Analysis
- max time kernel: 118s
- max time network: 132s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 15-02-2022 14:52

Static task: static1
Behavioral task: behavioral1
Sample: 26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
Resource: win7-en-20211208
General
- Target: 26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
- Size: 3.1MB
- MD5: e02a6d825992d0532b21584beeb2e91a
- SHA1: 375ddee62c5598026fcb1420dba4273e95cabb8d
- SHA256: 26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680
- SHA512: 80bfeb85caa5244d262684d21f02b5ccc2c206b670ae88628badf3104d90c907d211930bf3b7620ad61b4b3b1fedcd9a76c35556ed321766dbfb96cfa95621ba
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Blocklisted process makes network request (4 IoCs)
  Processes:
    flow  pid   process
    13    1600  WScript.exe
    14    1600  WScript.exe
    15    1600  WScript.exe
    16    1600  WScript.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1084  enmesh.exe
    472   flaviavp.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  flaviavp.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   flaviavp.exe
- Loads dropped DLL (9 IoCs)
  Processes:
    pid   process
    960   26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
    960   26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
    960   26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
    1084  enmesh.exe
    1084  enmesh.exe
    1084  enmesh.exe
    960   26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
    472   flaviavp.exe
    472   flaviavp.exe
- YARA rule match: themida
  Processes:
    resource                                                                     yara_rule
    \Users\Admin\AppData\Local\Temp\geason\flaviavp.exe                          themida
    C:\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe                        themida
    \Users\Admin\AppData\Local\Temp\geason\flaviavp.exe                          themida
    \Users\Admin\AppData\Local\Temp\geason\flaviavp.exe                          themida
    C:\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe                        themida
    behavioral1/memory/472-70-0x00000000003E0000-0x0000000000AA5000-memory.dmp   themida
    behavioral1/memory/472-71-0x00000000003E0000-0x0000000000AA5000-memory.dmp   themida
    behavioral1/memory/472-72-0x00000000003E0000-0x0000000000AA5000-memory.dmp   themida
- Checks whether UAC is enabled
  Processes:
    description        ioc                                                                               process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  flaviavp.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    4     ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
    pid   process
    472   flaviavp.exe
- Drops file in Program Files directory (3 IoCs)
  Processes:
    description   ioc                                                process
    File created  C:\Program Files (x86)\foler\olader\acppage.dll     26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
    File created  C:\Program Files (x86)\foler\olader\adprovider.dll  26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
    File created  C:\Program Files (x86)\foler\olader\acledit.dll     26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
- Drops file in Windows directory (1 IoCs)
  Processes:
    description                   ioc          process
    File opened for modification  C:\Windows\  enmesh.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                                  process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      flaviavp.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  flaviavp.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
    pid   process
    1084  enmesh.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    472   flaviavp.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (each distinct row appears 7 times in the report; 28 entries in total):
    description                      pid  process                                                                target process  entries
    PID 960 wrote to memory of 1084  960  26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe  enmesh.exe      7
    PID 960 wrote to memory of 472   960  26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe  flaviavp.exe    7
    PID 472 wrote to memory of 1056  472  flaviavp.exe                                                           WScript.exe     7
    PID 472 wrote to memory of 1600  472  flaviavp.exe                                                           WScript.exe     7
Processes
- C:\Users\Admin\AppData\Local\Temp\26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe"
  Signatures:
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
  Child processes:
    - C:\Users\Admin\AppData\Local\Temp\geason\enmesh.exe (level 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\geason\enmesh.exe"
      Signatures:
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: AddClipboardFormatListener
    - C:\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe (level 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe"
      Signatures:
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Loads dropped DLL
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      Child processes:
        - C:\Windows\SysWOW64\WScript.exe (level 3)
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\binpcvuhr.vbs"
        - C:\Windows\SysWOW64\WScript.exe (level 3)
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gshpjsjgxtxd.vbs"
          Signatures:
            - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads