Analysis
max time kernel: 147s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 15-02-2022 07:20
Static task: static1
Behavioral task: behavioral1
Sample: a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
Resource: win7-en-20211208
General
Target: a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
Size: 2.6MB
MD5: 6937e159a174fa4109c366acf4aed9ed
SHA1: 90546e2e91c84758274b85da5e43cec871af8fe9
SHA256: a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c
SHA512: 36e7509c72426253f984544e6ea8cf687f4feebe47e9643c6869948635882517d53a339be16bc2eb0e10fc5bd4b9099c76a2617b4407d3601125f1af9d00c282
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Blocklisted process makes network request (1 IoCs)
  Processes:
    flow | pid | process
    49 | 1848 | WScript.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
-
  Processes:
    resource | yara_rule
    behavioral2/memory/996-130-0x0000000000FB0000-0x0000000001673000-memory.dmp | themida
    behavioral2/memory/996-131-0x0000000000FB0000-0x0000000001673000-memory.dmp | themida
    behavioral2/memory/996-132-0x0000000000FB0000-0x0000000001673000-memory.dmp | themida
    behavioral2/memory/996-133-0x0000000000FB0000-0x0000000001673000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    18 | ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
    pid | process
    996 | a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
    File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
- Modifies registry class (1 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings | a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    996 | a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
    996 | a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description | pid | process
    Token: SeShutdownPrivilege | 116 | svchost.exe
    Token: SeCreatePagefilePrivilege | 116 | svchost.exe
    Token: SeShutdownPrivilege | 116 | svchost.exe
    Token: SeCreatePagefilePrivilege | 116 | svchost.exe
    Token: SeShutdownPrivilege | 116 | svchost.exe
    Token: SeCreatePagefilePrivilege | 116 | svchost.exe
    Token: SeSecurityPrivilege | 3492 | TiWorker.exe
    Token: SeRestorePrivilege | 3492 | TiWorker.exe
    Token: SeBackupPrivilege | 3492 | TiWorker.exe
    Token: SeBackupPrivilege | 3492 | TiWorker.exe
    Token: SeRestorePrivilege | 3492 | TiWorker.exe
    Token: SeSecurityPrivilege | 3492 | TiWorker.exe
    Token: SeBackupPrivilege | 3492 | TiWorker.exe
    Token: SeRestorePrivilege | 3492 | TiWorker.exe
    Token: SeSecurityPrivilege | 3492 | TiWorker.exe
    Token: SeBackupPrivilege | 3492 | TiWorker.exe
    Token: SeRestorePrivilege | 3492 | TiWorker.exe
    Token: SeSecurityPrivilege | 3492 | TiWorker.exe
    Token: SeBackupPrivilege | 3492 | TiWorker.exe
    Token: SeRestorePrivilege | 3492 | TiWorker.exe
    Token: SeSecurityPrivilege | 3492 | TiWorker.exe
    Token: SeBackupPrivilege | 3492 | TiWorker.exe
    Token: SeRestorePrivilege | 3492 | TiWorker.exe
    Token: SeSecurityPrivilege | 3492 | TiWorker.exe
    Token: SeBackupPrivilege | 3492 | TiWorker.exe
    Token: SeRestorePrivilege | 3492 | TiWorker.exe
    Token: SeSecurityPrivilege | 3492 | TiWorker.exe
    Token: SeBackupPrivilege | 3492 | TiWorker.exe
    Token: SeRestorePrivilege | 3492 | TiWorker.exe
    Token: SeSecurityPrivilege | 3492 | TiWorker.exe
    Token: SeBackupPrivilege | 3492 | TiWorker.exe
    Token: SeRestorePrivilege | 3492 | TiWorker.exe
    Token: SeSecurityPrivilege | 3492 | TiWorker.exe
    Token: SeBackupPrivilege | 3492 | TiWorker.exe
    Token: SeRestorePrivilege | 3492 | TiWorker.exe
    Token: SeSecurityPrivilege | 3492 | TiWorker.exe
    Token: SeBackupPrivilege | 3492 | TiWorker.exe
    Token: SeRestorePrivilege | 3492 | TiWorker.exe
    Token: SeSecurityPrivilege | 3492 | TiWorker.exe
    Token: SeBackupPrivilege | 3492 | TiWorker.exe
    Token: SeRestorePrivilege | 3492 | TiWorker.exe
    Token: SeSecurityPrivilege | 3492 | TiWorker.exe
    Token: SeBackupPrivilege | 3492 | TiWorker.exe
    Token: SeRestorePrivilege | 3492 | TiWorker.exe
    Token: SeSecurityPrivilege | 3492 | TiWorker.exe
    Token: SeBackupPrivilege | 3492 | TiWorker.exe
    Token: SeRestorePrivilege | 3492 | TiWorker.exe
    Token: SeSecurityPrivilege | 3492 | TiWorker.exe
    Token: SeBackupPrivilege | 3492 | TiWorker.exe
    Token: SeRestorePrivilege | 3492 | TiWorker.exe
    Token: SeSecurityPrivilege | 3492 | TiWorker.exe
    Token: SeBackupPrivilege | 3492 | TiWorker.exe
    Token: SeRestorePrivilege | 3492 | TiWorker.exe
    Token: SeSecurityPrivilege | 3492 | TiWorker.exe
    Token: SeBackupPrivilege | 3492 | TiWorker.exe
    Token: SeRestorePrivilege | 3492 | TiWorker.exe
    Token: SeSecurityPrivilege | 3492 | TiWorker.exe
    Token: SeBackupPrivilege | 3492 | TiWorker.exe
    Token: SeRestorePrivilege | 3492 | TiWorker.exe
    Token: SeSecurityPrivilege | 3492 | TiWorker.exe
    Token: SeBackupPrivilege | 3492 | TiWorker.exe
    Token: SeRestorePrivilege | 3492 | TiWorker.exe
    Token: SeSecurityPrivilege | 3492 | TiWorker.exe
    Token: SeBackupPrivilege | 3492 | TiWorker.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description | pid | process | target process
    PID 996 wrote to memory of 4912 | 996 | a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe | WScript.exe
    PID 996 wrote to memory of 4912 | 996 | a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe | WScript.exe
    PID 996 wrote to memory of 4912 | 996 | a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe | WScript.exe
    PID 996 wrote to memory of 1848 | 996 | a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe | WScript.exe
    PID 996 wrote to memory of 1848 | 996 | a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe | WScript.exe
    PID 996 wrote to memory of 1848 | 996 | a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe | WScript.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\inesven.vbs"
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\diidxpemfa.vbs"
    - Blocklisted process makes network request
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
  MD5: 54e9306f95f32e50ccd58af19753d929
  SHA1: eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
  SHA256: 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
  SHA512: 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
  MD5: 5a2ff3604b9d33057b47861f5f16cbee
  SHA1: 4873dda38975714d72ecac1296331a35eb649c55
  SHA256: a382dd51981224e866100b9ecc1402a5d890d014222dd03ca1e3c1354f8de29b
  SHA512: 7ac9e7a41033ceeb163169eb0fb4887e51de5f191dd897d10cf5c1d883e9bc92560ed7e72da6c85801271785ed5c702d8dbf6ac2dde3198f6496068453c3ee74
- C:\Users\Admin\AppData\Local\Temp\diidxpemfa.vbs
  MD5: 54ec4314cfd4a869bc4cb118646a1bc5
  SHA1: 5fa512e52c775eba2d7843136d889dbcd8c993d6
  SHA256: 9952bff78a8e88ea1f6a7991dd07deab22473138b646ec7ac0c1f7ccf57bb33c
  SHA512: 8c9c206b68c6e1f8a8a630ab4ae98a1b047a9209caad1e1652e63785762b5ca5b55b4212681300ffe784aa957cbec178aa5f002f74c95f83eadf42c5f0a92c70
- C:\Users\Admin\AppData\Local\Temp\inesven.vbs
  MD5: 6e4301c8c12b1ecec4057cce04a9c7e5
  SHA1: 09e3540c656086b1f2182a765ef5a0729ec0a11c
  SHA256: 781f7e903db5f6447b2699be1a89376e0a591e495b7827d9660d8a4bb6d08b5d
  SHA512: 39a3a7e42851a33c591eb73191fd2aba3d91fea26141807df9268d67d05e6c903d257cbc0e6065c81e7cfb1a01ac4619c0dcc2b945ccbed11a113ba2f0df36ef
- memory/116-136-0x0000018CBD820000-0x0000018CBD830000-memory.dmp
  Filesize: 64KB
- memory/116-137-0x0000018CBD880000-0x0000018CBD890000-memory.dmp
  Filesize: 64KB
- memory/116-138-0x0000018CBFF40000-0x0000018CBFF44000-memory.dmp
  Filesize: 16KB
- memory/996-130-0x0000000000FB0000-0x0000000001673000-memory.dmp
  Filesize: 6.8MB
- memory/996-131-0x0000000000FB0000-0x0000000001673000-memory.dmp
  Filesize: 6.8MB
- memory/996-132-0x0000000000FB0000-0x0000000001673000-memory.dmp
  Filesize: 6.8MB
- memory/996-133-0x0000000000FB0000-0x0000000001673000-memory.dmp
  Filesize: 6.8MB
- memory/996-134-0x0000000076F54000-0x0000000076F56000-memory.dmp
  Filesize: 8KB