Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    16/06/2022, 02:25

General

  • Target

    2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe

  • Size

    4.2MB

  • MD5

    39563dbf4a0421506d0d0236ced276b8

  • SHA1

    b3bfb1cc8e53817d88649cd347aeb84a582798cd

  • SHA256

    2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165

  • SHA512

    da369b86b2c39b26ac178d9d3c2a1a87c7b6f0143dd8e3a082445b639a932bd90a3363ac18c8b11d30050d5ac6b4025e0c3f4cde6e20fb8e94c625a6bc76ea20

Malware Config

Signatures

  • CryptBot

    A C++ stealer, widely distributed bundled with other software.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  • Blocklisted process makes network request (4 IoCs)
  • Executes dropped EXE (1 IoC)
  • Checks BIOS information in registry (2 TTPs, 4 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys (2 TTPs, 2 IoCs)

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but drive enumeration is just as common in stealers looking for files to collect, so on its own it is a weak indicator.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of FindShellTrayWindow (12 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
    "C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\ProgramData\Newu\City.exe
      C:\ProgramData\Newu\City.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:832
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\ipras.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:1956

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\Newu\City.exe

    Filesize

    2.2MB

    MD5

    4e74e3957beb1fbf8f790de6d262a12f

    SHA1

    1e74a37e218b25e8218af0d68e5d2533d44255dc

    SHA256

    89120c2b00c6f9299ec1afdd6255a78e475c8205a1c05ffa6e133c7f22cfc8db

    SHA512

    c437614c198648c7956301f643bfaccb57fea66e87a2b0798f17cce92476497fb3f1cd3eee16162e92e2c5a8bfd97de2458d5a5ee4c6aac6f188c81e20296e96

  • C:\ProgramData\ipras.vbs

    Filesize

    126B

    MD5

    b802ff9244875f69db2fae0f78e92b10

    SHA1

    49385a89cd575894a29fbda969b99cc1f5cf8076

    SHA256

    a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8

    SHA512

    609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e

  • \ProgramData\Newu\City.exe

    Filesize

    2.2MB

    MD5

    4e74e3957beb1fbf8f790de6d262a12f

    SHA1

    1e74a37e218b25e8218af0d68e5d2533d44255dc

    SHA256

    89120c2b00c6f9299ec1afdd6255a78e475c8205a1c05ffa6e133c7f22cfc8db

    SHA512

    c437614c198648c7956301f643bfaccb57fea66e87a2b0798f17cce92476497fb3f1cd3eee16162e92e2c5a8bfd97de2458d5a5ee4c6aac6f188c81e20296e96

  • memory/832-65-0x0000000000860000-0x0000000000DB7000-memory.dmp

    Filesize

    5.3MB

  • memory/832-73-0x0000000073901000-0x0000000073903000-memory.dmp

    Filesize

    8KB

  • memory/832-84-0x0000000000860000-0x0000000000DB7000-memory.dmp

    Filesize

    5.3MB

  • memory/832-83-0x0000000077010000-0x0000000077190000-memory.dmp

    Filesize

    1.5MB

  • memory/832-61-0x0000000000860000-0x0000000000DB7000-memory.dmp

    Filesize

    5.3MB

  • memory/832-63-0x0000000074081000-0x0000000074083000-memory.dmp

    Filesize

    8KB

  • memory/832-64-0x0000000077010000-0x0000000077190000-memory.dmp

    Filesize

    1.5MB

  • memory/832-82-0x0000000000860000-0x0000000000DB7000-memory.dmp

    Filesize

    5.3MB

  • memory/832-66-0x0000000073D81000-0x0000000073D83000-memory.dmp

    Filesize

    8KB

  • memory/832-80-0x0000000073951000-0x0000000073953000-memory.dmp

    Filesize

    8KB

  • memory/832-72-0x0000000073AC1000-0x0000000073AC3000-memory.dmp

    Filesize

    8KB

  • memory/1624-74-0x0000000000400000-0x0000000000B3B000-memory.dmp

    Filesize

    7.2MB

  • memory/1624-55-0x0000000000400000-0x0000000000B3B000-memory.dmp

    Filesize

    7.2MB

  • memory/1624-81-0x000000000A7A0000-0x000000000ACF7000-memory.dmp

    Filesize

    5.3MB

  • memory/1624-54-0x0000000075C71000-0x0000000075C73000-memory.dmp

    Filesize

    8KB

  • memory/1624-60-0x000000000A7A0000-0x000000000ACF7000-memory.dmp

    Filesize

    5.3MB

  • memory/1624-56-0x0000000077010000-0x0000000077190000-memory.dmp

    Filesize

    1.5MB
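
The dropped-file hashes above are the most reusable IoCs on this page: a file name such as ipras.vbs is trivial to change, while the digests identify the exact bytes. The following is an added example, not part of the sandbox report, of a small scanner that hashes every file once with all four algorithms and matches the result against the report's Downloads entries. Only the digests of City.exe and ipras.vbs are taken from the page; the demo directory, the placeholder script contents and the planted test file are constructed for the run.

```python
import hashlib
import io
import os
import tempfile

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Dropped-file IoCs copied from the report's Downloads section.
REPORT_IOCS = {
    r"C:\ProgramData\Newu\City.exe": {
        "md5": "4e74e3957beb1fbf8f790de6d262a12f",
        "sha1": "1e74a37e218b25e8218af0d68e5d2533d44255dc",
        "sha256": "89120c2b00c6f9299ec1afdd6255a78e475c8205a1c05ffa6e133c7f22cfc8db",
    },
    r"C:\ProgramData\ipras.vbs": {
        "md5": "b802ff9244875f69db2fae0f78e92b10",
        "sha1": "49385a89cd575894a29fbda969b99cc1f5cf8076",
        "sha256": "a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8",
    },
}


def digests_of_stream(fh, chunk_size=1 << 20):
    """Read a file object once, feeding each chunk to all four hashers."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    while True:
        chunk = fh.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def digests_of_bytes(data):
    return digests_of_stream(io.BytesIO(data))


def digests_of_file(path):
    with open(path, "rb") as fh:
        return digests_of_stream(fh)


def match_iocs(digests, iocs):
    """Return (ioc_name, algorithm) pairs whose known digest equals the file's.
    Strongest algorithm first, so a SHA-256 hit is reported ahead of MD5."""
    hits = []
    for name, known in iocs.items():
        for algo in ("sha512", "sha256", "sha1", "md5"):
            if algo in known and known[algo].lower() == digests[algo]:
                hits.append((name, algo))
                break
    return hits


def scan_tree(root, iocs):
    """Hash every regular file under root; return sorted (relpath, ioc, algo)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            for name, algo in match_iocs(digests_of_file(path), iocs):
                hits.append((os.path.relpath(path, root), name, algo))
    return sorted(hits)


def demo():
    """Constructed demo: a file that merely reuses the dropped script's name does
    not match, while a file whose bytes hash to a known IoC does."""
    planted = b"hello"  # constructed content; its SHA-256 is added as a test IoC
    iocs = dict(REPORT_IOCS)
    iocs["planted-test-file"] = {"sha256": digests_of_bytes(planted)["sha256"]}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "ProgramData"))
        with open(os.path.join(root, "ProgramData", "ipras.vbs"), "wb") as fh:
            fh.write(b"' constructed placeholder, not the real dropped script\r\n")
        with open(os.path.join(root, "planted.bin"), "wb") as fh:
            fh.write(planted)
        return scan_tree(root, iocs)


if __name__ == "__main__":
    for rel, name, algo in demo():
        print(f"{rel}: matches {name} via {algo}")
```

Point the scanner at a mounted image or a collected ProgramData folder by calling scan_tree(path, REPORT_IOCS). The report gives sizes only as rounded values (2.2MB, 126B), so they are not used as a pre-filter here; if you have exact sizes from your own collection, checking them before hashing saves time on large trees.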