Analysis
- max time kernel: 118s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 15-02-2022 07:16
- Static task: static1
- Behavioral task: behavioral1
- Sample: a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
- Resource: win7-en-20211208
General
- Target: a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
- Size: 3.1MB
- MD5: a04867c5f9d320599b65764601f975e2
- SHA1: 6a8377a8b63d8dbaa32c8595c899694a86c4a527
- SHA256: a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196
- SHA512: c908c0436a6d50a41f26e701f96d3e85fc23ae44c98ef747d6e21d50239c8d41930fea7aefd9178a07bd5372f180a0db0261252f4f7625660a158d207fc0c2f4
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Blocklisted process makes network request 4 IoCs
  Processes (flow, pid, process):
    13  1588  WScript.exe
    14  1588  WScript.exe
    15  1588  WScript.exe
    16  1588  WScript.exe
- Executes dropped EXE 2 IoCs
  Processes (pid, process):
    1916  clayer.exe
    268   forbarvp.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  forbarvp.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   forbarvp.exe
- Loads dropped DLL 9 IoCs
  Processes (pid, process, count):
    1600  a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe  4 loads
    1916  clayer.exe    3 loads
    268   forbarvp.exe  2 loads
- YARA rule match: themida (Themida/WinLicense packer) 8 IoCs
  Processes (resource, yara_rule):
    \Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe     themida  (3 entries)
    C:\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe   themida  (2 entries)
    behavioral1/memory/268-70-0x0000000000BE0000-0x00000000012AB000-memory.dmp  themida
    behavioral1/memory/268-71-0x0000000000BE0000-0x00000000012AB000-memory.dmp  themida
    behavioral1/memory/268-73-0x0000000000BE0000-0x00000000012AB000-memory.dmp  themida
  The rule hits on the dropped file on disk and on the same 6.8MB image region of PID 268 in memory, so the packer is still present at runtime rather than stripped after unpacking.
- Checks whether UAC is enabled 1 IoCs
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  forbarvp.exe
- Legitimate hosting services abused for malware hosting/C2 1 TTPs
- Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
    4  ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes (pid, process):
    268  forbarvp.exe
- Drops file in Program Files directory 3 IoCs
  Processes (description, ioc, process):
    File created  C:\Program Files (x86)\foler\olader\acppage.dll    a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
    File created  C:\Program Files (x86)\foler\olader\adprovider.dll  a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
    File created  C:\Program Files (x86)\foler\olader\acledit.dll     a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; nothing else in this report shows file encryption, so treat the ransomware attribution as unconfirmed.)
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      forbarvp.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  forbarvp.exe
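The BIOS, video BIOS, processor-name and EnableLUA reads that forbarvp.exe performs are the standard fingerprinting set: the first three reveal a hypervisor through vendor strings, the last tells the dropper whether it needs a UAC bypass. The classifier below is an added example, not part of this report or of the sample: it takes the report's own "Key value queried" IoC lines, maps each to the check it implements, and then shows what the same code would have found had the registry values been the ones a stock VirtualBox guest returns. The IoC lines are copied from the report; the values in CONSTRUCTED_VALUES are constructed for illustration and were not observed in this run.

```python
"""Classify sandbox registry-query IoCs as anti-analysis checks (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Registry value paths (suffix match, case-insensitive) that malware reads to
# fingerprint a VM/sandbox or to learn whether UAC is on. Paths are the ones
# listed in the report's signatures.
BIOS = r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion"
VIDEO_BIOS = r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion"
CPU_NAME = r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"
ENABLE_LUA = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"

ANTI_ANALYSIS_KEYS: Dict[str, str] = {
    BIOS: "bios fingerprint (anti-sandbox)",
    VIDEO_BIOS: "video bios fingerprint (anti-sandbox)",
    CPU_NAME: "cpu fingerprint (anti-sandbox)",
    ENABLE_LUA: "uac status check",
}

# Vendor strings that give a hypervisor away inside those values (assumption:
# the usual markers, compared case-insensitively).
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "XEN", "HYPER-V", "KVM", "BOCHS")

# Format of one IoC line in the report: "Key value queried <path> <process>".
IOC_RE = re.compile(r"^Key (?:value queried|opened)\s+(\S+)\s+(\S+)$")


@dataclass
class Finding:
    process: str
    key: str
    category: str
    vm_marker: Optional[str]  # marker found in the value, if any


def classify(ioc_lines: List[str], values: Dict[str, str]) -> List[Finding]:
    """Map each registry-query IoC line to the anti-analysis check it implements."""
    findings: List[Finding] = []
    for line in ioc_lines:
        m = IOC_RE.match(line.strip())
        if not m:
            continue
        path, proc = m.groups()
        for suffix, category in ANTI_ANALYSIS_KEYS.items():
            if path.upper().endswith(suffix.upper()):
                value = str(values.get(suffix, "")).upper()
                marker = next((mk for mk in VM_MARKERS if mk in value), None)
                findings.append(Finding(proc, path, category, marker))
    return findings


def verdict(findings: List[Finding]) -> Dict[str, bool]:
    """Summarise: does the sample fingerprint the box, check UAC, and would it spot the VM?"""
    cats = {f.category for f in findings}
    return {
        "anti_sandbox": any("anti-sandbox" in c for c in cats),
        "uac_check": any("uac" in c for c in cats),
        "would_detect_vm": any(f.vm_marker for f in findings),
    }


# IoC lines copied from the report's signature tables.
REPORT_IOCS = [
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion forbarvp.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion forbarvp.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 forbarvp.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString forbarvp.exe",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA forbarvp.exe",
]

# CONSTRUCTED values: what an unhardened VirtualBox guest typically returns.
# The report does not show the values the sample actually read.
CONSTRUCTED_VALUES = {
    BIOS: "VBOX   - 1",
    VIDEO_BIOS: "Oracle VM VirtualBox Version 6.1.30",
    CPU_NAME: "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    ENABLE_LUA: "1",
}

if __name__ == "__main__":
    found = classify(REPORT_IOCS, CONSTRUCTED_VALUES)
    for f in found:
        print(f"{f.process}: {f.category:<40} {f.key}  marker={f.vm_marker}")
    print(verdict(found))
```

The processor-name value on its own is not a VM tell (the constructed one is a plain Intel string), which is why the sample pairs it with the two BIOS values; a sandbox that patches only SystemBiosVersion but leaves VideoBiosVersion at the VirtualBox default still fails this check.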
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes (pid, process):
    1916  clayer.exe
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes (pid, process):
    268  forbarvp.exe
- Suspicious use of FindShellTrayWindow 64 IoCs
  Processes (pid, process, count):
    1916  clayer.exe  64 calls (the report lists the same pid/process pair 64 times)
- Suspicious use of SendNotifyMessage 64 IoCs
  Processes (pid, process, count):
    1916  clayer.exe  64 calls (the report lists the same pid/process pair 64 times)
- Suspicious use of WriteProcessMemory 28 IoCs
  Processes (source pid -> target pid, source process -> target process, count):
    1600 -> 1916  a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe -> clayer.exe    7 writes
    1600 -> 268   a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe -> forbarvp.exe  7 writes
    268  -> 1784  forbarvp.exe -> WScript.exe  7 writes
    268  -> 1588  forbarvp.exe -> WScript.exe  7 writes
Processes
- C:\Users\Admin\AppData\Local\Temp\a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe (PID 1600, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hempen\clayer.exe (PID 1916, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hempen\clayer.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe (PID 268, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WScript.exe (PID 1784, level 3)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cpyaxsd.vbs"
    - C:\Windows\SysWOW64\WScript.exe (PID 1588, level 3)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pooajhl.vbs"
      - Blocklisted process makes network request
  PIDs are taken from the signature tables above. The network signature attributes flows 13-16 to PID 1588, and the tree marks the pooajhl.vbs instance as the one making network requests, so 1588 is the pooajhl.vbs host and 1784 the cpyaxsd.vbs host. The image path is SysWOW64 while the command line names System32 because the 32-bit parent is subject to WOW64 file system redirection.
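The process tree above has to be reassembled from two flat tables: the WriteProcessMemory records give parent-child edges, and the network signature gives flows per PID. The script below is an added example (not part of the report or of any sandbox tooling) that parses both, rebuilds the tree, and applies the detection logic a SOC would write for this pattern: a script host whose parent runs from the user's Temp directory, whose script also lives in Temp, and which opens network connections. The edge and flow records are copied from the report; the command lines come from the tree, and pairing PID 1588 with pooajhl.vbs and 1784 with cpyaxsd.vbs follows the network attribution noted above.

```python
"""Rebuild a sandbox process tree and flag script-host abuse (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Record shape: "PID <src> wrote to memory of <dst> <src> <src_name> <dst_name>"
EDGE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
# Record shape of the network signature table: "<flow> <pid> <process>"
FLOW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")
# First script-file argument on a script host command line.
SCRIPT_RE = re.compile(r'"?([^"\s]+\.(?:vbs|vbe|js|jse|wsf|wsh))"?', re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Copied from the report (each distinct edge once; the report repeats each 7 times).
WPM_TEXT = """
PID 1600 wrote to memory of 1916 1600 a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe clayer.exe
PID 1600 wrote to memory of 268 1600 a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe forbarvp.exe
PID 268 wrote to memory of 1784 268 forbarvp.exe WScript.exe
PID 268 wrote to memory of 1588 268 forbarvp.exe WScript.exe
"""
FLOW_LINES = ["13 1588 WScript.exe", "14 1588 WScript.exe", "15 1588 WScript.exe", "16 1588 WScript.exe"]

# Command lines from the report's process tree. Which WScript.exe got which
# PID is inferred (1588 is the instance the report ties to the network flows).
CMDLINES: Dict[int, str] = {
    1600: r'"C:\Users\Admin\AppData\Local\Temp\a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe"',
    1916: r'"C:\Users\Admin\AppData\Local\Temp\hempen\clayer.exe"',
    268: r'"C:\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe"',
    1784: r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cpyaxsd.vbs"',
    1588: r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pooajhl.vbs"',
}


def parse_edges(text: str) -> Dict[int, Tuple[int, str, str]]:
    """Return {child_pid: (parent_pid, parent_name, child_name)}, deduplicated."""
    edges = {}
    for src, dst, src_name, dst_name in EDGE_RE.findall(text):
        edges[int(dst)] = (int(src), src_name, dst_name)
    return edges


def parse_flows(lines: List[str]) -> Dict[int, Set[int]]:
    """Return {pid: {flow ids}} from the network signature table."""
    flows: Dict[int, Set[int]] = defaultdict(set)
    for line in lines:
        m = FLOW_RE.match(line)
        if m:
            flows[int(m.group(2))].add(int(m.group(1)))
    return dict(flows)


def in_user_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def script_argument(cmdline: str):
    """The script file handed to the script host, or None."""
    m = SCRIPT_RE.search(cmdline)
    return m.group(1) if m else None


def detect_script_host_abuse(edges, flows, cmdlines) -> List[dict]:
    """Alert on script hosts with at least two of: Temp parent, Temp script, network."""
    alerts = []
    for child, (parent, _parent_name, child_name) in edges.items():
        if child_name.lower() not in SCRIPT_HOSTS:
            continue
        reasons = []
        if in_user_temp(cmdlines.get(parent, "")):
            reasons.append("parent runs from user temp")
        script = script_argument(cmdlines.get(child, ""))
        if script and in_user_temp(script):
            reasons.append("script lives in user temp")
        if flows.get(child):
            reasons.append(f"{len(flows[child])} network flows")
        if len(reasons) >= 2:
            alerts.append({"pid": child, "parent": parent, "script": script, "reasons": reasons})
    return alerts


def render_tree(edges, cmdlines, root: int, depth: int = 0) -> List[str]:
    """Indented tree lines, children sorted by PID."""
    lines = [f"{'  ' * depth}{root} {cmdlines.get(root, '?')}"]
    for child, (parent, _, _) in sorted(edges.items()):
        if parent == root:
            lines.extend(render_tree(edges, cmdlines, child, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_edges(WPM_TEXT)
    print("\n".join(render_tree(edges, CMDLINES, 1600)))
    for alert in detect_script_host_abuse(edges, parse_flows(FLOW_LINES), CMDLINES):
        print(alert)
```

Both WScript.exe instances trip the rule on the parent and script locations alone; only PID 1588 adds the network reason, which is the instance to pull the .vbs for first (pooajhl.vbs in the Downloads list below). Requiring two reasons rather than one keeps legitimate installers that run a helper script from Temp, but never talk to the network, out of the alert queue.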
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Each dropped file is listed once below with its hashes; the original report repeats clayer.exe (7 entries) and forbarvp.exe (5 entries) once per load, under both C:\Users\... and \Users\... spellings, with identical hashes.
- C:\Users\Admin\AppData\Local\Temp\cpyaxsd.vbs
  MD5     efae82caeffabeeba25e327d1ade9b43
  SHA1    e23becfea9a76ecbbce5819e8caa962e15c2036b
  SHA256  6fc79d8e720d3461931d289d38a638dcc1b25f5d10ff73f146cdf8526a78510e
  SHA512  497cbeb95c212c682c3a2602615d30145ad51898f1aae92b06a6d79616ab9b8f26aef4215df284d8be787aef242d49950386fd425eff76cd7da8c58bf81ad9ce
- C:\Users\Admin\AppData\Local\Temp\hempen\clayer.exe (also listed as \Users\Admin\AppData\Local\Temp\hempen\clayer.exe)
  MD5     a9b07ab88765c14f3a37ddaa3548bbea
  SHA1    64e57975e760302e17ef0821e208d178035d0d1c
  SHA256  8f6ac9c6b7c5b8012b5d47f5d7a0d5dafe0ccd05c6f1d5de1bec2230bd4b1b17
  SHA512  eec12c491cbe959227ee064426206da47582a1d0168e9b4de8007068056d0052fc75bd2d792c3779860982c9b159168d9c807af5f40ff606d47c7130ccef2a33
- C:\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe (also listed as \Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe)
  MD5     db9f562738a4cd6adbfde0669264da02
  SHA1    350c4acbd7a7b26e3ef5d4aaaecf660c7a8a07d1
  SHA256  52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191
  SHA512  35b7d1f9f40e49563092c523a0a27554d22e8587e3378aea46711d20c155ac2746d24c19c15c7db3a915480e04ef738d6d19cac6a5ce1c6b881a506b2ee968e7
- C:\Users\Admin\AppData\Local\Temp\pooajhl.vbs
  MD5     e5c8a7a1c9a7270f2c2ffe16ccda5252
  SHA1    d1f2818cad5de689285d70734a91bd0a1176135b
  SHA256  ad2c97470e15c64a276875d2e426e04d4efd99bef0a01b0aa1e78764136e37ce
  SHA512  85ab429e811f7594a82bab0e25e174bdb2f2e5d20f725b45201b2eca1f007c14f2e90a5405cf7b50b3ca487ab6c9bf50e6ab84675f6c868fb42eec8386b8e74e
- \Users\Admin\AppData\Local\Temp\nsnC8BC.tmp\UAC.dll
  MD5     adb29e6b186daa765dc750128649b63d
  SHA1    160cbdc4cb0ac2c142d361df138c537aa7e708c9
  SHA256  2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
  SHA512  b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
  (nsXXXX.tmp is the working directory an NSIS installer unpacks its plugins into, and UAC.dll is the name of the NSIS UAC plugin, which points to the top-level sample being an NSIS-built dropper.)

Memory dumps (region, size):
- memory/268-70-0x0000000000BE0000-0x00000000012AB000-memory.dmp  6.8MB
- memory/268-71-0x0000000000BE0000-0x00000000012AB000-memory.dmp  6.8MB
- memory/268-72-0x0000000076F80000-0x0000000076F82000-memory.dmp  8KB
- memory/268-73-0x0000000000BE0000-0x00000000012AB000-memory.dmp  6.8MB
- memory/1600-54-0x0000000075471000-0x0000000075473000-memory.dmp  8KB
- memory/1916-78-0x0000000000402000-0x0000000000404000-memory.dmp  8KB
- memory/1916-79-0x00000000009F0000-0x0000000000A38000-memory.dmp  288KB
- memory/1916-80-0x00000000009F0000-0x0000000000A38000-memory.dmp  288KB
- memory/1916-81-0x0000000000250000-0x0000000000251000-memory.dmp  4KB
- memory/1916-82-0x00000000009F0000-0x0000000000A38000-memory.dmp  288KB
The three 6.8MB dumps of PID 268 cover the same 0xBE0000-0x12AB000 range, the region the themida YARA rule matched, so they are successive snapshots of the packed forbarvp.exe image rather than three different allocations.