Analysis
- max time kernel: 122s
- max time network: 128s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 01:02
- Static task: static1
- Behavioral task: behavioral1
- Sample: b4c2a3b83c21343b81fcecfe1c828126017faed52fb990a4531ba04ad92dddb9.exe
- Resource: win7-en-20211208
General
- Target: b4c2a3b83c21343b81fcecfe1c828126017faed52fb990a4531ba04ad92dddb9.exe
- Size: 2.6MB
- MD5: 0dc555d4301c1c53ec92326e3f8a8d57
- SHA1: 1b3d5e36dda0e2417f4d0cadd3955c5343154041
- SHA256: b4c2a3b83c21343b81fcecfe1c828126017faed52fb990a4531ba04ad92dddb9
- SHA512: 9e8ce3992d924715e955fb455c5ad1c455c5d21982f806b9db24833cdc76a0e563bf5bda7b4192a342283eafb0bd8a5f92a3a5602d5d7f8aa95e2010c66f9491
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]
- Blocklisted process makes network request [4 IoCs]
  Processes (flow | pid | process):
    13 | 1468 | WScript.exe
    14 | 1468 | WScript.exe
    15 | 1468 | WScript.exe
    16 | 1468 | WScript.exe
- Checks BIOS information in registry [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b4c2a3b83c21343b81fcecfe1c828126017faed52fb990a4531ba04ad92dddb9.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b4c2a3b83c21343b81fcecfe1c828126017faed52fb990a4531ba04ad92dddb9.exe
- YARA rule match: themida
  Processes (resource | yara_rule):
    behavioral1/memory/1772-57-0x00000000013E0000-0x0000000001AA4000-memory.dmp | themida
    behavioral1/memory/1772-58-0x00000000013E0000-0x0000000001AA4000-memory.dmp | themida
    behavioral1/memory/1772-59-0x00000000013E0000-0x0000000001AA4000-memory.dmp | themida
    behavioral1/memory/1772-60-0x00000000013E0000-0x0000000001AA4000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | b4c2a3b83c21343b81fcecfe1c828126017faed52fb990a4531ba04ad92dddb9.exe
- Legitimate hosting services abused for malware hosting/C2 [1 TTPs]
- Looks up external IP address via web service [1 IoCs]
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    4 | ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoCs]
  Processes (pid | process):
    1772 | b4c2a3b83c21343b81fcecfe1c828126017faed52fb990a4531ba04ad92dddb9.exe
- Enumerates physical storage devices [1 TTPs]
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry [2 TTPs, 2 IoCs]
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | b4c2a3b83c21343b81fcecfe1c828126017faed52fb990a4531ba04ad92dddb9.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | b4c2a3b83c21343b81fcecfe1c828126017faed52fb990a4531ba04ad92dddb9.exe
- Suspicious behavior: EnumeratesProcesses [1 IoCs]
  Processes (pid | process):
    1772 | b4c2a3b83c21343b81fcecfe1c828126017faed52fb990a4531ba04ad92dddb9.exe
- Suspicious use of WriteProcessMemory [8 IoCs]
  Processes (description | pid | process | target process):
    PID 1772 wrote to memory of 432 | 1772 | b4c2a3b83c21343b81fcecfe1c828126017faed52fb990a4531ba04ad92dddb9.exe | WScript.exe
    PID 1772 wrote to memory of 432 | 1772 | b4c2a3b83c21343b81fcecfe1c828126017faed52fb990a4531ba04ad92dddb9.exe | WScript.exe
    PID 1772 wrote to memory of 432 | 1772 | b4c2a3b83c21343b81fcecfe1c828126017faed52fb990a4531ba04ad92dddb9.exe | WScript.exe
    PID 1772 wrote to memory of 432 | 1772 | b4c2a3b83c21343b81fcecfe1c828126017faed52fb990a4531ba04ad92dddb9.exe | WScript.exe
    PID 1772 wrote to memory of 1468 | 1772 | b4c2a3b83c21343b81fcecfe1c828126017faed52fb990a4531ba04ad92dddb9.exe | WScript.exe
    PID 1772 wrote to memory of 1468 | 1772 | b4c2a3b83c21343b81fcecfe1c828126017faed52fb990a4531ba04ad92dddb9.exe | WScript.exe
    PID 1772 wrote to memory of 1468 | 1772 | b4c2a3b83c21343b81fcecfe1c828126017faed52fb990a4531ba04ad92dddb9.exe | WScript.exe
    PID 1772 wrote to memory of 1468 | 1772 | b4c2a3b83c21343b81fcecfe1c828126017faed52fb990a4531ba04ad92dddb9.exe | WScript.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\b4c2a3b83c21343b81fcecfe1c828126017faed52fb990a4531ba04ad92dddb9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b4c2a3b83c21343b81fcecfe1c828126017faed52fb990a4531ba04ad92dddb9.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bblwgpsgbmhw.vbs"
  - [depth 2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ualxpmstspi.vbs"
    - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\bblwgpsgbmhw.vbs
  MD5: 971a2cdb779104599bedc1579ebc94dc
  SHA1: c8120b1b077b0395d32bdc1ef0907e0da6ebf0cc
  SHA256: f40068183c7ec4066d184916649e4f298a13ab8e2b97c7c92a9adcf02fb6d08f
  SHA512: 0dd41292b0cbfca1049b3ac2748823d5edfde22b443bda4b1d84610d5e0385ca5c78795181e6e8c06d68480262b3623d3a359c113856184eccb6c06ab8fc19ce
- C:\Users\Admin\AppData\Local\Temp\ualxpmstspi.vbs
  MD5: 6eebf0c16fe5c47cc5d61f7f40bdb47e
  SHA1: d87e0a19b8a1d7be0b01e8fb33390c7e012693bf
  SHA256: cabd26333151480221e82f55cebda89c7e3f877a5f7932af59215c69d5116d4d
  SHA512: dc12cca6a066fca6b728fbc578af89d9b42c5015b949f9efc4d9bd50ff2e171e6fd505008e222b5233bbd206ad340ba6d55123d2d12f967601e8d9b83b4606dd
Memory dumps (resource | filesize):
- memory/1772-55-0x00000000762C1000-0x00000000762C3000-memory.dmp | 8KB
- memory/1772-57-0x00000000013E0000-0x0000000001AA4000-memory.dmp | 6.8MB
- memory/1772-56-0x00000000775A0000-0x00000000775A2000-memory.dmp | 8KB
- memory/1772-58-0x00000000013E0000-0x0000000001AA4000-memory.dmp | 6.8MB
- memory/1772-59-0x00000000013E0000-0x0000000001AA4000-memory.dmp | 6.8MB
- memory/1772-60-0x00000000013E0000-0x0000000001AA4000-memory.dmp | 6.8MB