Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16/06/2022, 02:25
Static task: static1
Behavioral task: behavioral1
Sample: 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
Resource: win7-20220414-en
General
- Target: 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
- Size: 4.2MB
- MD5: 39563dbf4a0421506d0d0236ced276b8
- SHA1: b3bfb1cc8e53817d88649cd347aeb84a582798cd
- SHA256: 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165
- SHA512: da369b86b2c39b26ac178d9d3c2a1a87c7b6f0143dd8e3a082445b639a932bd90a3363ac18c8b11d30050d5ac6b4025e0c3f4cde6e20fb8e94c625a6bc76ea20
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | City.exe
-
Blocklisted process makes network request 4 IoCs
flow | pid | Process
5 | 1956 | WScript.exe
6 | 1956 | WScript.exe
7 | 1956 | WScript.exe
8 | 1956 | WScript.exe
-
Executes dropped EXE 1 IoCs
pid | Process
832 | City.exe
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | City.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | City.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Wine | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Wine | City.exe
-
Loads dropped DLL 1 IoCs
pid | Process
1624 | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
10 | ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
1624 | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
832 | City.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | City.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | City.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1624 | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
832 | City.exe
-
Suspicious use of FindShellTrayWindow 12 IoCs
pid | Process
832 | City.exe (12 identical entries)
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1624 wrote to memory of 832 | 1624 | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | 27 (4 identical entries)
PID 1624 wrote to memory of 1956 | 1624 | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | 28 (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Identifies Wine through registry keys
   - Loads dropped DLL
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 1624
   2. C:\ProgramData\Newu\City.exe
      Command line: C:\ProgramData\Newu\City.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      PID: 832
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\ipras.vbs"
      - Blocklisted process makes network request
      PID: 1956
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 2.2MB
MD5: 4e74e3957beb1fbf8f790de6d262a12f
SHA1: 1e74a37e218b25e8218af0d68e5d2533d44255dc
SHA256: 89120c2b00c6f9299ec1afdd6255a78e475c8205a1c05ffa6e133c7f22cfc8db
SHA512: c437614c198648c7956301f643bfaccb57fea66e87a2b0798f17cce92476497fb3f1cd3eee16162e92e2c5a8bfd97de2458d5a5ee4c6aac6f188c81e20296e96
-
Filesize: 126B
MD5: b802ff9244875f69db2fae0f78e92b10
SHA1: 49385a89cd575894a29fbda969b99cc1f5cf8076
SHA256: a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8
SHA512: 609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e