=inrhed.exe
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral1/memory/3600-115-0x0000000000B30000-0x0000000001218000-memory.dmp | themida
behavioral1/memory/3600-116-0x0000000000B30000-0x0000000001218000-memory.dmp | themida
behavioral1/memory/3600-117-0x0000000000B30000-0x0000000001218000-memory.dmp | themida
behavioral1/memory/3600-118-0x0000000000B30000-0x0000000001218000-memory.dmp | themida
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid | Process
3600 | f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3600 | f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801.exe
3600 | f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801.exe
Processes
C:\Users\Admin\AppData\Local\Temp\f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f460acfcc99c9338b3f5fb3793f6cbb15daf76c2a79fd05f7398af5346150801.exe"
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID: 3600