Analysis
- max time kernel: 151s
- max time network: 158s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 15/06/2022, 15:42

Static task: static1
Behavioral task: behavioral1
Sample: 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe
Resource: win7-20220414-en
General
- Target: 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe
- Size: 4.1MB
- MD5: d647a51a9a2c8fa190d251a4a445ea68
- SHA1: b330047cbd4eb566b2a54c5d70d659b28f589c57
- SHA256: 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82
- SHA512: 04c15b58095ced658355b93673bfeffb8e07a5a1e0a238c348c91e9ac1d70a05c2c74f3d46b5e2a28edf5b0ddbdf1884caca17fa3238ad7dfdbb219b6fe272b1
Malware Config
Signatures
- suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 2 IoCs]
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Setup.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | SetupX.exe
- Executes dropped EXE [2 IoCs]
  pid | Process
  1044 | Setup.exe
  1720 | SetupX.exe
- Checks BIOS information in registry [2 TTPs, 4 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SetupX.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | SetupX.exe
- Identifies Wine through registry keys [2 TTPs, 2 IoCs]
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine | SetupX.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine | Setup.exe
- Loads dropped DLL [7 IoCs]
  pid | Process
  1448 | 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe
  1448 | 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe
  1044 | Setup.exe
  1044 | Setup.exe
  1448 | 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe
  1720 | SetupX.exe
  1720 | SetupX.exe
- Reads user/profile data of web browsers [2 TTPs]
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]
- Checks installed software on the system [1 TTP]
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 [1 TTP]
- Looks up external IP address via web service [1 IoC]
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  6 | ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger [2 IoCs]
  pid | Process
  1044 | Setup.exe
  1720 | SetupX.exe
- Drops file in Program Files directory [3 IoCs]
  description | ioc | Process
  File created | C:\Program Files (x86)\New Year\Pass.txt | 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe
  File created | C:\Program Files (x86)\New Year\Setup.exe | 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe
  File created | C:\Program Files (x86)\New Year\SetupX.exe | 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe
- Enumerates physical storage devices [1 TTP]
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry [2 TTPs, 2 IoCs]
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Setup.exe
- Modifies system certificate store
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | SetupX.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob omitted) | SetupX.exe
- Suspicious behavior: EnumeratesProcesses [2 IoCs]
  pid | Process
  1044 | Setup.exe
  1720 | SetupX.exe
- Suspicious use of FindShellTrayWindow [12 IoCs]
  pid | Process
  1044 | Setup.exe (12 identical entries)
- Suspicious use of WriteProcessMemory [14 IoCs]
  description | pid | Process | procid_target
  PID 1448 wrote to memory of 1044 | 1448 | 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe | 28 (7 identical entries)
  PID 1448 wrote to memory of 1720 | 1448 | 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe | 29 (7 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe (PID 1448)
  command line: "C:\Users\Admin\AppData\Local\Temp\29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\New Year\Setup.exe (PID 1044, child of 1448)
    command line: "C:\Program Files (x86)\New Year\Setup.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
  - C:\Program Files (x86)\New Year\SetupX.exe (PID 1720, child of 1448)
    command line: "C:\Program Files (x86)\New Year\SetupX.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2.2MB
  MD5: 13938b74ee35f932790e2cd20a5fb939
  SHA1: cdd956c899b86684f454934d739edf7434462a2e
  SHA256: c01deda4855d396698aa336130662e2cefbc5d6dc83f93508781aa166a1ad8b9
  SHA512: 3bdce3182f36f5a1e220f8d7d55a546a51bca249f7fe68f27216e7b41784ce226a1798965679da3ddeb76964495667d80d6d7f4e5b219c6ec0ac184591f78ee5
- Filesize: 2.0MB
  MD5: 191d56d1bb4233a1004b2a80c3affb74
  SHA1: 245551fc86c81b2c1718bd23301d86ffc42406c2
  SHA256: 910ed7b9bb93c880e76308db8cff1d84215a94bfa41128ef0ba21d24ae4a1a4c
  SHA512: bf1508f5b7d7d7d3ac572781eeab2e4f1f93748e8aa34ca833e049f419df1991d082e53fc3e16071dba8f4ffae3f032e0d3bb389ea5f45b1780c7f1fe0ec3d96
- Filesize: 14KB
  MD5: adb29e6b186daa765dc750128649b63d
  SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
  SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
  SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada