Analysis
-
max time kernel
158s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
15/06/2022, 15:42
Static task
static1
Behavioral task
behavioral1
Sample
29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe
Resource
win7-20220414-en
General
-
Target
29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe
-
Size
4.1MB
-
MD5
d647a51a9a2c8fa190d251a4a445ea68
-
SHA1
b330047cbd4eb566b2a54c5d70d659b28f589c57
-
SHA256
29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82
-
SHA512
04c15b58095ced658355b93673bfeffb8e07a5a1e0a238c348c91e9ac1d70a05c2c74f3d46b5e2a28edf5b0ddbdf1884caca17fa3238ad7dfdbb219b6fe272b1
Malware Config
Signatures
-
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ SetupX.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Setup.exe -
Executes dropped EXE 2 IoCs
pid Process 4224 Setup.exe 4824 SetupX.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion SetupX.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion SetupX.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Setup.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation SetupX.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine SetupX.exe Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine Setup.exe -
Loads dropped DLL 1 IoCs
pid Process 3504 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 17 ip-api.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 4824 SetupX.exe 4224 Setup.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\New Year\Pass.txt 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe File created C:\Program Files (x86)\New Year\Setup.exe 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe File created C:\Program Files (x86)\New Year\SetupX.exe 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Setup.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4824 SetupX.exe 4824 SetupX.exe 4224 Setup.exe 4224 Setup.exe -
Suspicious use of FindShellTrayWindow 12 IoCs
pid Process 4224 Setup.exe 4224 Setup.exe 4224 Setup.exe 4224 Setup.exe 4224 Setup.exe 4224 Setup.exe 4224 Setup.exe 4224 Setup.exe 4224 Setup.exe 4224 Setup.exe 4224 Setup.exe 4224 Setup.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3504 wrote to memory of 4224 3504 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe 80 PID 3504 wrote to memory of 4224 3504 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe 80 PID 3504 wrote to memory of 4224 3504 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe 80 PID 3504 wrote to memory of 4824 3504 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe 81 PID 3504 wrote to memory of 4824 3504 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe 81 PID 3504 wrote to memory of 4824 3504 29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe"C:\Users\Admin\AppData\Local\Temp\29067a22a6de69488cf625f401728aa0ba5882029c536919fb27a87a78b23a82.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Program Files (x86)\New Year\Setup.exe"C:\Program Files (x86)\New Year\Setup.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4224
-
-
C:\Program Files (x86)\New Year\SetupX.exe"C:\Program Files (x86)\New Year\SetupX.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4824
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.2MB
MD513938b74ee35f932790e2cd20a5fb939
SHA1cdd956c899b86684f454934d739edf7434462a2e
SHA256c01deda4855d396698aa336130662e2cefbc5d6dc83f93508781aa166a1ad8b9
SHA5123bdce3182f36f5a1e220f8d7d55a546a51bca249f7fe68f27216e7b41784ce226a1798965679da3ddeb76964495667d80d6d7f4e5b219c6ec0ac184591f78ee5
-
Filesize
2.2MB
MD513938b74ee35f932790e2cd20a5fb939
SHA1cdd956c899b86684f454934d739edf7434462a2e
SHA256c01deda4855d396698aa336130662e2cefbc5d6dc83f93508781aa166a1ad8b9
SHA5123bdce3182f36f5a1e220f8d7d55a546a51bca249f7fe68f27216e7b41784ce226a1798965679da3ddeb76964495667d80d6d7f4e5b219c6ec0ac184591f78ee5
-
Filesize
2.0MB
MD5191d56d1bb4233a1004b2a80c3affb74
SHA1245551fc86c81b2c1718bd23301d86ffc42406c2
SHA256910ed7b9bb93c880e76308db8cff1d84215a94bfa41128ef0ba21d24ae4a1a4c
SHA512bf1508f5b7d7d7d3ac572781eeab2e4f1f93748e8aa34ca833e049f419df1991d082e53fc3e16071dba8f4ffae3f032e0d3bb389ea5f45b1780c7f1fe0ec3d96
-
Filesize
14KB
MD5adb29e6b186daa765dc750128649b63d
SHA1160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA2562f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada