Analysis
- max time kernel: 117s
- max time network: 123s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 15-02-2022 05:33
Static task: static1
Behavioral task: behavioral1
Sample: dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
Resource: win7-en-20211208
General
- Target: dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
- Size: 2.4MB
- MD5: 2ca1fa563d961e96561622edcab5d864
- SHA1: d9fcd898fe5ddc4a19ae97a6c4ff1f2664a808ac
- SHA256: dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e
- SHA512: 916443f39a0e14431b369a6b9c8d37ab12689559f39f3bbd0f9988aa17db2a914c01c9e14cbf7be92146427046e81c76e3dc91f1e767428079c60956e1414b7d
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Blocklisted process makes network request 4 IoCs
  Processes: WScript.exe
  flow | pid  | process
  13   | 1536 | WScript.exe
  14   | 1536 | WScript.exe
  15   | 1536 | WScript.exe
  16   | 1536 | WScript.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
  description       | ioc                                                             | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
- Processes:
  resource                                                                    | yara_rule
  behavioral1/memory/1072-55-0x0000000001280000-0x00000000018EE000-memory.dmp | themida
  behavioral1/memory/1072-56-0x0000000001280000-0x00000000018EE000-memory.dmp | themida
  behavioral1/memory/1072-57-0x0000000001280000-0x00000000018EE000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes: dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
  description       | ioc                                                                          | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
- Legitimate hosting services abused for malware hosting/C2 1 TTPs
- Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  4    | ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes: dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
  pid  | process
  1072 | dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes: dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
  description       | ioc                                                                             | process
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                 | dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes: dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
  pid  | process
  1072 | dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
- Suspicious use of WriteProcessMemory 8 IoCs
  Processes: dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
  description                      | pid  | process                                                              | target process
  PID 1072 wrote to memory of 1812 | 1072 | dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe | WScript.exe
  PID 1072 wrote to memory of 1812 | 1072 | dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe | WScript.exe
  PID 1072 wrote to memory of 1812 | 1072 | dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe | WScript.exe
  PID 1072 wrote to memory of 1812 | 1072 | dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe | WScript.exe
  PID 1072 wrote to memory of 1536 | 1072 | dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe | WScript.exe
  PID 1072 wrote to memory of 1536 | 1072 | dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe | WScript.exe
  PID 1072 wrote to memory of 1536 | 1072 | dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe | WScript.exe
  PID 1072 wrote to memory of 1536 | 1072 | dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe | WScript.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fgfjlwu.vbs"
  - Level 2: C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\shhqttdd.vbs"
    - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\fgfjlwu.vbs
  MD5: 659c37cf26a1cacfdddd3f6825fa4e90
  SHA1: c78b4d148126ccac0ad3116b356a3170f674c343
  SHA256: 0c2e8d25fe726c9fd77f70ca1c31d051c84f196a276d8419fd9afdcef12b8732
  SHA512: 056ec4eba7ffa96fa50fbcac40f763b79fc567077853d434c4ac3a86980e72299382d62bdc210354652f9c7330cb571a9ac10189d7349b2aea40e2f45498fb09
- C:\Users\Admin\AppData\Local\Temp\shhqttdd.vbs
  MD5: f541b7297a1718b237a840ed1d783d7e
  SHA1: 4d4d33cf0934c8b67db52f923cdd90d6c6af6fd2
  SHA256: ff7bd6ddaefa92ef8a4d2c6dcf61421ceddb2ab8d9deb648e5d75994fa52c5d3
  SHA512: 5c758149fd1d0ebbbd87ee4cdb9c930892f0194d7d9ccb0a17b365f820a6da4280b8a5ebc0b228be4ec0ffd02fe5011e0677c517d0429ce8ed4e15224446a0e3
- memory/1072-53-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB
- memory/1072-54-0x0000000077850000-0x0000000077852000-memory.dmp
  Filesize: 8KB
- memory/1072-55-0x0000000001280000-0x00000000018EE000-memory.dmp
  Filesize: 6.4MB
- memory/1072-56-0x0000000001280000-0x00000000018EE000-memory.dmp
  Filesize: 6.4MB
- memory/1072-57-0x0000000001280000-0x00000000018EE000-memory.dmp
  Filesize: 6.4MB