Analysis

max time kernel: 117s
max time network: 126s
platform: windows7_x64
resource: win7-en-20211208
submitted: 15-02-2022 04:48

Static task: static1
Behavioral task: behavioral1
Sample: f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe
Resource: win7-en-20211208
General

Target: f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe
Size: 2.6MB
MD5: fda089a638a02b64c5175fbed3e4918b
SHA1: eef6c75a650b5d1f2f34b988fc88ceb328312c15
SHA256: f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f
SHA512: 7a9d15d37fa40898b49015f457546439a61ba7ba644b082d1c6bd0f10a6a7fded631937e255839beadf966c6577650f30601333bbb852a1a9625d1e561355c96
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]

Blocklisted process makes network request [4 IoCs]
Processes:
  flow  pid   process
  13    1364  WScript.exe
  14    1364  WScript.exe
  15    1364  WScript.exe
  16    1364  WScript.exe

Checks BIOS information in registry [2 TTPs, 2 IoCs]
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                               process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe

YARA rule matches (rule: themida)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1672-56-0x00000000008A0000-0x0000000000F61000-memory.dmp  themida
  behavioral1/memory/1672-57-0x00000000008A0000-0x0000000000F61000-memory.dmp  themida
  behavioral1/memory/1672-58-0x00000000008A0000-0x0000000000F61000-memory.dmp  themida
Checks whether UAC is enabled
Processes:
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe
Legitimate hosting services abused for malware hosting/C2 [1 TTPs]

Looks up external IP address via web service [1 IoCs]
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  4     ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoCs]
Processes:
  pid   process
  1672  f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe
Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s). Drive enumeration is common in ransomware ahead of encryption, but it is also used by anti-VM checks and information gathering; on its own, without the file writes or encryption activity that this report does not show, it does not establish ransomware behaviour.
Checks processor information in registry [2 TTPs, 2 IoCs]
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                              process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe

Suspicious behavior: EnumeratesProcesses [1 IoCs]
Processes:
  pid   process
  1672  f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe

Suspicious use of WriteProcessMemory [8 IoCs]
Processes:
  description                     pid   process                                                                target process
  PID 1672 wrote to memory of 976   1672  f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe  WScript.exe
  PID 1672 wrote to memory of 976   1672  f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe  WScript.exe
  PID 1672 wrote to memory of 976   1672  f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe  WScript.exe
  PID 1672 wrote to memory of 976   1672  f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe  WScript.exe
  PID 1672 wrote to memory of 1364  1672  f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe  WScript.exe
  PID 1672 wrote to memory of 1364  1672  f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe  WScript.exe
  PID 1672 wrote to memory of 1364  1672  f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe  WScript.exe
  PID 1672 wrote to memory of 1364  1672  f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe  WScript.exe
All eight writes target the two WScript.exe children the sample itself spawned, a fixed four per child. A small fixed number of writes by a parent into a child it has just created is also what ordinary process start-up looks like, so this signature alone does not show code injection; treat it as injection only if dumps show new executable regions in the child, and this report lists memory regions for PID 1672 only.
Processes

C:\Users\Admin\AppData\Local\Temp\f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe  (depth 1, PID 1672)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe  (depth 2, PID 976)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\euomdaxd.vbs"

  C:\Windows\SysWOW64\WScript.exe  (depth 2, PID 1364)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aqlolcf.vbs"
    - Blocklisted process makes network request

Note: both command lines name C:\Windows\System32\WScript.exe, but the image that actually runs is C:\Windows\SysWOW64\WScript.exe. That is WoW64 file-system redirection: a 32-bit process on 64-bit Windows that opens System32 is redirected to SysWOW64, so the sample is a 32-bit executable and both script hosts run as 32-bit processes. The two scripts are dropped under the user's %TEMP% with non-descriptive names (their hashes are listed under Downloads); only the second one, aqlolcf.vbs, produces the network requests.
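The signatures and process tree above amount to four behaviours an analyst would want to re-derive from raw events rather than trust as labels: hardware-fingerprint registry reads (SystemBiosVersion, VideoBiosVersion, ProcessorNameString), the EnableLUA query, a parent writing into script-host children it spawned, and a script host running a file from %TEMP% that then contacts an external-IP lookup service. The Python below is an added example and is not the sandbox's own code. Its EVENTS list is constructed from the report's signatures (it is not a raw export), and IP_LOOKUP_HOSTS is an assumed list of public lookup services beyond the one the report shows.

```python
"""Triage of the behavioural events listed in the report above.

Added example; this is not the sandbox's own code. EVENTS is CONSTRUCTED from
the report's signatures (registry reads by PID 1672, WriteProcessMemory into
the two WScript.exe children, their command lines, the ip-api.com lookup); it
is not a raw export of the report. IP_LOOKUP_HOSTS is an assumed list.
"""
import re
from collections import Counter, defaultdict

# Hardware-description values whose string contents identify a VM or sandbox.
# Keys are the path after \REGISTRY\MACHINE\, lower-cased.
FINGERPRINT_KEYS = {
    r"hardware\description\system\systembiosversion": "BIOS version string",
    r"hardware\description\system\videobiosversion": "video BIOS version string",
    r"hardware\description\system\centralprocessor\0\processornamestring": "CPU name string",
}
UAC_KEY = r"software\microsoft\windows\currentversion\policies\system\enablelua"
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "icanhazip.com", "checkip.dyndns.org"}  # assumed
SCRIPT_HOST_RE = re.compile(r'"?(?:[^"]+?\\)?(wscript|cscript)\.exe"?\s+"?([^"]+)"?', re.I)
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

# Constructed events: (pid, kind, payload); kind is regquery | wpm | proc | dns.
EVENTS = [
    (1672, "regquery", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (1672, "regquery", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (1672, "regquery", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    (1672, "regquery", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    *[(1672, "wpm", 976)] * 4,
    *[(1672, "wpm", 1364)] * 4,
    (976, "proc", r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\euomdaxd.vbs"'),
    (1364, "proc", r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aqlolcf.vbs"'),
    (1364, "dns", "ip-api.com"),
]


def _hklm_path(raw):
    """Normalise '\\REGISTRY\\MACHINE\\X' to lower-case 'x'; None if not under HKLM."""
    m = re.match(r"^\\REGISTRY\\MACHINE\\(.+)$", raw, re.I)
    return m.group(1).lower() if m else None


def fingerprint_reads(events):
    """{pid: [label, ...]} for reads of hardware-description fingerprint values."""
    hits = defaultdict(list)
    for pid, kind, payload in events:
        if kind == "regquery" and _hklm_path(payload) in FINGERPRINT_KEYS:
            hits[pid].append(FINGERPRINT_KEYS[_hklm_path(payload)])
    return dict(hits)


def checks_uac(events):
    """PIDs that queried the EnableLUA policy value."""
    return {pid for pid, kind, p in events if kind == "regquery" and _hklm_path(p) == UAC_KEY}


def write_targets(events):
    """{writer_pid: {target_pid: write_count}} for WriteProcessMemory events.
    A small fixed count into a freshly spawned child is ordinary start-up; only
    new executable regions in the child would make this injection."""
    out = defaultdict(Counter)
    for pid, kind, target in events:
        if kind == "wpm":
            out[pid][target] += 1
    return {k: dict(v) for k, v in out.items()}


def temp_script_hosts(events):
    """(pid, script path) for wscript/cscript runs whose script lives under %TEMP%."""
    found = []
    for pid, kind, cmd in events:
        m = SCRIPT_HOST_RE.match(cmd) if kind == "proc" else None
        if not m:
            continue
        script = m.group(2)
        if script.lower().endswith(SCRIPT_EXTS) and re.search(r"\\appdata\\local\\temp\\", script, re.I):
            found.append((pid, script))
    return found


def ip_lookup_contacts(events):
    """{pid: host} for DNS lookups of public external-IP services."""
    return {pid: host for pid, kind, host in events if kind == "dns" and host.lower() in IP_LOOKUP_HOSTS}


def findings(events):
    """Human-readable findings, one line per confirmed behaviour."""
    out = []
    for pid, labels in fingerprint_reads(events).items():
        out.append(f"PID {pid} read {len(labels)} hardware fingerprint value(s): {', '.join(labels)} (VM/sandbox check)")
    for pid in sorted(checks_uac(events)):
        out.append(f"PID {pid} queried EnableLUA (UAC state)")
    for pid, script in temp_script_hosts(events):
        out.append(f"PID {pid} runs a script host on {script}")
    for pid, host in ip_lookup_contacts(events).items():
        out.append(f"PID {pid} looked up its external IP via {host}")
    return out


if __name__ == "__main__":
    for line in findings(EVENTS):
        print(line)
    print("WriteProcessMemory targets:", write_targets(EVENTS))
```

Running it reproduces the report's five behaviour lines and the 4+4 write pattern into PIDs 976 and 1364; the same functions run unchanged over a real event export once it is mapped to (pid, kind, payload) tuples, and the negative case (a script host started from Program Files rather than %TEMP%) is not flagged.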
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\aqlolcf.vbs
  MD5:    5b4664d8f8e2fc265a4c5125ac1a73c5
  SHA1:   f4f029984a529eb61f256c751ff9f60365c67fe3
  SHA256: 973c174c7b1ecc2459f8744d59d9ddf26a0d36e5344d0965f98be99070d79c8e
  SHA512: 00ff1576ad542bb1a6526634aaa3ff1a02633dad1fb59b634d1305aaf5098bc1a8ea50f723274e042cb3677b639c85b9032ea9c81ba0a010cad3af2afa7f697b

C:\Users\Admin\AppData\Local\Temp\euomdaxd.vbs
  MD5:    f3862ac6032672613e2f4bd737b4dec4
  SHA1:   49b6089d9aa48a7b8e7e5d172f6e9baab64c9846
  SHA256: d3e35f9974a26413e2e60d44b06cc908b9a7044777d8df8ad4fb6af7a1b499d6
  SHA512: a9c00d6406c867830789a926071d0f60ee5f221e46964d187ac91232f27b971d43c40536bfb753ca4f4e680b95f78e4eb059e3923fd83f80fc889b5ad7c7c10e

Memory dumps (all from PID 1672):
  memory/1672-54-0x0000000075341000-0x0000000075343000-memory.dmp  Filesize: 8KB
  memory/1672-55-0x0000000077440000-0x0000000077442000-memory.dmp  Filesize: 8KB
  memory/1672-56-0x00000000008A0000-0x0000000000F61000-memory.dmp  Filesize: 6.8MB
  memory/1672-57-0x00000000008A0000-0x0000000000F61000-memory.dmp  Filesize: 6.8MB
  memory/1672-58-0x00000000008A0000-0x0000000000F61000-memory.dmp  Filesize: 6.8MB
The three 6.8MB dumps cover the same 0x008A0000-0x00F61000 region at three points in time; these are the dumps the themida YARA rule matched under Signatures.