Analysis
- max time kernel: 118s
- max time network: 131s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 15-02-2022 04:51

Static task: static1
Behavioral task: behavioral1
- Sample: f111930e062e49c9147f1fb3c078ca745c19a05c2f72396753ff0bddf521fc67.exe
- Resource: win7-en-20211208

General
- Target: f111930e062e49c9147f1fb3c078ca745c19a05c2f72396753ff0bddf521fc67.exe
- Size: 5.8MB
- MD5: 06cf336ef24ea048430e0942112eec57
- SHA1: 2a840ddcffac74700807b9cdfe6069ad9de95b4b
- SHA256: f111930e062e49c9147f1fb3c078ca745c19a05c2f72396753ff0bddf521fc67
- SHA512: e69388825397acb2f7c470f4dedcd19cf4451b9f8b25660e99d9c926f7f0c1aef0e987fa86bde70890a7999d60f5249a38eea0cdfce95132e6c80fa02a52ef19
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Blocklisted process makes network request (4 IoCs)
  Processes:
    flow  pid   process
    13    1920  WScript.exe
    14    1920  WScript.exe
    15    1920  WScript.exe
    16    1920  WScript.exe
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    1292  arlinevp.exe
    1800  nebris.exe
    1816  IntelRapid.exe
- Checks BIOS information in registry (2 TTPs, 6 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                             process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   nebris.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  arlinevp.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   arlinevp.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  IntelRapid.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   IntelRapid.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  nebris.exe
- Drops startup file (1 IoCs)
  Processes:
    description   ioc                                                                                        process
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk  nebris.exe
- Loads dropped DLL (9 IoCs)
  Processes:
    pid   process                                                                loads
    1480  f111930e062e49c9147f1fb3c078ca745c19a05c2f72396753ff0bddf521fc67.exe  4
    1292  arlinevp.exe                                                           2
    1800  nebris.exe                                                             3
- YARA rule match: themida
  The same rule fires on each dropped executable on disk (listed by the report both with and without the drive letter) and on their mapped images in memory. A match for a rule named "themida" on all three binaries indicates they are protected with the Themida/WinLicense packer, which is consistent with the NtSetInformationThreadHideFromDebugger, BIOS and processor checks recorded further down, all of which are standard anti-analysis behaviour of protected binaries rather than necessarily the author's own code.
  Processes:
    resource                                                            yara_rule
    C:\Users\Admin\AppData\Local\Temp\farleu\arlinevp.exe               themida
    C:\Users\Admin\AppData\Local\Temp\farleu\nebris.exe                 themida
    C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe           themida
    behavioral1/memory/1292-65-0x00000000009F0000-0x000000000105B000-memory.dmp  themida
    behavioral1/memory/1292-66-0x00000000009F0000-0x000000000105B000-memory.dmp  themida
    behavioral1/memory/1292-68-0x00000000009F0000-0x000000000105B000-memory.dmp  themida
    behavioral1/memory/1292-70-0x00000000009F0000-0x000000000105B000-memory.dmp  themida
    behavioral1/memory/1800-67-0x000000013F5D0000-0x000000013FE8F000-memory.dmp  themida
    behavioral1/memory/1800-69-0x000000013F5D0000-0x000000013FE8F000-memory.dmp  themida
    behavioral1/memory/1816-79-0x000000013FDB0000-0x000000014066F000-memory.dmp  themida
    behavioral1/memory/1816-80-0x000000013FDB0000-0x000000014066F000-memory.dmp  themida
- Checks whether UAC is enabled (3 IoCs)
  Processes:
    description        ioc                                                                        process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  arlinevp.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  nebris.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  IntelRapid.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    4     ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  Processes:
    pid   process
    1292  arlinevp.exe
    1800  nebris.exe
    1816  IntelRapid.exe
- Drops file in Program Files directory (3 IoCs)
  Processes:
    description   ioc                                                process
    File created  C:\Program Files (x86)\foler\olader\acppage.dll    f111930e062e49c9147f1fb3c078ca745c19a05c2f72396753ff0bddf521fc67.exe
    File created  C:\Program Files (x86)\foler\olader\adprovider.dll f111930e062e49c9147f1fb3c078ca745c19a05c2f72396753ff0bddf521fc67.exe
    File created  C:\Program Files (x86)\foler\olader\acledit.dll    f111930e062e49c9147f1fb3c078ca745c19a05c2f72396753ff0bddf521fc67.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but nothing else in this report (no mass file writes, no renamed or encrypted user files, no ransom note) supports that reading for this sample.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                           process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     arlinevp.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  arlinevp.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
    pid   process
    1816  IntelRapid.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    1292  arlinevp.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (each row summarises the report's repeated "PID X wrote to memory of Y" entries):
    source pid  source process                                                         target pid  target process  writes
    1480        f111930e062e49c9147f1fb3c078ca745c19a05c2f72396753ff0bddf521fc67.exe  1292        arlinevp.exe    7
    1480        f111930e062e49c9147f1fb3c078ca745c19a05c2f72396753ff0bddf521fc67.exe  1800        nebris.exe      4
    1800        nebris.exe                                                             1816        IntelRapid.exe  3
    1292        arlinevp.exe                                                           1172        WScript.exe     7
    1292        arlinevp.exe                                                           1920        WScript.exe     7
Processes
1. C:\Users\Admin\AppData\Local\Temp\f111930e062e49c9147f1fb3c078ca745c19a05c2f72396753ff0bddf521fc67.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f111930e062e49c9147f1fb3c078ca745c19a05c2f72396753ff0bddf521fc67.exe"
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\farleu\arlinevp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\farleu\arlinevp.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mampvpi.vbs"
      3. C:\Windows\SysWOW64\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qxspkfskf.vbs"
         - Blocklisted process makes network request
      Both script-host command lines name System32\WScript.exe, yet the image that ran is SysWOW64\WScript.exe. That is WoW64 file-system redirection: the parent arlinevp.exe is a 32-bit process (its image is mapped at 0x9F0000, below the 4GB boundary, whereas nebris.exe and IntelRapid.exe are mapped at 0x13F5D0000 and 0x13FDB0000, the usual x64 image-base range). Detection rules keyed on the script host's image path need to match both System32 and SysWOW64.
   2. C:\Users\Admin\AppData\Local\Temp\farleu\nebris.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\farleu\nebris.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Drops startup file
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
         - Executes dropped EXE
         - Checks BIOS information in registry
         - Checks whether UAC is enabled
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious behavior: AddClipboardFormatListener
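The tree above is the part of the report most directly usable for detection: a Temp-resident executable spawns WScript.exe on .vbs files in Temp, and one of those script hosts then talks to ip-api.com. The following Python is an added example, not part of the report: it rebuilds the parent chain from Sysmon-style process-creation and network events and flags both behaviours. The events are constructed from the PIDs, image paths and command lines in the report; the explorer.exe parent of the initial process and the record layout are assumptions.

```python
import ntpath
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROOT = TEMP + r"\f111930e062e49c9147f1fb3c078ca745c19a05c2f72396753ff0bddf521fc67.exe"
ARLINEVP = TEMP + r"\farleu\arlinevp.exe"
NEBRIS = TEMP + r"\farleu\nebris.exe"
INTELRAPID = r"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
WSCRIPT32 = r"C:\Windows\SysWOW64\WScript.exe"


def q(path):
    """Quote a path the way the report shows it on the command line."""
    return '"' + path + '"'


# Constructed events mirroring the report's process tree. PID 1000 as the
# explorer.exe parent of the initial process is an assumption.
EVENTS = [
    {"type": "create", "pid": 1000, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "create", "pid": 1480, "ppid": 1000, "image": ROOT, "cmdline": q(ROOT)},
    {"type": "create", "pid": 1292, "ppid": 1480, "image": ARLINEVP, "cmdline": q(ARLINEVP)},
    {"type": "create", "pid": 1800, "ppid": 1480, "image": NEBRIS, "cmdline": q(NEBRIS)},
    {"type": "create", "pid": 1816, "ppid": 1800, "image": INTELRAPID, "cmdline": q(INTELRAPID)},
    {"type": "create", "pid": 1172, "ppid": 1292, "image": WSCRIPT32,
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mampvpi.vbs"'},
    {"type": "create", "pid": 1920, "ppid": 1292, "image": WSCRIPT32,
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qxspkfskf.vbs"'},
    {"type": "network", "pid": 1920, "dest": "ip-api.com", "port": 80},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A script file under the user's Temp directory handed to a script host.
TEMP_SCRIPT = re.compile(r"\\AppData\\Local\\Temp\\[^\"]+\.(?:vbs|vbe|js|jse|wsf)\b", re.I)


def build_tree(events):
    """Map pid -> (ppid, image) from process-creation events."""
    return {e["pid"]: (e["ppid"], e["image"]) for e in events if e["type"] == "create"}


def ancestry(tree, pid):
    """Image basenames from the root of the tree down to pid."""
    chain = []
    while pid in tree:
        ppid, image = tree[pid]
        chain.append(ntpath.basename(image))
        pid = ppid
    return chain[::-1]


def detect(events):
    """Return (rule, pid, detail) tuples for the two behaviours the report flags."""
    tree = build_tree(events)
    findings = []
    for e in events:
        pid = e["pid"]
        # Match on the image that actually ran, so SysWOW64 and System32 both count.
        image = ntpath.basename(tree.get(pid, (0, ""))[1]).lower()
        if e["type"] == "create" and image in SCRIPT_HOSTS and TEMP_SCRIPT.search(e["cmdline"]):
            findings.append(("script_host_runs_temp_script", pid, " > ".join(ancestry(tree, pid))))
        if e["type"] == "network" and image in SCRIPT_HOSTS:
            findings.append(("script_host_network", pid, e["dest"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:30} pid={pid} {detail}")
```

Keying the rules on the image recorded in the creation event rather than on the command line is what makes the SysWOW64 case above work; the ancestry string gives the responder the full drop chain without a second query.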
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
Each dropped file is listed once below; the report repeats the same path with and without the drive letter, and every repeated entry carries identical hashes. Note that the IntelRapid.exe copied into the Roaming profile has the same SHA512 as farleu\nebris.exe, so the Startup-folder persistence launches a byte-identical copy of nebris.exe under a name chosen to look like an Intel driver component.

- C:\Users\Admin\AppData\Local\Temp\farleu\arlinevp.exe
  MD5: a287d97f20d4608c53d2bc5e9d64b94d
  SHA1: b3a444db0d000a7905987dc445ecfee9bb3990fc
  SHA256: 41a98f1b2ee8d81ec81b8cc9433424a8f7f9f9e513f8bcaab7a7ba1c522313d8
  SHA512: 1a2324eaff128cc6d62686b565bb108b6b4aeab12d662d329ffcc327eac812958b48b8e0b6dc07f1fc3f30597775074db14f6ec556b34a6c8d75810281ac4260
- C:\Users\Admin\AppData\Local\Temp\farleu\nebris.exe
  MD5: 43e7b1394b43cc9c8a13dc0676170559
  SHA1: c4b03f3af66d75607014440ba83a1fcbf985b924
  SHA256: d601b5b83695cb9fb5b86cfd176a3457376e9d73e252b71429806593a9589de4
  SHA512: 020b59329ddbf35197faae13de00b7e6ef9ef29923f63a538d5b9b74f19125ad4a4ef53dd35349e21783f61557f247919e9a5bc85ae743961827efe2692aadca
- C:\Users\Admin\AppData\Local\Temp\mampvpi.vbs
  MD5: 10801c6db3ff4e05c736824e95955905
  SHA1: ed92c7fc06af0f3c986b65b067e9383d9d809d10
  SHA256: 498d663e7273ade136fad778484a725dec62f2dfbf23bb2dde08d456d0a1829e
  SHA512: be2e26074152a4106193b3d19082cc03a1bbdc94fa565f7a6f69be133ebfc4f85c2fa74301949626e1eee74a773790eb8f1e2db41cd93b9922afe97db43e8fc5
- C:\Users\Admin\AppData\Local\Temp\qxspkfskf.vbs
  MD5: 80a395f0433d919b9a769be7129fdb28
  SHA1: f41aa9f6fc4b59ca71478aad3d06de93787a7a9f
  SHA256: 9de1319adbaad636b7a49ce8e93cb3bc86fd95e472638cee47ca70ca82b7cf9b
  SHA512: 93b7ace5ef2b37ebad9f1a64a5e6d4552c33b4b4938c9b0622ed3b03b935e31147b1e6d253645f8ef879b3e8e3189e5a41ee86102b901ec4db6e03ed075d6374
- C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe (identical to farleu\nebris.exe)
  MD5: 43e7b1394b43cc9c8a13dc0676170559
  SHA1: c4b03f3af66d75607014440ba83a1fcbf985b924
  SHA256: d601b5b83695cb9fb5b86cfd176a3457376e9d73e252b71429806593a9589de4
  SHA512: 020b59329ddbf35197faae13de00b7e6ef9ef29923f63a538d5b9b74f19125ad4a4ef53dd35349e21783f61557f247919e9a5bc85ae743961827efe2692aadca
- \Users\Admin\AppData\Local\Temp\nstF29A.tmp\UAC.dll
  MD5: adb29e6b186daa765dc750128649b63d
  SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
  SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
  SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
  An ns*.tmp directory under Temp is where NSIS installers unpack their plugin DLLs, and UAC.dll is the file name of the NSIS UAC plugin. This suggests the 5.8MB sample is an NSIS-built dropper, which fits the "Loads dropped DLL" events on the parent process and the lack of a YARA match on the parent itself.
-
Memory dumps
  dump                                                               size
  memory/1292-65-0x00000000009F0000-0x000000000105B000-memory.dmp    6.4MB
  memory/1292-66-0x00000000009F0000-0x000000000105B000-memory.dmp    6.4MB
  memory/1292-68-0x00000000009F0000-0x000000000105B000-memory.dmp    6.4MB
  memory/1292-70-0x00000000009F0000-0x000000000105B000-memory.dmp    6.4MB
  memory/1292-74-0x0000000077CD0000-0x0000000077CD2000-memory.dmp    8KB
  memory/1480-54-0x0000000075D51000-0x0000000075D53000-memory.dmp    8KB
  memory/1800-67-0x000000013F5D0000-0x000000013FE8F000-memory.dmp    8.7MB
  memory/1800-69-0x000000013F5D0000-0x000000013FE8F000-memory.dmp    8.7MB
  memory/1800-72-0x000007FEFC501000-0x000007FEFC503000-memory.dmp    8KB
  memory/1800-73-0x0000000077B30000-0x0000000077B32000-memory.dmp    8KB
  memory/1816-79-0x000000013FDB0000-0x000000014066F000-memory.dmp    8.7MB
  memory/1816-80-0x000000013FDB0000-0x000000014066F000-memory.dmp    8.7MB
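Reports like this one are normally consumed by pulling the dropped-file hashes into a blocklist, and the extracted page carries them in a flattened form (path run into the "MD5" label, later labels run into their values, the same file repeated with and without a drive letter). The following Python is an added example, not from the report: it parses that form, validates hash lengths so a truncated value cannot silently enter an IoC set, collapses the duplicate paths, and groups files by SHA256 so that renamed copies of one binary (nebris.exe and IntelRapid.exe here) show up together. The excerpt is constructed from four of the page's own entries; treating a path without a drive letter as the C: path is an assumption the page supports, since the repeated entries hash identically.

```python
import re
from collections import defaultdict

# Expected hex length per algorithm; anything else is a truncated or mis-split value.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(SHA512|SHA256|SHA1)([0-9a-fA-F]+)$")

# Constructed excerpt in the flattened form the extracted page carries.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\farleu\nebris.exeMD5
43e7b1394b43cc9c8a13dc0676170559
SHA1c4b03f3af66d75607014440ba83a1fcbf985b924
SHA256d601b5b83695cb9fb5b86cfd176a3457376e9d73e252b71429806593a9589de4
-
\Users\Admin\AppData\Local\Temp\farleu\nebris.exeMD5
43e7b1394b43cc9c8a13dc0676170559
SHA1c4b03f3af66d75607014440ba83a1fcbf985b924
SHA256d601b5b83695cb9fb5b86cfd176a3457376e9d73e252b71429806593a9589de4
-
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exeMD5
43e7b1394b43cc9c8a13dc0676170559
SHA1c4b03f3af66d75607014440ba83a1fcbf985b924
SHA256d601b5b83695cb9fb5b86cfd176a3457376e9d73e252b71429806593a9589de4
-
C:\Users\Admin\AppData\Local\Temp\farleu\arlinevp.exeMD5
a287d97f20d4608c53d2bc5e9d64b94d
SHA1b3a444db0d000a7905987dc445ecfee9bb3990fc
SHA25641a98f1b2ee8d81ec81b8cc9433424a8f7f9f9e513f8bcaab7a7ba1c522313d8
"""


def normalize(path):
    """The page lists the same file with and without the drive letter (assumed C:)."""
    return "C:" + path if path.startswith("\\") else path


def parse_downloads(text):
    """Turn the flattened entries into dicts keyed by 'path' and algorithm name."""
    records, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if line.endswith("MD5"):
            # Entry header: path fused with the MD5 label; the MD5 value is on the next line.
            current = {"path": normalize(line[:-3]), "MD5": next(lines).strip().lower()}
            records.append(current)
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).lower()
    for rec in records:
        for algo, length in HASH_LEN.items():
            if algo in rec and len(rec[algo]) != length:
                raise ValueError(f"{rec['path']}: {algo} has {len(rec[algo])} hex digits, expected {length}")
    return records


def dedupe(records):
    """Keep one record per path (case-insensitive), the first one seen."""
    seen, unique = set(), []
    for rec in records:
        key = rec["path"].lower()
        if key not in seen:
            seen.add(key)
            unique.append(rec)
    return unique


def by_sha256(records):
    """Group paths by SHA256 so copies of one binary under different names show up together."""
    groups = defaultdict(set)
    for rec in records:
        groups[rec["SHA256"]].add(rec["path"])
    return {digest: sorted(paths) for digest, paths in groups.items()}


if __name__ == "__main__":
    unique = dedupe(parse_downloads(REPORT_EXCERPT))
    for digest, paths in by_sha256(unique).items():
        print(digest, *paths, sep="\n  ")
```

The length check matters more than it looks: a SHA256 that lost its last digit in extraction would never match anything, and a blocklist that silently accepts it gives false assurance.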