Analysis
- max time kernel: 146s
- max time network: 133s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05-02-2022 15:49
- Static task: static1
- Behavioral task: behavioral1
- Sample: 105a7f1e9f623633f1b1439cf15f58be.exe
- Resource: win7-en-20211208
General
- Target: 105a7f1e9f623633f1b1439cf15f58be.exe
- Size: 5.7MB
- MD5: 105a7f1e9f623633f1b1439cf15f58be
- SHA1: 0fba1e00864607102f82c7e2cdc14856851da104
- SHA256: 4c20cb035c923c914c129daa6f7dd77c24d3d3ad58f09c89a12d8028405bb5d0
- SHA512: fb7ceda860b98bf9d4def5c2ba2e2f9ee33743cd2225af19b4bffd31dcb38d6675ff77d39f5ed09bdfb0feb7582645418895c8df37e8f8bffeebac3948340127
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

Executes dropped EXE 2 IoCs
Processes:
| pid | process |
|---|---|
| 808 | services.exe |
| 1220 | sihost64.exe |

Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | services.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | services.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 105a7f1e9f623633f1b1439cf15f58be.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 105a7f1e9f623633f1b1439cf15f58be.exe |

Loads dropped DLL 2 IoCs
Processes:
| pid | process |
|---|---|
| 588 | cmd.exe |
| 808 | services.exe |

Processes:
| resource | yara_rule |
|---|---|
| behavioral1/memory/2016-54-0x0000000000400000-0x0000000000F42000-memory.dmp | themida |
| \Users\Admin\AppData\Roaming\Microsoft\services.exe | themida |
| C:\Users\Admin\AppData\Roaming\Microsoft\services.exe | themida |
| C:\Users\Admin\AppData\Roaming\Microsoft\services.exe | themida |
| behavioral1/memory/808-64-0x0000000000400000-0x0000000000F42000-memory.dmp | themida |

Checks whether UAC is enabled 2 IoCs
Processes:
| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 105a7f1e9f623633f1b1439cf15f58be.exe |

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
| pid | process |
|---|---|
| 2016 | 105a7f1e9f623633f1b1439cf15f58be.exe |
| 808 | services.exe |

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
| pid | process |
|---|---|
| 2016 | 105a7f1e9f623633f1b1439cf15f58be.exe |
| 808 | services.exe |

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 2016 | 105a7f1e9f623633f1b1439cf15f58be.exe |
| Token: SeDebugPrivilege | 808 | services.exe |

Suspicious use of WriteProcessMemory 19 IoCs
Processes:
| description | pid | process | target process |
|---|---|---|---|
| PID 2016 wrote to memory of 960 | 2016 | 105a7f1e9f623633f1b1439cf15f58be.exe | cmd.exe |
| PID 2016 wrote to memory of 960 | 2016 | 105a7f1e9f623633f1b1439cf15f58be.exe | cmd.exe |
| PID 2016 wrote to memory of 960 | 2016 | 105a7f1e9f623633f1b1439cf15f58be.exe | cmd.exe |
| PID 960 wrote to memory of 524 | 960 | cmd.exe | schtasks.exe |
| PID 960 wrote to memory of 524 | 960 | cmd.exe | schtasks.exe |
| PID 960 wrote to memory of 524 | 960 | cmd.exe | schtasks.exe |
| PID 2016 wrote to memory of 588 | 2016 | 105a7f1e9f623633f1b1439cf15f58be.exe | cmd.exe |
| PID 2016 wrote to memory of 588 | 2016 | 105a7f1e9f623633f1b1439cf15f58be.exe | cmd.exe |
| PID 2016 wrote to memory of 588 | 2016 | 105a7f1e9f623633f1b1439cf15f58be.exe | cmd.exe |
| PID 588 wrote to memory of 808 | 588 | cmd.exe | services.exe |
| PID 588 wrote to memory of 808 | 588 | cmd.exe | services.exe |
| PID 588 wrote to memory of 808 | 588 | cmd.exe | services.exe |
| PID 808 wrote to memory of 1220 | 808 | services.exe | sihost64.exe |
| PID 808 wrote to memory of 1220 | 808 | services.exe | sihost64.exe |
| PID 808 wrote to memory of 1220 | 808 | services.exe | sihost64.exe |
| PID 1220 wrote to memory of 1968 | 1220 | sihost64.exe | conhost.exe |
| PID 1220 wrote to memory of 1968 | 1220 | sihost64.exe | conhost.exe |
| PID 1220 wrote to memory of 1968 | 1220 | sihost64.exe | conhost.exe |
| PID 1220 wrote to memory of 1968 | 1220 | sihost64.exe | conhost.exe |
Processes
Process tree (the number in brackets is the depth of the process in the tree; nested entries are child processes, and the bullets under each process are the signatures it triggered):

- [1] C:\Users\Admin\AppData\Local\Temp\105a7f1e9f623633f1b1439cf15f58be.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\105a7f1e9f623633f1b1439cf15f58be.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
      - Creates scheduled task(s)
  - [2] C:\Windows\system32\cmd.exe
    Command line: "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\System32\conhost.exe
          Command line: "C:\Windows\System32\conhost.exe" "qcorbjem"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
| File | MD5 | SHA1 | SHA256 | SHA512 |
|---|---|---|---|---|
| C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe | 30c8c4ca447fd860622f594a174fef77 | 31393d1438a8df8a7ae1e999302bbb1a37bcaeff | b5092c596be24cf815584a58a20e0d373216d28e3e97d0dd41dc1eb66fbae595 | d8fc3ab0c81f1e334f8de4efe1866de0883f04f07b174aa6a769ceb71a8b9fe71975f3306567d91b5be6a35b481b1221ebc534a293ffecffc60d486032787b59 |
| C:\Users\Admin\AppData\Roaming\Microsoft\services.exe | 105a7f1e9f623633f1b1439cf15f58be | 0fba1e00864607102f82c7e2cdc14856851da104 | 4c20cb035c923c914c129daa6f7dd77c24d3d3ad58f09c89a12d8028405bb5d0 | fb7ceda860b98bf9d4def5c2ba2e2f9ee33743cd2225af19b4bffd31dcb38d6675ff77d39f5ed09bdfb0feb7582645418895c8df37e8f8bffeebac3948340127 |
| \Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe | 30c8c4ca447fd860622f594a174fef77 | 31393d1438a8df8a7ae1e999302bbb1a37bcaeff | b5092c596be24cf815584a58a20e0d373216d28e3e97d0dd41dc1eb66fbae595 | d8fc3ab0c81f1e334f8de4efe1866de0883f04f07b174aa6a769ceb71a8b9fe71975f3306567d91b5be6a35b481b1221ebc534a293ffecffc60d486032787b59 |
| \Users\Admin\AppData\Roaming\Microsoft\services.exe | 105a7f1e9f623633f1b1439cf15f58be | 0fba1e00864607102f82c7e2cdc14856851da104 | 4c20cb035c923c914c129daa6f7dd77c24d3d3ad58f09c89a12d8028405bb5d0 | fb7ceda860b98bf9d4def5c2ba2e2f9ee33743cd2225af19b4bffd31dcb38d6675ff77d39f5ed09bdfb0feb7582645418895c8df37e8f8bffeebac3948340127 |

The dropped services.exe has exactly the same MD5, SHA1, SHA256 and SHA512 as the submitted sample: the sample copies itself byte for byte to C:\Users\Admin\AppData\Roaming\Microsoft\services.exe, which is the path registered for the "services" scheduled task in the process tree above. sihost64.exe is a separate, second-stage file with its own hashes.
| Memory dump | Filesize |
|---|---|
| memory/808-64-0x0000000000400000-0x0000000000F42000-memory.dmp | 11.3MB |
| memory/808-65-0x0000000003532000-0x0000000003534000-memory.dmp | 8KB |
| memory/808-67-0x0000000003536000-0x0000000003537000-memory.dmp | 4KB |
| memory/808-68-0x0000000003537000-0x0000000003538000-memory.dmp | 4KB |
| memory/808-66-0x0000000003534000-0x0000000003536000-memory.dmp | 8KB |
| memory/1968-72-0x0000000000060000-0x0000000000066000-memory.dmp | 24KB |
| memory/1968-71-0x0000000000340000-0x0000000000346000-memory.dmp | 24KB |
| memory/1968-73-0x0000000001CD0000-0x0000000002150000-memory.dmp | 4.5MB |
| memory/1968-74-0x0000000001CD0000-0x0000000002150000-memory.dmp | 4.5MB |
| memory/1968-75-0x0000000001CD0000-0x0000000002150000-memory.dmp | 4.5MB |
| memory/1968-76-0x0000000001CD0000-0x0000000002150000-memory.dmp | 4.5MB |
| memory/2016-54-0x0000000000400000-0x0000000000F42000-memory.dmp | 11.3MB |
| memory/2016-58-0x000000001C214000-0x000000001C216000-memory.dmp | 8KB |
| memory/2016-57-0x000000001C212000-0x000000001C214000-memory.dmp | 8KB |
| memory/2016-59-0x000000001C216000-0x000000001C217000-memory.dmp | 4KB |
| memory/2016-56-0x000000001C490000-0x000000001C684000-memory.dmp | 2.0MB |
| memory/2016-55-0x0000000002C30000-0x0000000002E24000-memory.dmp | 2.0MB |
| memory/2016-60-0x000000001C217000-0x000000001C218000-memory.dmp | 4KB |