Analysis
- max time kernel: 156s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 02:22
Tasks
- Static task static1
- Behavioral task behavioral1: sample DIAGRAM.exe, resource win7-20220414-en
- Behavioral task behavioral2: sample DIAGRAM.exe, resource win10v2004-20220414-en
- Behavioral task behavioral3: sample INV45367.exe, resource win7-20220414-en
- Behavioral task behavioral4: sample INV45367.exe, resource win10v2004-20220414-en
- Behavioral task behavioral5: sample PICS.exe, resource win7-20220414-en
- Behavioral task behavioral6: sample PICS.exe, resource win10v2004-20220414-en
General
- Target: DIAGRAM.exe
- Size: 666KB
- MD5: 4f356846f7030367803453f210306628
- SHA1: 960fa757fdb7f628facb24b8b686f20c2fa79382
- SHA256: f7cc73c4bd3b43e1c4be82c8ea43d8db9bd170acc78031e83f8c71277a2d8990
- SHA512: 7ff8bda0b221bacb3b9c1d9e41e7331374963d51f4e96dcde3e99d477aef8c8d2985144110313415c624bd5c8e48188ac81456396748b1d549a19b68aff9ab86
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- NirSoft MailPassView (1 IoC)
  Password recovery tool for various email clients
  Processes:
    resource: behavioral2/memory/100-139-0x0000000000400000-0x0000000000488000-memory.dmp, yara_rule: MailPassView
- NirSoft WebBrowserPassView (1 IoC)
  Password recovery tool for various web browsers
  Processes:
    resource: behavioral2/memory/100-139-0x0000000000400000-0x0000000000488000-memory.dmp, yara_rule: WebBrowserPassView
- Nirsoft (1 IoC)
  Processes:
    resource: behavioral2/memory/100-139-0x0000000000400000-0x0000000000488000-memory.dmp, yara_rule: Nirsoft
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion, DIAGRAM.exe
    Key value queried, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion, DIAGRAM.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description, ioc, process):
    Key value queried, \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation, DIAGRAM.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
    41, whatismyipaddress.com
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0, DIAGRAM.exe
    Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum, DIAGRAM.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 4072 set thread context of 100, 4072, DIAGRAM.exe, MSBuild.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege, 4072, DIAGRAM.exe
    Token: SeDebugPrivilege, 100, MSBuild.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 4072 wrote to memory of 3976, 4072, DIAGRAM.exe, schtasks.exe
    PID 4072 wrote to memory of 3976, 4072, DIAGRAM.exe, schtasks.exe
    PID 4072 wrote to memory of 3976, 4072, DIAGRAM.exe, schtasks.exe
    PID 4072 wrote to memory of 100, 4072, DIAGRAM.exe, MSBuild.exe
    PID 4072 wrote to memory of 100, 4072, DIAGRAM.exe, MSBuild.exe
    PID 4072 wrote to memory of 100, 4072, DIAGRAM.exe, MSBuild.exe
    PID 4072 wrote to memory of 100, 4072, DIAGRAM.exe, MSBuild.exe
    PID 4072 wrote to memory of 100, 4072, DIAGRAM.exe, MSBuild.exe
    PID 4072 wrote to memory of 100, 4072, DIAGRAM.exe, MSBuild.exe
    PID 4072 wrote to memory of 100, 4072, DIAGRAM.exe, MSBuild.exe
    PID 4072 wrote to memory of 100, 4072, DIAGRAM.exe, MSBuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\DIAGRAM.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DIAGRAM.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NurSHgGUQC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2C3B.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2)
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp2C3B.tmp
  Filesize: 1KB
  MD5: 7688d1b4c8582526b9e564f3ba3c2602
  SHA1: 48273417e450526102bd348c57664744ca18955f
  SHA256: 19a69ae904d615b25b53ca262a720c7cbb6f8bd82f10b3a7f1b868dda680b188
  SHA512: a2942672acd74a399dbe5e8786cb5c902e80a44ba1e2603150ed1f495061894600ae61774247b2c1b604db1ad78eaa7655c82bfff2d18bdd7a21456381415c2f
- memory/100-138-0x0000000000000000-mapping.dmp
- memory/100-139-0x0000000000400000-0x0000000000488000-memory.dmp (Filesize: 544KB)
- memory/100-140-0x0000000005390000-0x00000000053E6000-memory.dmp (Filesize: 344KB)
- memory/3976-136-0x0000000000000000-mapping.dmp
- memory/4072-130-0x0000000000C40000-0x0000000000CEE000-memory.dmp (Filesize: 696KB)
- memory/4072-131-0x0000000005B50000-0x00000000060F4000-memory.dmp (Filesize: 5.6MB)
- memory/4072-132-0x0000000005690000-0x0000000005722000-memory.dmp (Filesize: 584KB)
- memory/4072-133-0x0000000005840000-0x000000000584A000-memory.dmp (Filesize: 40KB)
- memory/4072-134-0x0000000008FA0000-0x000000000903C000-memory.dmp (Filesize: 624KB)
- memory/4072-135-0x0000000001420000-0x0000000001486000-memory.dmp (Filesize: 408KB)