Analysis

Max time kernel: 150s
Max time network: 140s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 30-05-2022 23:40

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0807f543bc8322a5c55739c0a46aa8912feb5d3c8785b36188f9eb9e8b5e6af0.exe
  Resource: win7-20220414-en
General

Target: 0807f543bc8322a5c55739c0a46aa8912feb5d3c8785b36188f9eb9e8b5e6af0.exe
Size: 1.7MB
MD5: 3e397d12e8dc5a6194c6c275977f8bba
SHA1: 2aa3297e700208a43cad912c69aa5ff1f9435bce
SHA256: 0807f543bc8322a5c55739c0a46aa8912feb5d3c8785b36188f9eb9e8b5e6af0
SHA512: 6f0fba2a65073e0e8f526c4bfd0a24ae130a68c3f21b49595afc2bd4fd9c7d9f4661312f356011fae3ee626ffcb2ca364046e7fbc947f90d11719593a2ba9453
Malware Config

Extracted family: buer
URLs extracted from the config:
- https://loddd01.info/
- https://loddd02.info/
Signatures

YARA rule matches (rule: buer)
- behavioral2/memory/4448-132-0x000000003FAA0000-0x000000003FF00000-memory.dmp
- behavioral2/memory/4448-133-0x000000003FAA0000-0x000000003FF00000-memory.dmp
- behavioral2/memory/4448-134-0x000000003FAA0000-0x000000003FF00000-memory.dmp
- behavioral2/memory/4448-138-0x000000003FAA0000-0x000000003FF00000-memory.dmp
- behavioral2/memory/4188-142-0x000000003F840000-0x000000003FCA0000-memory.dmp
- behavioral2/memory/4188-143-0x000000003F840000-0x000000003FCA0000-memory.dmp
- behavioral2/memory/4188-144-0x000000003F840000-0x000000003FCA0000-memory.dmp

Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]

Executes dropped EXE [1 IoC]
- PID 4188: plugin.exe

Checks BIOS information in registry [2 TTPs, 4 IoCs]
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 0807f543bc8322a5c55739c0a46aa8912feb5d3c8785b36188f9eb9e8b5e6af0.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 0807f543bc8322a5c55739c0a46aa8912feb5d3c8785b36188f9eb9e8b5e6af0.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: plugin.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: plugin.exe)

Identifies Wine through registry keys [2 TTPs, 2 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Wine (process: 0807f543bc8322a5c55739c0a46aa8912feb5d3c8785b36188f9eb9e8b5e6af0.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Wine (process: plugin.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger [2 IoCs]
- PID 4448: 0807f543bc8322a5c55739c0a46aa8912feb5d3c8785b36188f9eb9e8b5e6af0.exe
- PID 4188: plugin.exe

Program crash [1 IoC]
- PID 3032: WerFault.exe, target PID 4820 (procid_target 89)

Suspicious behavior: EnumeratesProcesses [6 IoCs]
- PID 4448: 0807f543bc8322a5c55739c0a46aa8912feb5d3c8785b36188f9eb9e8b5e6af0.exe (2 events)
- PID 4188: plugin.exe (4 events)

Suspicious use of WriteProcessMemory [14 IoCs]
- PID 4448 (0807f543bc8322a5c55739c0a46aa8912feb5d3c8785b36188f9eb9e8b5e6af0.exe) wrote to memory of PID 4188 (procid_target 88): 3 events
- PID 4188 (plugin.exe) wrote to memory of PID 4820 (procid_target 89): 11 events
Processes

1. Image: C:\Users\Admin\AppData\Local\Temp\0807f543bc8322a5c55739c0a46aa8912feb5d3c8785b36188f9eb9e8b5e6af0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0807f543bc8322a5c55739c0a46aa8912feb5d3c8785b36188f9eb9e8b5e6af0.exe"
   PID: 4448
   - Checks BIOS information in registry
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. Image: C:\ProgramData\UBlockPlugin\plugin.exe
      Command line: C:\ProgramData\UBlockPlugin\plugin.exe "C:\Users\Admin\AppData\Local\Temp\0807f543bc8322a5c55739c0a46aa8912feb5d3c8785b36188f9eb9e8b5e6af0.exe" ensgJJ
      PID: 4188
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. Image: C:\Windows\SysWOW64\secinit.exe
         Command line: C:\ProgramData\UBlockPlugin\plugin.exe
         PID: 4820
         4. Image: C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 220
            PID: 3032
            - Program crash
1. Image: C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4820 -ip 4820
   PID: 4496

Note on PID 4820: its image on disk is C:\Windows\SysWOW64\secinit.exe, but its command line names C:\ProgramData\UBlockPlugin\plugin.exe. Taken together with the 11 WriteProcessMemory events from PID 4188 into PID 4820 and the WerFault crash of 4820 that follows, this is consistent with plugin.exe starting a legitimate 32-bit system binary and writing its payload into it; the mismatch between image path and command line is the indicator worth alerting on outside the sandbox.
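The checks a detection engineer would lift from this report are the paired firmware-string and Wine registry probes, the process whose image path and command line disagree, and repeated cross-process writes into a binary under C:\Windows. The script below runs those three checks over an event list. It is an added example, not code from the sandbox or from the report: the events are constructed by hand from the signature tables and the process tree above, and the event schema (event/pid/ppid/image/cmdline/key/target_pid) and the rule names are assumptions of the script rather than any vendor's format.

```python
"""Detection pass over the behaviour this report records: anti-sandbox registry
probes, a system binary started under a foreign command line, and repeated
cross-process memory writes into that binary.

Added example, not code from the sandbox or from the report. The event list is
constructed by hand from the report's signature tables and process tree; the
event schema (event/pid/ppid/image/cmdline/key/target_pid) and the rule names
are assumptions of this script, not any vendor's format.
"""
from collections import defaultdict
import ntpath

SAMPLE = "0807f543bc8322a5c55739c0a46aa8912feb5d3c8785b36188f9eb9e8b5e6af0.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
PLUGIN_PATH = r"C:\ProgramData\UBlockPlugin\plugin.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000"

# Registry locations both processes touch before doing anything else: the
# firmware strings (VM vendors leave their names there) and the Wine key.
BIOS_VALUES = {
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
}
WINE_SUFFIX = "\\software\\wine"


def _start(pid, ppid, image, cmdline):
    return {"event": "process_start", "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline}


def _reg(pid, key):
    return {"event": "registry_access", "pid": pid, "key": key}


def _writes(pid, target, n):
    return [{"event": "write_process_memory", "pid": pid, "target_pid": target}] * n


# Constructed from the report: PIDs, paths and event counts match its tables.
# The parent of PID 4448 is not in the report, hence ppid=None.
EVENTS = [
    _start(4448, None, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    *[_reg(4448, k) for k in sorted(BIOS_VALUES)],
    _reg(4448, USER_HIVE + r"\Software\Wine"),
    *_writes(4448, 4188, 3),
    _start(4188, 4448, PLUGIN_PATH, f'{PLUGIN_PATH} "{SAMPLE_PATH}" ensgJJ'),
    *[_reg(4188, k) for k in sorted(BIOS_VALUES)],
    _reg(4188, USER_HIVE + r"\Software\Wine"),
    *_writes(4188, 4820, 11),
    # Image on disk is secinit.exe, but the command line names plugin.exe.
    _start(4820, 4188, r"C:\Windows\SysWOW64\secinit.exe", PLUGIN_PATH),
    _start(3032, 4820, r"C:\Windows\SysWOW64\WerFault.exe",
           r"C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 220"),
]


def first_token(cmdline):
    """Program a command line names: the quoted path, else text up to the first space."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def analyse(events):
    """Return (rule, pid, detail) tuples, one per matching process or process pair."""
    procs = {e["pid"]: e for e in events if e["event"] == "process_start"}
    probes = defaultdict(set)
    writes = defaultdict(int)
    for e in events:
        if e["event"] == "registry_access":
            key = e["key"]
            if key in BIOS_VALUES or key.lower().endswith(WINE_SUFFIX):
                probes[e["pid"]].add(ntpath.basename(key))
        elif e["event"] == "write_process_memory":
            writes[(e["pid"], e["target_pid"])] += 1

    findings = []
    for pid, names in sorted(probes.items()):
        # One of these reads alone is common in benign software; the sample
        # reads both firmware strings and the Wine key from the same process.
        if len(names) >= 2:
            findings.append(("anti_sandbox_registry_probe", pid, ",".join(sorted(names))))
    for pid, p in sorted(procs.items()):
        on_disk = ntpath.basename(p["image"]).lower()
        claimed = ntpath.basename(first_token(p["cmdline"])).lower()
        if on_disk != claimed:
            findings.append(("image_cmdline_mismatch", pid, f"{on_disk} started as {claimed}"))
    for (src, dst), n in sorted(writes.items()):
        target = procs.get(dst)
        if target is None:
            continue
        name = ntpath.basename(target["image"])
        if target["image"].lower().startswith("c:\\windows\\"):
            findings.append(("write_into_system_binary", src, f"{n} writes into pid {dst} ({name})"))
        else:
            findings.append(("cross_process_write", src, f"{n} writes into pid {dst}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Run stand-alone it prints five findings: the registry probe for each of PIDs 4448 and 4188, the secinit.exe/plugin.exe mismatch on PID 4820, the 11 writes from 4188 into the secinit.exe process, and the 3 writes from 4448 into plugin.exe. The image/command-line comparison is deliberately done on basenames only, since a hollowed process commonly keeps the dropper's full command line while the image path points at the system binary.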
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.7MB
MD5: 3e397d12e8dc5a6194c6c275977f8bba
SHA1: 2aa3297e700208a43cad912c69aa5ff1f9435bce
SHA256: 0807f543bc8322a5c55739c0a46aa8912feb5d3c8785b36188f9eb9e8b5e6af0
SHA512: 6f0fba2a65073e0e8f526c4bfd0a24ae130a68c3f21b49595afc2bd4fd9c7d9f4661312f356011fae3ee626ffcb2ca364046e7fbc947f90d11719593a2ba9453