Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 15-02-2022 07:20
Static task: static1
Behavioral task: behavioral1
- Sample: a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
- Resource: win7-en-20211208
General
- Target: a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
- Size: 2.6MB
- MD5: 6937e159a174fa4109c366acf4aed9ed
- SHA1: 90546e2e91c84758274b85da5e43cec871af8fe9
- SHA256: a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c
- SHA512: 36e7509c72426253f984544e6ea8cf687f4feebe47e9643c6869948635882517d53a339be16bc2eb0e10fc5bd4b9099c76a2617b4407d3601125f1af9d00c282
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Blocklisted process makes network request 4 IoCs
  Processes:
  flow  pid   process
  13    1540  WScript.exe
  14    1540  WScript.exe
  15    1540  WScript.exe
  16    1540  WScript.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments. On a stock VirtualBox guest the two values below contain "VBOX" and "VirtualBox" respectively, which is the kind of tell such a read is looking for.
  Processes:
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
- YARA rule match: themida 4 IoCs
  Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1532-55-0x00000000013E0000-0x0000000001AA3000-memory.dmp  themida
  behavioral1/memory/1532-56-0x00000000013E0000-0x0000000001AA3000-memory.dmp  themida
  behavioral1/memory/1532-57-0x00000000013E0000-0x0000000001AA3000-memory.dmp  themida
  behavioral1/memory/1532-58-0x00000000013E0000-0x0000000001AA3000-memory.dmp  themida
  All four hits are the same 6.8MB region of pid 1532 (the dumps are listed under Downloads), considerably larger than the 2.6MB file on disk, which is consistent with a protector that unpacks the real code into memory.
- Checks whether UAC is enabled
  Processes:
  description        ioc                                                                                  process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
- Legitimate hosting services abused for malware hosting/C2 1 TTPs
- Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow  ioc
  4     ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Setting ThreadHideFromDebugger on a thread stops the kernel from delivering that thread's debug events to an attached debugger; it is a classic anti-debugging step and, with the BIOS and processor reads, points to a sample that checks its environment before doing anything else.
  Processes:
  pid   process
  1532  a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. Nothing else in this report (no file writes beyond the two dropped scripts, no ransom note) supports the ransomware reading, so treat this as a generic drive enumeration until more evidence turns up.
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description        ioc                                                                                  process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes:
  pid   process
  1532  a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
- Suspicious use of WriteProcessMemory 8 IoCs
  Processes:
  description                        pid   process                                                                target process
  PID 1532 wrote to memory of 1336   1532  a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe  WScript.exe  (4 entries)
  PID 1532 wrote to memory of 1540   1532  a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe  WScript.exe  (4 entries)
  Both targets are the WScript.exe children the sample itself spawns. A few writes into a child the parent has just created are also what ordinary process creation produces (the parent populates the new process's parameters), so on their own these entries do not establish code injection; both children go on to run their scripts under their own image.
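The BIOS, processor and EnableLUA reads recorded above are the sample's environment checks. The following is an added example, not code from the report or from the sample: it parses rows in the same "operation, registry path, process" shape as the IoC tables, tags each watched read as VM fingerprinting or a UAC check, and reports whether the values returned would give a hypervisor away. The optional "= value" suffix on a row is this example's own convention (the report records no values), and the trace it runs on is constructed.

```python
"""Tag the registry reads this report records as VM fingerprinting or a UAC check."""
import re
from collections import defaultdict

# Value paths the sample queried, per the report, and what each read is for.
WATCHED_VALUES = {
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "vm_fingerprint",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "vm_fingerprint",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString": "vm_fingerprint",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": "uac_check",
}
# Registry paths are case-insensitive, so compare lower-cased.
_WATCHED = {k.lower(): v for k, v in WATCHED_VALUES.items()}

# Hypervisor strings a VM check typically looks for in those values (general
# knowledge about VirtualBox/VMware/QEMU guests, not something this report states).
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "VIRTUAL")

# "<operation> <registry path> <process> [= <value>]"; the value part is an assumption.
EVENT_RE = re.compile(
    r"^(?P<op>Key value queried|Key opened)\s+"
    r"(?P<path>\\REGISTRY\\\S+)\s+"
    r"(?P<proc>\S+)"
    r"(?:\s+=\s+(?P<value>.*))?$"
)


def parse_event(line):
    """Return (operation, path, process, value-or-None), or None for a non-registry line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return m.group("op"), m.group("path"), m.group("proc"), m.group("value")


def classify(lines):
    """Group watched value reads by process.

    Result: {process: {"vm_fingerprint": [paths], "uac_check": [paths], "vm_exposed": bool}}
    where vm_exposed is True if any fingerprint value carried a hypervisor marker,
    i.e. the environment would fail the check the sample is making.
    """
    summary = defaultdict(lambda: {"vm_fingerprint": [], "uac_check": [], "vm_exposed": False})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        op, path, proc, value = ev
        tag = _WATCHED.get(path.lower())
        if tag is None or op != "Key value queried":
            continue  # key opens and unrelated values are not the tell
        entry = summary[proc]
        entry[tag].append(path)
        if tag == "vm_fingerprint" and value and any(m in value.upper() for m in VM_MARKERS):
            entry["vm_exposed"] = True
    return dict(summary)


def verdict(entry):
    """Short triage label for one process's summary."""
    if len(entry["vm_fingerprint"]) >= 2:
        label = "anti-vm probe"
    elif entry["vm_fingerprint"] or entry["uac_check"]:
        label = "environment probe"
    else:
        label = "none"
    if entry["vm_exposed"]:
        label += ", hypervisor exposed"
    return label


# Constructed trace in the report's row shape; the "= value" parts are made up to
# show what a stock VirtualBox guest returns for the first two reads.
SAMPLE_LOG = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 sample.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion sample.exe = VBOX - 1
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion sample.exe = Oracle VM VirtualBox
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString sample.exe = Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sample.exe = 1
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe
""".strip().splitlines()

if __name__ == "__main__":
    for proc, entry in classify(SAMPLE_LOG).items():
        print(proc, verdict(entry), entry)
```

Run on the constructed trace, sample.exe is labelled "anti-vm probe, hypervisor exposed" because two of its three fingerprint reads would return VirtualBox strings; explorer.exe does not appear at all, since its only read (the Run key) is not one of the watched values.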
Processes
- C:\Users\Admin\AppData\Local\Temp\a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qddcywbwxihu.vbs"
  - C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vqpxankj.vbs"
    - Blocklisted process makes network request
Both WScript.exe children are spawned by the sample (pid 1532) and are the two targets, pids 1336 and 1540, of the WriteProcessMemory entries above; the network-request signature is attributed to pid 1540, so that is the child running the second script. The image path is SysWOW64 while the command line names System32 because the 32-bit parent is subject to WoW64 file system redirection; a detection rule keyed on either spelling alone will miss the other. Both .vbs files are dropped into the user's Temp directory (hashes under Downloads).
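The launch chain in the tree (a packed executable in the user's Temp directory starting two WScript.exe children on freshly dropped .vbs files, one of which goes on to make network requests) is what a process-creation rule should catch. The following is an added example, not code from the report or from the sample: it scores constructed process-creation records built from the tree and from the WriteProcessMemory table, flags a script host started on a script under Temp, and canonicalises image paths so the SysWOW64/System32 mismatch seen above cannot split the rule. The explorer.exe parent, its pid, and which child ran which script are assumptions.

```python
"""Score process-creation records for the launch chain in this report."""
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid parent_image image cmdline made_network_request")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def canonical(path):
    """Lower-case a path and fold the WoW64 redirection target onto System32.

    A 32-bit process that opens C:\\Windows\\System32\\WScript.exe is redirected to
    C:\\Windows\\SysWOW64\\WScript.exe, which is why the report's image path and
    command line disagree; a rule keyed on one spelling alone misses the other.
    """
    return path.lower().replace("\\syswow64\\", "\\system32\\")


def basename(path):
    return canonical(path).rsplit("\\", 1)[-1]


def split_cmdline(cmd):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def script_argument(cmd):
    """First argument after the program that looks like a script file, else None."""
    for arg in split_cmdline(cmd)[1:]:
        if arg.lower().endswith(SCRIPT_EXT):
            return arg
    return None


def in_temp(path):
    return any(marker in canonical(path) for marker in TEMP_MARKERS)


def image_matches_cmdline(ev):
    """True when the image path and argv[0] name the same binary after canonicalisation."""
    argv = split_cmdline(ev.cmdline)
    return bool(argv) and canonical(argv[0]) == canonical(ev.image)


def assess(ev):
    """Reasons this process-creation record is suspicious (empty list if none)."""
    reasons = []
    if basename(ev.image) not in SCRIPT_HOSTS:
        return reasons
    script = script_argument(ev.cmdline)
    if script and in_temp(script):
        reasons.append("script host runs a script from a user-writable Temp directory")
    if in_temp(ev.parent_image):
        reasons.append("script host spawned by an executable running from Temp")
    if ev.made_network_request:
        reasons.append("script host made a network request")
    return reasons


def assess_chain(events):
    """Map child pid -> reasons for every record that trips at least one rule."""
    flagged = {}
    for ev in events:
        reasons = assess(ev)
        if reasons:
            flagged[ev.pid] = reasons
    return flagged


# Constructed from the process tree and the WriteProcessMemory table in this report.
# The explorer.exe parent and its pid are assumptions; which child ran which .vbs
# is assumed from the order of the tree. The network flag for pid 1540 comes from
# the "Blocklisted process makes network request" signature.
SAMPLE_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EXE = SAMPLE_DIR + r"\a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"
SAMPLE_EVENTS = [
    ProcEvent(1532, 1000, r"C:\Windows\explorer.exe", SAMPLE_EXE, '"%s"' % SAMPLE_EXE, False),
    ProcEvent(1336, 1532, SAMPLE_EXE, WSCRIPT,
              r'"C:\Windows\System32\WScript.exe" "%s\qddcywbwxihu.vbs"' % SAMPLE_DIR, False),
    ProcEvent(1540, 1532, SAMPLE_EXE, WSCRIPT,
              r'"C:\Windows\System32\WScript.exe" "%s\vqpxankj.vbs"' % SAMPLE_DIR, True),
]

if __name__ == "__main__":
    for pid, reasons in assess_chain(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

On the constructed records both children are flagged (script under Temp, parent running from Temp), and pid 1540 additionally for its network activity; the parent itself trips nothing here because it is not a script host, which is the point of pairing this rule with the registry-read checks above rather than relying on it alone.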
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\qddcywbwxihu.vbs
  MD5: 274ce1b7ce01753b23450c9ccb448dc9
  SHA1: 041394b18c7a3ce50a93a6ede4fa34f30df05686
  SHA256: 63d6584c870a41c54f84974c2070f1b4e3d9f4b6fb919b4649c6b5d0c772ebe8
  SHA512: 201e27e5c9ba6a749c3f5aad924a55b64a42f4896d2d382dbc2a66223b1c059816494411281332b69ace03da70c934b3d70bc2d9c5d093dad1108bdbdc5c1fe3
- C:\Users\Admin\AppData\Local\Temp\vqpxankj.vbs
  MD5: d4c346c9ff1651ff0ef2b1252b3a138e
  SHA1: 81d65cab15e30f363daf7cf307fda3e88189ec55
  SHA256: 4f6f11f24d5e0e81ea8ae197086ec4cf743ef7d1014ecc10551df9091d167c7a
  SHA512: 45ddd7c33f9005d1cff5793d2fcf95f01a4138a14c30649c09b5cdefaba1e40d1f0e59a67679e441fcf29ad1539db2b6810fc36bc9770708ec9b982830373793
- memory/1532-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
  Filesize: 8KB
- memory/1532-55-0x00000000013E0000-0x0000000001AA3000-memory.dmp
  Filesize: 6.8MB
- memory/1532-56-0x00000000013E0000-0x0000000001AA3000-memory.dmp
  Filesize: 6.8MB
- memory/1532-57-0x00000000013E0000-0x0000000001AA3000-memory.dmp
  Filesize: 6.8MB
- memory/1532-58-0x00000000013E0000-0x0000000001AA3000-memory.dmp
  Filesize: 6.8MB
- memory/1532-59-0x0000000077D30000-0x0000000077D32000-memory.dmp
  Filesize: 8KB