Analysis
-
max time kernel
53s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
16-05-2022 05:17
Static task
static1
Behavioral task
behavioral1
Sample
e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe
Resource
win7-20220414-en
General
-
Target
e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe
-
Size
361KB
-
MD5
e2eb762d6d248fec5b8af8ab437cfdc2
-
SHA1
c6be1c85d65136e6ce2cc098db499837d2c5ea9e
-
SHA256
e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28
-
SHA512
0c85ede00a5ae7d0fe5aabfb9b662c6329922e6278bc80b59384234891a1383fe53d7931b9ca7d52ac95a355cd10840a4886a268238e347077d91fb0ba7d3a33
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
SendShow.exepid process 1708 SendShow.exe -
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1484 cmd.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\WINE e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe Key opened \REGISTRY\MACHINE\Software\Wow6432Node\WINE e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe -
Loads dropped DLL 1 IoCs
Processes:
e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exepid process 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exepid process 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exedescription pid process Token: SeSecurityPrivilege 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exeSendShow.exedescription pid process target process PID 1592 wrote to memory of 1708 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe SendShow.exe PID 1592 wrote to memory of 1708 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe SendShow.exe PID 1592 wrote to memory of 1708 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe SendShow.exe PID 1592 wrote to memory of 1708 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe SendShow.exe PID 1708 wrote to memory of 2012 1708 SendShow.exe svchost.exe PID 1708 wrote to memory of 2012 1708 SendShow.exe svchost.exe PID 1708 wrote to memory of 2012 1708 SendShow.exe svchost.exe PID 1708 wrote to memory of 2012 1708 SendShow.exe svchost.exe PID 1708 wrote to memory of 2012 1708 SendShow.exe svchost.exe PID 1708 wrote to memory of 2012 1708 SendShow.exe svchost.exe PID 1708 wrote to memory of 2012 1708 SendShow.exe svchost.exe PID 1708 wrote to memory of 2012 1708 SendShow.exe svchost.exe PID 1708 wrote to memory of 596 1708 SendShow.exe svchost.exe PID 1708 wrote to memory of 596 1708 SendShow.exe svchost.exe PID 1708 wrote to memory of 596 1708 SendShow.exe svchost.exe PID 1708 wrote to memory of 596 1708 SendShow.exe svchost.exe PID 1708 wrote to memory of 596 1708 SendShow.exe svchost.exe PID 1708 wrote to memory of 596 1708 SendShow.exe svchost.exe PID 1708 wrote to memory of 596 1708 SendShow.exe svchost.exe PID 1708 wrote to memory of 596 1708 SendShow.exe svchost.exe PID 1592 wrote to memory of 1484 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe cmd.exe PID 1592 wrote to memory of 1484 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe cmd.exe PID 1592 wrote to memory of 1484 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe cmd.exe PID 1592 wrote to memory of 1484 1592 e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe"C:\Users\Admin\AppData\Local\Temp\e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28.exe"1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SendShow.exe"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SendShow.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs3⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd09fdb9da.bat"2⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\upd09fdb9da.batFilesize
313B
MD577b1708671aa3b400e3b8678e80eff47
SHA15c4e1b8ecbf91d9dcf9e00a39c41bfbf296f57a9
SHA256c569b573250d66c8d34328937f0463abb21e0e6d20db496511d88683b44c182f
SHA512ef00d1405b9d638ed1a4f3215c19ba1cc2ec92989c51173e87d92118aa19be5fccfa87a36a7dfb13bed174b18f60792f5bb60ec3e0152c6cb4630a48fa7a2a64
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SendShow.exeFilesize
361KB
MD5e2eb762d6d248fec5b8af8ab437cfdc2
SHA1c6be1c85d65136e6ce2cc098db499837d2c5ea9e
SHA256e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28
SHA5120c85ede00a5ae7d0fe5aabfb9b662c6329922e6278bc80b59384234891a1383fe53d7931b9ca7d52ac95a355cd10840a4886a268238e347077d91fb0ba7d3a33
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SendShow.exeFilesize
361KB
MD5e2eb762d6d248fec5b8af8ab437cfdc2
SHA1c6be1c85d65136e6ce2cc098db499837d2c5ea9e
SHA256e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28
SHA5120c85ede00a5ae7d0fe5aabfb9b662c6329922e6278bc80b59384234891a1383fe53d7931b9ca7d52ac95a355cd10840a4886a268238e347077d91fb0ba7d3a33
-
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SendShow.exeFilesize
361KB
MD5e2eb762d6d248fec5b8af8ab437cfdc2
SHA1c6be1c85d65136e6ce2cc098db499837d2c5ea9e
SHA256e6967a3e28cc938341c5ca21332c84ec700e33ae632cd0c08dc6bbf16b212f28
SHA5120c85ede00a5ae7d0fe5aabfb9b662c6329922e6278bc80b59384234891a1383fe53d7931b9ca7d52ac95a355cd10840a4886a268238e347077d91fb0ba7d3a33
-
memory/596-73-0x0000000000100000-0x0000000000124000-memory.dmpFilesize
144KB
-
memory/596-74-0x0000000000100000-0x0000000000124000-memory.dmpFilesize
144KB
-
memory/596-77-0x0000000000100000-0x0000000000124000-memory.dmpFilesize
144KB
-
memory/596-76-0x0000000000000000-mapping.dmp
-
memory/596-75-0x0000000000100000-0x0000000000124000-memory.dmpFilesize
144KB
-
memory/1484-78-0x0000000000000000-mapping.dmp
-
memory/1592-56-0x0000000000400000-0x000000000045F000-memory.dmpFilesize
380KB
-
memory/1592-55-0x0000000002180000-0x00000000021AA000-memory.dmpFilesize
168KB
-
memory/1592-54-0x0000000076781000-0x0000000076783000-memory.dmpFilesize
8KB
-
memory/1708-61-0x0000000002370000-0x000000000239A000-memory.dmpFilesize
168KB
-
memory/1708-62-0x0000000000400000-0x000000000045F000-memory.dmpFilesize
380KB
-
memory/1708-58-0x0000000000000000-mapping.dmp
-
memory/2012-64-0x0000000000080000-0x00000000000A4000-memory.dmpFilesize
144KB
-
memory/2012-70-0x0000000000080000-0x00000000000A4000-memory.dmpFilesize
144KB
-
memory/2012-69-0x0000000000000000-mapping.dmp
-
memory/2012-67-0x0000000000080000-0x00000000000A4000-memory.dmpFilesize
144KB
-
memory/2012-68-0x0000000000080000-0x00000000000A4000-memory.dmpFilesize
144KB
-
memory/2012-66-0x0000000000080000-0x00000000000A4000-memory.dmpFilesize
144KB