Overview
Analysis tabs (the number beside each tab is the score the report shows for it):
- Static: 10
- Brute.exe on windows7_x64: 7
- Brute.exe on windows10_x64: 10
- Brute.exe on windows10-2004_x64: 10
- Leaf.xNet.dll on windows7_x64: 10
- Leaf.xNet.dll on windows10_x64: 1
- Leaf.xNet.dll on windows10-2004_x64: 6
- Newtonsoft.Json.dll on windows7_x64: 10
- Newtonsoft.Json.dll on windows10_x64: 1
- Newtonsoft.Json.dll on windows10-2004_x64: 6
Analysis (score 10)
- max time kernel: 118s
- max time network: 154s
- platform: windows10_x64
- resource: win10-ja-20211208
- submitted: 11-02-2022 07:59
Tasks:
- static1: Static task
- behavioral1: Brute.exe on win7-ja-20211208
- behavioral2: Brute.exe on win10-ja-20211208
- behavioral3: Brute.exe on win10v2004-ja-20220113
- behavioral4: Leaf.xNet.dll on win7-ja-20211208
- behavioral5: Leaf.xNet.dll on win10-ja-20211208
- behavioral6: Leaf.xNet.dll on win10v2004-ja-20220113
- behavioral7: Newtonsoft.Json.dll on win7-ja-20211208
- behavioral8: Newtonsoft.Json.dll on win10-ja-20211208
- behavioral9: Newtonsoft.Json.dll on win10v2004-ja-20220112
General
- Target: Brute.exe
- Size: 3.6MB
- MD5: a96e9cb0519ef7a3ab1fa9c1f52e8cbd
- SHA1: 5e2169ceaf3e28289bc6c5ec4ac1b469d17f5ba8
- SHA256: c2e3de80d6a602cd08cba211d41af12236fb7faa63ed046eff261bdc4408e63c
- SHA512: d333cf02075e1f23b54edc0e44112df1fc71519f2b2a3dfad2d27b253e90c80dc265a1e6f2f340fb76395e00307e7bd12f563faeae589331d73918de8c26cde1
Malware Config
Signatures
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Downloads MZ/PE file
- Executes dropped EXE 1 IoCs
  Processes: upd_433.exe (PID 4708)
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    Brute.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    Brute.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- YARA rule match: themida
  Resources:
    behavioral2/memory/3916-125-0x0000000000B00000-0x000000000147E000-memory.dmp: themida
    behavioral2/memory/3916-126-0x0000000000B00000-0x000000000147E000-memory.dmp: themida
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
    upd_433.exe: set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinMgmt = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinKey\\WinMgmt.exe\""
- Checks whether UAC is enabled
  Processes:
    Brute.exe: key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes: Brute.exe (PID 3916)
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  Processes: Brute.exe (PID 3916), Brute.exe (PID 3916)
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes: Brute.exe (PID 3916), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes (source wrote to memory of target):
    PID 3916 Brute.exe -> PID 4708 upd_433.exe (3 events)
    PID 4708 upd_433.exe -> PID 520 cmd.exe (3 events)
    PID 520 cmd.exe -> PID 920 schtasks.exe (3 events)
Processes (indented entries are children of the process above them)
- C:\Users\Admin\AppData\Local\Temp\Brute.exe (PID 3916)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Brute.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\upd_433.exe (PID 4708)
    Command line: "C:\Users\Admin\AppData\Local\Temp\upd_433.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 520)
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc minute /mo 5 /st 09:05 /tn "WinMgmt.exe" /tr '"C:\Users\Admin\AppData\Roaming\WinKey\WinMgmt.exe"' & exit
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 920)
        Command line: schtasks /create /f /sc minute /mo 5 /st 09:05 /tn "WinMgmt.exe" /tr '"C:\Users\Admin\AppData\Roaming\WinKey\WinMgmt.exe"'
        - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\upd_433.exe
  MD5: fe3f40b77341f9e428c67087f2e6bd92
  SHA1: 36a7670d930db2cc1755b5de9461d225e8f2f722
  SHA256: 669cf6310c411f45e2808cfb6beb1b0bb65edb2965fe11205417e81d01ebc5db
  SHA512: c5ad0e17ef8eebac846513196b5488194bfeba8080821e404a8d3cf64eeecfa86dbb28d6625d960c36b906d65176d2782c26280537e5bc1976d3b04681a97536