Analysis

max time kernel: 92s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 03-06-2022 15:16

Static task: static1

Behavioral task: behavioral1
Sample: 1286f05c8e544ee2a3c1818a28f4f05d9b2c5d802fc413cd210fadeb537437aa.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 1286f05c8e544ee2a3c1818a28f4f05d9b2c5d802fc413cd210fadeb537437aa.exe
Resource: win10v2004-20220414-en
General

Target: 1286f05c8e544ee2a3c1818a28f4f05d9b2c5d802fc413cd210fadeb537437aa.exe
Size: 1.7MB
MD5: 5052bb8fdec5fed9db55c44c11cfc568
SHA1: a5b781562d536aeb098113257641b704c2d18715
SHA256: 1286f05c8e544ee2a3c1818a28f4f05d9b2c5d802fc413cd210fadeb537437aa
SHA512: 1cef862fb24e26f37167fe385e47a5c22fc7f2a011315b9a019203ac94e651084d6cf059d0db7f0b1ef7a917cfdad8a3f56bf727a6c6178e0610c261b4a194fa

Malware Config

Extracted: buer
- http://kload01.info/
- http://kload02.info/
Signatures

- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\UBlockPlugin\\plugin.exe\"" | plugin.exe

- Memory matches (yara)
  resource | yara_rule
  behavioral2/memory/2380-132-0x000000003FFA0000-0x00000000403EB000-memory.dmp | buer
  behavioral2/memory/2380-133-0x000000003FFA0000-0x00000000403EB000-memory.dmp | buer
  behavioral2/memory/2380-134-0x000000003FFA0000-0x00000000403EB000-memory.dmp | buer
  behavioral2/memory/2380-138-0x000000003FFA0000-0x00000000403EB000-memory.dmp | buer
  behavioral2/memory/1452-142-0x000000003F900000-0x000000003FD4B000-memory.dmp | buer
  behavioral2/memory/1452-143-0x000000003F900000-0x000000003FD4B000-memory.dmp | buer
  behavioral2/memory/1452-144-0x000000003F900000-0x000000003FD4B000-memory.dmp | buer

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1286f05c8e544ee2a3c1818a28f4f05d9b2c5d802fc413cd210fadeb537437aa.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | plugin.exe

- Executes dropped EXE (1 IoC)
  pid | Process
  1452 | plugin.exe

- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1286f05c8e544ee2a3c1818a28f4f05d9b2c5d802fc413cd210fadeb537437aa.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1286f05c8e544ee2a3c1818a28f4f05d9b2c5d802fc413cd210fadeb537437aa.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | plugin.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | plugin.exe

- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Wine | 1286f05c8e544ee2a3c1818a28f4f05d9b2c5d802fc413cd210fadeb537437aa.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Wine | plugin.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  2380 | 1286f05c8e544ee2a3c1818a28f4f05d9b2c5d802fc413cd210fadeb537437aa.exe
  1452 | plugin.exe

- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  4756 | 4324 | WerFault.exe | 88

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  2380 | 1286f05c8e544ee2a3c1818a28f4f05d9b2c5d802fc413cd210fadeb537437aa.exe
  2380 | 1286f05c8e544ee2a3c1818a28f4f05d9b2c5d802fc413cd210fadeb537437aa.exe
  1452 | plugin.exe
  1452 | plugin.exe
  1452 | plugin.exe
  1452 | plugin.exe

- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 2380 wrote to memory of 1452 | 2380 | 1286f05c8e544ee2a3c1818a28f4f05d9b2c5d802fc413cd210fadeb537437aa.exe | 85
  PID 2380 wrote to memory of 1452 | 2380 | 1286f05c8e544ee2a3c1818a28f4f05d9b2c5d802fc413cd210fadeb537437aa.exe | 85
  PID 2380 wrote to memory of 1452 | 2380 | 1286f05c8e544ee2a3c1818a28f4f05d9b2c5d802fc413cd210fadeb537437aa.exe | 85
  PID 1452 wrote to memory of 4324 | 1452 | plugin.exe | 88
  PID 1452 wrote to memory of 4324 | 1452 | plugin.exe | 88
  PID 1452 wrote to memory of 4324 | 1452 | plugin.exe | 88
  PID 1452 wrote to memory of 4324 | 1452 | plugin.exe | 88
  PID 1452 wrote to memory of 4324 | 1452 | plugin.exe | 88
  PID 1452 wrote to memory of 4324 | 1452 | plugin.exe | 88
  PID 1452 wrote to memory of 4324 | 1452 | plugin.exe | 88
  PID 1452 wrote to memory of 4324 | 1452 | plugin.exe | 88
  PID 1452 wrote to memory of 4324 | 1452 | plugin.exe | 88
  PID 1452 wrote to memory of 4324 | 1452 | plugin.exe | 88
  PID 1452 wrote to memory of 4324 | 1452 | plugin.exe | 88
  PID 1452 wrote to memory of 4324 | 1452 | plugin.exe | 88
Processes

C:\Users\Admin\AppData\Local\Temp\1286f05c8e544ee2a3c1818a28f4f05d9b2c5d802fc413cd210fadeb537437aa.exe (PID 2380)
  command line: "C:\Users\Admin\AppData\Local\Temp\1286f05c8e544ee2a3c1818a28f4f05d9b2c5d802fc413cd210fadeb537437aa.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\UBlockPlugin\plugin.exe (PID 1452)
    command line: C:\ProgramData\UBlockPlugin\plugin.exe "C:\Users\Admin\AppData\Local\Temp\1286f05c8e544ee2a3c1818a28f4f05d9b2c5d802fc413cd210fadeb537437aa.exe" ensgJJ
    - Modifies WinLogon for persistence
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\secinit.exe (PID 4324)
      command line: C:\ProgramData\UBlockPlugin\plugin.exe

      C:\Windows\SysWOW64\WerFault.exe (PID 4756)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 176
        - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 3532)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4324 -ip 4324
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.7MB
MD5: 5052bb8fdec5fed9db55c44c11cfc568
SHA1: a5b781562d536aeb098113257641b704c2d18715
SHA256: 1286f05c8e544ee2a3c1818a28f4f05d9b2c5d802fc413cd210fadeb537437aa
SHA512: 1cef862fb24e26f37167fe385e47a5c22fc7f2a011315b9a019203ac94e651084d6cf059d0db7f0b1ef7a917cfdad8a3f56bf727a6c6178e0610c261b4a194fa