Analysis

  • max time kernel
    175s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    09-02-2022 00:56

General

  • Target

    2022-02-06 build_dl.exe

  • Size

    3.9MB

  • MD5

    095715a96975ef7b9e17d0a39739e0cc

  • SHA1

    aa090944875fb9bd5b1e8b3775592eea5ceeb186

  • SHA256

    15d06d1741cc8b5495da9c79c6f630e33060e80c73da9666500f6f0bdf5ff259

  • SHA512

    ab76c374c995501ef57c4f46602e0df16188ccb6f69bb4c9c84073e48c664000912353a47ed5758c48735c64ca1167f73b02c41d4cfefea9978e3a219c12ce11

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets file to hidden 1 TTPs

    Modifies file attributes so the file is hidden from Explorer and similar directory listings.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility (here ipconfig) that queries or alters network configuration.

  • GoLang User-Agent 2 IoCs

    Uses the default User-Agent string set by Go's net/http package (Go-http-client/1.1).

  • Modifies data under HKEY_USERS 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2022-02-06 build_dl.exe
    "C:\Users\Admin\AppData\Local\Temp\2022-02-06 build_dl.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\system32\cmd.exe
      cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1980
    • C:\Windows\system32\cmd.exe
      cmd /Q /C move /Y "C:\Users\Admin\AppData\Local\Temp\2022-02-06 build_dl.exe" C:\Windows\BCU.exe
      2⤵
      • Suspicious behavior: RenamesItself
      PID:1032
    • C:\Windows\system32\cmd.exe
      cmd /C "netsh advfirewall firewall add rule name=\"BCU\" dir=in action=allow program=\"C:\Users\Admin\AppData\Local\Temp\2022-02-06 build_dl.exe\" enable=yes"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\system32\netsh.exe
        netsh advfirewall firewall add rule name=\"BCU\" dir=in action=allow program=\"C:\Users\Admin\AppData\Local\Temp\2022-02-06 build_dl.exe\" enable=yes
        3⤵
        PID:1196
    • C:\Windows\system32\cmd.exe
      cmd /C whoami
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Windows\system32\whoami.exe
        whoami
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2960
    • C:\Windows\system32\cmd.exe
      cmd /C whoami
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1140
      • C:\Windows\system32\whoami.exe
        whoami
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3048
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic cpu get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic cpu get name
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1712
    • C:\Windows\system32\cmd.exe
      cmd /Q /C reg add "HKCU\Software\Networking Service" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3416
      • C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Networking Service" /f
        3⤵
        PID:3060
    • C:\Windows\system32\cmd.exe
      cmd /C "ipconfig //flushdns"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Windows\system32\ipconfig.exe
        ipconfig //flushdns
        3⤵
        • Gathers network information
        PID:3464
    • C:\Windows\system32\cmd.exe
      cmd /C "attrib +S +H C:\Windows\BCU.exe"
      2⤵
      PID:2152
      • C:\Windows\system32\attrib.exe
        attrib +S +H C:\Windows\BCU.exe
        3⤵
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:4056
    • C:\Windows\system32\cmd.exe
      cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3724
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic path win32_VideoController get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_VideoController get name
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:400
    • C:\Windows\system32\cmd.exe
      cmd /C ver
      2⤵
      PID:1616
    • C:\Windows\system32\cmd.exe
      cmd /C "wmic path win32_VideoController get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1272
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_VideoController get name
        3⤵
        PID:1784
    • C:\Windows\system32\cmd.exe
      cmd /C start C:\Windows\1644371941.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3476
      • C:\Windows\1644371941.exe
        C:\Windows\1644371941.exe
        3⤵
        • Executes dropped EXE
        PID:3832
    • C:\Windows\system32\cmd.exe
      cmd /C start C:\Windows\1644371963.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\1644371963.exe
        C:\Windows\1644371963.exe
        3⤵
        • Executes dropped EXE
        PID:540
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:2004
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:1292
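The tree above shows a compact evasion chain driven through cmd.exe: two Defender exclusions via Add-MpPreference, the sample moving itself to C:\Windows\BCU.exe, a netsh allow rule (which still names the original Temp path, not the moved binary), attrib +S +H on the moved file, a new HKCU\Software\Networking Service key, and two ten-digit-named droppers under C:\Windows. Every step is visible in process-creation telemetry. The following is an added example and is not part of this report or of the sample: Python detections run over constructed Sysmon-style Event ID 1 records whose command lines copy the tree above (field names follow Sysmon's Image/CommandLine/ProcessId/ParentProcessId schema). Reading the ten-digit filenames as Unix timestamps is an assumption; 1644371941 decodes to 2022-02-09 01:59:01 UTC, the same date as the submission.

```python
"""Process-creation detections for the cmd.exe-driven evasion chain above.

Added example, not sandbox output: SAMPLE_EVENTS are constructed
Sysmon-style (Event ID 1) records that copy the report's command lines.
"""
import re
from datetime import datetime, timezone

# Constructed sample log mirroring the report's process tree (not exported from the sandbox).
SAMPLE_EVENTS = [
    {"ProcessId": 1980, "ParentProcessId": 1452,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp"},
    {"ProcessId": 1032, "ParentProcessId": 2280,
     "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'cmd /Q /C move /Y "C:\Users\Admin\AppData\Local\Temp\2022-02-06 build_dl.exe" C:\Windows\BCU.exe'},
    {"ProcessId": 1196, "ParentProcessId": 1752,
     "Image": r"C:\Windows\system32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name=\"BCU\" dir=in action=allow program=\"C:\Users\Admin\AppData\Local\Temp\2022-02-06 build_dl.exe\" enable=yes'},
    {"ProcessId": 3060, "ParentProcessId": 3416,
     "Image": r"C:\Windows\system32\reg.exe",
     "CommandLine": r'reg add "HKCU\Software\Networking Service" /f'},
    {"ProcessId": 4056, "ParentProcessId": 2152,
     "Image": r"C:\Windows\system32\attrib.exe",
     "CommandLine": r"attrib +S +H C:\Windows\BCU.exe"},
    {"ProcessId": 3832, "ParentProcessId": 3476,
     "Image": r"C:\Windows\1644371941.exe",
     "CommandLine": r"C:\Windows\1644371941.exe"},
    # Benign control: an admin flushing the DNS cache must not fire any rule.
    {"ProcessId": 9001, "ParentProcessId": 9000,
     "Image": r"C:\Windows\system32\ipconfig.exe",
     "CommandLine": r"ipconfig /flushdns"},
]

# Binary directly under C:\Windows whose whole name is ten digits.
EPOCH_NAME = re.compile(r"(?i)^C:\\Windows\\(\d{10})\.exe$")


def image_name(ev):
    """Lower-cased basename of the Image field."""
    return ev["Image"].rsplit("\\", 1)[-1].lower()


def epoch_name_timestamp(image):
    """Read a ten-digit filename as a Unix timestamp (assumption: the dropper
    names its payloads by epoch time). Returns an aware UTC datetime or None."""
    m = EPOCH_NAME.match(image)
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc) if m else None


def rule_defender_exclusion(ev):
    cl = ev["CommandLine"].lower()
    return image_name(ev) == "powershell.exe" and "add-mppreference" in cl and "-exclusionpath" in cl


def rule_firewall_allow_program(ev):
    cl = ev["CommandLine"].lower()
    return (image_name(ev) == "netsh.exe" and "advfirewall firewall add rule" in cl
            and "action=allow" in cl and "program=" in cl)


def rule_move_into_windows(ev):
    # cmd.exe moving an executable to the top level of C:\Windows (the BCU.exe step).
    return (image_name(ev) == "cmd.exe"
            and re.search(r'(?i)\bmove\b.*\bC:\\Windows\\[^\\\s"]+\.exe\b', ev["CommandLine"]) is not None)


def rule_hide_system_file(ev):
    toks = ev["CommandLine"].lower().split()      # order of +S and +H does not matter
    return image_name(ev) == "attrib.exe" and "+s" in toks and "+h" in toks


def rule_networking_service_key(ev):
    cl = ev["CommandLine"].lower()
    return image_name(ev) == "reg.exe" and cl.startswith("reg add") and r"hkcu\software\networking service" in cl


def rule_epoch_named_binary(ev):
    return epoch_name_timestamp(ev["Image"]) is not None


RULES = [
    ("defender_exclusion", rule_defender_exclusion),
    ("firewall_allow_program", rule_firewall_allow_program),
    ("move_into_windows", rule_move_into_windows),
    ("hide_system_file", rule_hide_system_file),
    ("networking_service_key", rule_networking_service_key),
    ("epoch_named_binary", rule_epoch_named_binary),
]

# The steps that together defeat Defender, the host firewall and the file listing.
EVASION_RULES = {"defender_exclusion", "firewall_allow_program", "move_into_windows", "hide_system_file"}


def evaluate(events):
    """Map each rule that fired to the ProcessIds that triggered it."""
    hits = {}
    for ev in events:
        for name, pred in RULES:
            if pred(ev):
                hits.setdefault(name, []).append(ev["ProcessId"])
    return hits


def verdict(hits):
    """Escalate on the chain, not on any single step (each alone has admin uses)."""
    n = len(EVASION_RULES & set(hits))
    return "high" if n >= 3 else ("medium" if n >= 1 else "none")


if __name__ == "__main__":
    h = evaluate(SAMPLE_EVENTS)
    for name, pids in h.items():
        print(f"{name:24s} pids={pids}")
    print("verdict:", verdict(h))
```

The rules key on the child image (powershell.exe, netsh.exe, attrib.exe, reg.exe) rather than on the cmd.exe wrapper, so they also fire when the same commands are launched without cmd /C; the cmd-specific rule is the self-relocation, which only cmd's built-in move can perform. On a real host, feed it Sysmon Event ID 1 or Windows 4688 records with the same field names.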

            Network

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic, then technique (ID): number of matching signatures.

  • Execution
    Command-Line Interface (T1059): 1
  • Persistence
    Modify Existing Service (T1031): 1
    Hidden Files and Directories (T1158): 2
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Virtualization/Sandbox Evasion (T1497): 1
    Hidden Files and Directories (T1158): 2
    Modify Registry (T1112): 1
  • Credential Access
    Credentials in Files (T1081): 2
  • Discovery
    Query Registry (T1012): 3
    Virtualization/Sandbox Evasion (T1497): 1
    System Information Discovery (T1082): 4
  • Collection
    Data from Local System (T1005): 2

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              MD5

              d85ba6ff808d9e5444a4b369f5bc2730

              SHA1

              31aa9d96590fff6981b315e0b391b575e4c0804a

              SHA256

              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

              SHA512

              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            • C:\Windows\1644371941.exe
              MD5

              a543da3f43f931ca56bea6ac81eb0815

              SHA1

              44d3794cad034ea8666d8f60e1c3d6e3e8771ae1

              SHA256

              b7ca36e5ef33a32da7e256d4694738df05a52c72098868e9ab0eecf53b1818dc

              SHA512

              c8fa431bd747dad01637cfa3ae1ce562010f027be2b8fe304ba83571f5ad9b0feedabef99b2c98d01a91ad22aa091c85ca98db29b9d2abb95f2314478c8e3ede

            • C:\Windows\1644371963.exe
              MD5

              502e1937c846f43e90a7864c1e7071be

              SHA1

              dc869347d9d98857b63f8c5984f4287ec3a8f161

              SHA256

              125d09a3fb2bca601e2539cb465205fa66b9e6e20a8caa635c1e2f02628a277a

              SHA512

              4bc9695ae618a69196c2111c6ceea95f1a1563afc7fc66c9116aae813d011ed5fd1a3e582c8413720ccd0ef21c9592429471908d32c2e5a2d452537fda960adc

            • memory/540-178-0x0000000000400000-0x000000000043C000-memory.dmp
              Filesize

              240KB

            • memory/540-169-0x00000000025C0000-0x00000000025F9000-memory.dmp
              Filesize

              228KB

            • memory/540-168-0x0000000000970000-0x000000000099B000-memory.dmp
              Filesize

              172KB

            • memory/1980-142-0x00007FFB810D3000-0x00007FFB810D5000-memory.dmp
              Filesize

              8KB

            • memory/1980-143-0x0000012444650000-0x0000012444652000-memory.dmp
              Filesize

              8KB

            • memory/1980-144-0x0000012444653000-0x0000012444655000-memory.dmp
              Filesize

              8KB

            • memory/1980-145-0x000001242C530000-0x000001242C552000-memory.dmp
              Filesize

              136KB

            • memory/1980-148-0x0000012444656000-0x0000012444658000-memory.dmp
              Filesize

              8KB

            • memory/1980-159-0x0000012444658000-0x0000012444659000-memory.dmp
              Filesize

              4KB

            • memory/2280-132-0x00000000004F0000-0x0000000001092000-memory.dmp
              Filesize

              11.6MB

            • memory/2280-135-0x00000000004F0000-0x0000000001092000-memory.dmp
              Filesize

              11.6MB

            • memory/2280-133-0x00000000004F0000-0x0000000001092000-memory.dmp
              Filesize

              11.6MB

            • memory/2280-130-0x00000000004F0000-0x0000000001092000-memory.dmp
              Filesize

              11.6MB

            • memory/2280-134-0x00000000004F0000-0x0000000001092000-memory.dmp
              Filesize

              11.6MB

            • memory/2280-131-0x00007FFBA0630000-0x00007FFBA0632000-memory.dmp
              Filesize

              8KB

            • memory/2280-137-0x00000000004F0000-0x0000000001092000-memory.dmp
              Filesize

              11.6MB

            • memory/2280-136-0x00000000004F0000-0x0000000001092000-memory.dmp
              Filesize

              11.6MB

            • memory/3724-156-0x00000215D01D0000-0x00000215D01D2000-memory.dmp
              Filesize

              8KB

            • memory/3724-160-0x00000215D01D8000-0x00000215D01D9000-memory.dmp
              Filesize

              4KB

            • memory/3724-158-0x00000215D01D6000-0x00000215D01D8000-memory.dmp
              Filesize

              8KB

            • memory/3724-157-0x00000215D01D3000-0x00000215D01D5000-memory.dmp
              Filesize

              8KB

            • memory/3724-151-0x00007FFB810D3000-0x00007FFB810D5000-memory.dmp
              Filesize

              8KB

            • memory/3832-170-0x0000000000010000-0x00000000005C7000-memory.dmp
              Filesize

              5.7MB

            • memory/3832-171-0x0000000002700000-0x0000000002741000-memory.dmp
              Filesize

              260KB

            • memory/3832-173-0x0000000000045000-0x0000000000060000-memory.dmp
              Filesize

              108KB

            • memory/3832-172-0x0000000000033000-0x0000000000034000-memory.dmp
              Filesize

              4KB

            • memory/3832-174-0x0000000000010000-0x00000000005C7000-memory.dmp
              Filesize

              5.7MB

            • memory/3832-175-0x000000000023A000-0x000000000058F000-memory.dmp
              Filesize

              3.3MB

            • memory/3832-176-0x0000000002750000-0x0000000002751000-memory.dmp
              Filesize

              4KB

            • memory/3832-177-0x0000000000010000-0x00000000005C7000-memory.dmp
              Filesize

              5.7MB