Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
17-02-2022 23:39
General
-
Target
stangs.exe
-
Size
3.3MB
-
MD5
aef3dd554664f1c82a56a2e2775fa6d4
-
SHA1
8456da14bc786bf6ee3fc6ff4ec17665189ea556
-
SHA256
0ef273d54fe7d444cdcd783faa40bba94bad7a85d58ffd94724a5bb6813f0247
-
SHA512
511d5bd264a4808342e1d350f1d731399f11d5da89009820601eb9174ac69b44768b333b08fbab8dc552652ba66b51348eee64023198087d5eeea4e18a5f76e3
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Themida packer 10 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\stangs.exe"C:\Users\Admin\AppData\Local\Temp\stangs.exe"1⤵
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
aef3dd554664f1c82a56a2e2775fa6d4
SHA18456da14bc786bf6ee3fc6ff4ec17665189ea556
SHA2560ef273d54fe7d444cdcd783faa40bba94bad7a85d58ffd94724a5bb6813f0247
SHA512511d5bd264a4808342e1d350f1d731399f11d5da89009820601eb9174ac69b44768b333b08fbab8dc552652ba66b51348eee64023198087d5eeea4e18a5f76e3
-
MD5
aef3dd554664f1c82a56a2e2775fa6d4
SHA18456da14bc786bf6ee3fc6ff4ec17665189ea556
SHA2560ef273d54fe7d444cdcd783faa40bba94bad7a85d58ffd94724a5bb6813f0247
SHA512511d5bd264a4808342e1d350f1d731399f11d5da89009820601eb9174ac69b44768b333b08fbab8dc552652ba66b51348eee64023198087d5eeea4e18a5f76e3
-
MD5
aef3dd554664f1c82a56a2e2775fa6d4
SHA18456da14bc786bf6ee3fc6ff4ec17665189ea556
SHA2560ef273d54fe7d444cdcd783faa40bba94bad7a85d58ffd94724a5bb6813f0247
SHA512511d5bd264a4808342e1d350f1d731399f11d5da89009820601eb9174ac69b44768b333b08fbab8dc552652ba66b51348eee64023198087d5eeea4e18a5f76e3
-
MD5
aef3dd554664f1c82a56a2e2775fa6d4
SHA18456da14bc786bf6ee3fc6ff4ec17665189ea556
SHA2560ef273d54fe7d444cdcd783faa40bba94bad7a85d58ffd94724a5bb6813f0247
SHA512511d5bd264a4808342e1d350f1d731399f11d5da89009820601eb9174ac69b44768b333b08fbab8dc552652ba66b51348eee64023198087d5eeea4e18a5f76e3
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
8KB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
9.0MB
-
Filesize
8KB