Analysis

max time kernel: 125s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20220310-en
submitted: 21/03/2022, 21:38

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0x00080000000122ea-60.exe
  Resource: win7-20220311-en
  0 signatures, 0 seconds
General

Target: 0x00080000000122ea-60.exe
Size: 7.7MB
MD5: b61ae72b50a40197085687a8df2c4f32
SHA1: ccc71c89853966f7001c6ea43287d9c396884bc6
SHA256: a262c8414eafbd3587c395b4a6b08ba010efcb4681c1759396386de7d223a50b
SHA512: 83ce36d6bf70f2afc0bb07f403f797e2b3207501fe67a94ae69c5ae8f2530f8bd31fea6b8ad5c1f97fcff046818f2adfd1b16ed2ab89a601d15bb4162bc7c1ae
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs

Checks BIOS information in registry  2 TTPs, 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                              Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  0x00080000000122ea-60.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   0x00080000000122ea-60.exe
Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks whether UAC is enabled  1 IoCs
  description        ioc                                                                                   Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  0x00080000000122ea-60.exe
Kills process with WMI  2 IoCs
  pid   Process
  3048  WMIC.exe
  4436  WMIC.exe

Runs ping.exe  1 TTPs, 2 IoCs
  pid   Process
  2248  PING.EXE
  2060  PING.EXE
Suspicious behavior: EnumeratesProcesses  64 IoCs
  pid   Process
  4300  0x00080000000122ea-60.exe  (all 64 entries are this same PID and process)
Suspicious use of AdjustPrivilegeToken  64 IoCs
The 64 entries group into three processes; tokens 33 to 36 are privileges the report lists only by LUID number.
  pid   Process                    Tokens
  4300  0x00080000000122ea-60.exe  SeDebugPrivilege
  3048  WMIC.exe                   SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36  (this 21-token set is recorded twice for PID 3048)
  228   WMIC.exe                   same 21-token set as PID 3048, recorded once
Suspicious use of WriteProcessMemory  24 IoCs
Each parent/child pair is recorded twice in the raw listing; it is shown once here.
  PID   Process                    wrote to memory of  procid_target
  4300  0x00080000000122ea-60.exe  4064                92
  4300  0x00080000000122ea-60.exe  3956                91
  4300  0x00080000000122ea-60.exe  448                 87
  448   cmd.exe                    2248                93
  4064  cmd.exe                    3048                94
  4300  0x00080000000122ea-60.exe  2692                100
  4300  0x00080000000122ea-60.exe  3224                95
  4300  0x00080000000122ea-60.exe  3652                99
  3956  cmd.exe                    228                 102
  2692  cmd.exe                    4436                103
  3224  cmd.exe                    2480                104
  3652  cmd.exe                    2060                105
Processes

C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe
  "C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe"
  PID: 4300
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C ping -n 2 127.0.0.1>%temp%\log2 && rd /s /q %appdata%\Sysfiles & rd /s /q %temp%
    PID: 448
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      PID: 2248
      - Runs ping.exe

  C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' delete
    PID: 3956
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe
      wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' delete
      PID: 228
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C erase %temp% /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' call terminate
    PID: 4064
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe
      wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' call terminate
      PID: 3048
      - Kills process with WMI
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C erase %temp% /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' delete
    PID: 3224
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe
      wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' delete
      PID: 2480

  C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & ping -n 10 127.0.0.1>%temp%\log1 && erase %temp% /s /f /q & rd /s /q %appdata%\Sysfiles
    PID: 3652
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\PING.EXE
      ping -n 10 127.0.0.1
      PID: 2060
      - Runs ping.exe

  C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' call terminate
    PID: 2692
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe
      wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' call terminate
      PID: 4436
      - Kills process with WMI
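The process tree above is a cleanup routine: each cmd.exe child deletes the sample's working directories (%temp% and %appdata%\Sysfiles), uses wmic to terminate or delete any process whose ExecutablePath is under those directories, and uses ping -n N 127.0.0.1 redirected to a log file as a delay before the deletions. The Python below is an added example, not part of the sandbox output, of detection logic that flags those behaviours over process-creation and registry-query events: WMIC kill-by-path, ping-as-sleep combined with a profile-directory wipe, and the SystemBiosVersion/VideoBiosVersion reads from the Signatures section, each enriched with whether the process chain starts under AppData\Local\Temp. The event shape (roughly Sysmon event IDs 1 and 13) and the sample's parent PID (1000) are assumptions; the events themselves are constructed from the command lines and registry IoCs in this report.

```python
"""Detection logic for the self-cleanup and anti-analysis behaviour in this report.

Added example, not sandbox output. Event shape is an assumption (roughly Sysmon
EID 1 for process creation, EID 13 for registry reads); the events below are
constructed from the command lines and registry IoCs listed in the report.
"""
import re
from collections import Counter

TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe"
CMD = r"C:\Windows\SYSTEM32\cmd.exe"
WMIC = r"C:\Windows\System32\Wbem\WMIC.exe"
PING = r"C:\Windows\system32\PING.EXE"
# WQL filters exactly as they appear in the report's command lines.
WQL_TEMP = r"'ExecutablePath LIKE '%TEMP\\%''"
WQL_SYSFILES = r"'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%''"


def proc(pid, ppid, image, cmdline):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


def reg(pid, key):
    return {"type": "registry", "pid": pid, "key": key}


# Constructed events; the sample's own parent PID (1000) is assumed, the report does not give it.
EVENTS = [
    proc(4300, 1000, TEMP_EXE, f'"{TEMP_EXE}"'),
    reg(4300, r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    reg(4300, r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    reg(4300, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    proc(448, 4300, CMD, r'"cmd.exe" /C ping -n 2 127.0.0.1>%temp%\log2 && rd /s /q %appdata%\Sysfiles & rd /s /q %temp%'),
    proc(2248, 448, PING, "ping -n 2 127.0.0.1"),
    proc(3956, 4300, CMD, r'"cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & wmic PROCESS WHERE ' + WQL_TEMP + " delete"),
    proc(228, 3956, WMIC, "wmic PROCESS WHERE " + WQL_TEMP + " delete"),
    proc(4064, 4300, CMD, r'"cmd.exe" /C erase %temp% /s /f /q & wmic PROCESS WHERE ' + WQL_TEMP + " call terminate"),
    proc(3048, 4064, WMIC, "wmic PROCESS WHERE " + WQL_TEMP + " call terminate"),
    proc(3224, 4300, CMD, r'"cmd.exe" /C erase %temp% /s /f /q & wmic PROCESS WHERE ' + WQL_SYSFILES + " delete"),
    proc(2480, 3224, WMIC, "wmic PROCESS WHERE " + WQL_SYSFILES + " delete"),
    proc(3652, 4300, CMD, r'"cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & ping -n 10 127.0.0.1>%temp%\log1 && erase %temp% /s /f /q & rd /s /q %appdata%\Sysfiles'),
    proc(2060, 3652, PING, "ping -n 10 127.0.0.1"),
    proc(2692, 4300, CMD, r'"cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & wmic PROCESS WHERE ' + WQL_SYSFILES + " call terminate"),
    proc(4436, 2692, WMIC, "wmic PROCESS WHERE " + WQL_SYSFILES + " call terminate"),
]

# wmic ... process where ExecutablePath like ... (call terminate | delete): kills by path,
# i.e. whatever runs from the chosen directory, rather than a named process.
WMIC_KILL_BY_PATH = re.compile(
    r"\bwmic\b.*\bprocess\b.*\bwhere\b.*\bexecutablepath\s+like\b.*\b(?:call\s+terminate|delete)\b",
    re.IGNORECASE)
# ping -n N 127.0.0.1 as a sleep, on the same command line as rd/erase of %temp% or %appdata%.
PING_LOOPBACK = re.compile(r"\bping\s+-n\s+\d+\s+127\.0\.0\.1", re.IGNORECASE)
WIPE_PROFILE_DIR = re.compile(r"\b(?:rd|rmdir|erase|del)\b[^&|]*%(?:temp|appdata)%", re.IGNORECASE)
# Registry values the report shows being read for VM/sandbox fingerprinting.
VM_BIOS_VALUE = re.compile(
    r"\\HARDWARE\\DESCRIPTION\\System\\(?:SystemBiosVersion|VideoBiosVersion)$", re.IGNORECASE)


def in_temp_lineage(pid, procs):
    """True if the process or any ancestor runs from a user's AppData\\Local\\Temp."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        if "\\appdata\\local\\temp\\" in procs[pid]["image"].lower():
            return True
        pid = procs[pid]["ppid"]
    return False


def detect(events):
    """Return one hit per (pid, rule), enriched with whether the lineage starts in Temp."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] == "process":
            cl = e["cmdline"]
            if WMIC_KILL_BY_PATH.search(cl):
                hits.append((e["pid"], "wmic_kill_by_path"))
            if PING_LOOPBACK.search(cl) and WIPE_PROFILE_DIR.search(cl):
                hits.append((e["pid"], "ping_delay_then_wipe"))
        elif e["type"] == "registry" and VM_BIOS_VALUE.search(e["key"]):
            hits.append((e["pid"], "vm_bios_probe"))
    return [{"pid": p, "rule": r, "temp_lineage": in_temp_lineage(p, procs)} for p, r in hits]


def summarize(hits):
    """Count hits per rule."""
    return Counter(h["rule"] for h in hits)


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(f"pid={h['pid']:<5} rule={h['rule']:<22} temp_lineage={h['temp_lineage']}")
    print(dict(summarize(detect(EVENTS))))
```

The lineage walk is what makes these hits worth an alert: wmic and ping are legitimate on their own, but a kill-by-path or a %temp% wipe issued by a chain that starts under AppData\Local\Temp is the cleanup pattern this report shows. Against these events every hit has temp_lineage set, while the bare `ping -n 2 127.0.0.1` children match nothing on their own. Loosen or tighten WIPE_PROFILE_DIR if your environment's own maintenance scripts legitimately clear %temp%.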