Analysis
- max time kernel: 157s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16/06/2022, 02:25
Static task: static1
Behavioral task: behavioral1
Sample: 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
Resource: win7-20220414-en
General
- Target: 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
- Size: 4.2MB
- MD5: 39563dbf4a0421506d0d0236ced276b8
- SHA1: b3bfb1cc8e53817d88649cd347aeb84a582798cd
- SHA256: 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165
- SHA512: da369b86b2c39b26ac178d9d3c2a1a87c7b6f0143dd8e3a082445b639a932bd90a3363ac18c8b11d30050d5ac6b4025e0c3f4cde6e20fb8e94c625a6bc76ea20
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 2 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | City.exe
- Blocklisted process makes network request | 3 IoCs
  flow | pid | Process
  3 | 2396 | WScript.exe
  5 | 2396 | WScript.exe
  7 | 2396 | WScript.exe
- Executes dropped EXE | 1 IoCs
  pid | Process
  4844 | City.exe
- Checks BIOS information in registry | 2 TTPs | 4 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | City.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | City.exe
- Checks computer location settings | 2 TTPs | 1 IoCs
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
- Identifies Wine through registry keys | 2 TTPs | 2 IoCs
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Wine | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Wine | City.exe
- Reads user/profile data of web browsers | 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting | 2 TTPs
- Checks installed software on the system | 1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 | 1 TTPs
- Looks up external IP address via web service | 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  8 | ip-api.com
- Drops file in System32 directory | 2 IoCs
  description | ioc | Process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{B541C762-BD3F-4B53-8812-2E662F94E065}.catalogItem | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{80D290BA-1542-452F-9561-246829826708}.catalogItem | svchost.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger | 2 IoCs
  pid | Process
  4652 | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
  4844 | City.exe
- Enumerates physical storage devices | 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry | 2 TTPs | 5 IoCs
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | City.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | City.exe
- Enumerates system info in registry | 2 TTPs | 2 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
- Modifies registry class | 1 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
- Suspicious behavior: EnumeratesProcesses | 4 IoCs
  pid | Process
  4652 | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
  4652 | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
  4844 | City.exe
  4844 | City.exe
- Suspicious use of FindShellTrayWindow | 12 IoCs
  pid | Process
  4844 | City.exe (12 identical entries)
- Suspicious use of WriteProcessMemory | 6 IoCs
  description | pid | Process | procid_target
  PID 4652 wrote to memory of 4844 | 4652 | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | 77
  PID 4652 wrote to memory of 4844 | 4652 | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | 77
  PID 4652 wrote to memory of 4844 | 4652 | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | 77
  PID 4652 wrote to memory of 2396 | 4652 | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | 78
  PID 4652 wrote to memory of 2396 | 4652 | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | 78
  PID 4652 wrote to memory of 2396 | 4652 | 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe | 78
Processes
- C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4652
  - C:\ProgramData\Newu\City.exe (depth 2)
    Command line: C:\ProgramData\Newu\City.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID: 4844
  - C:\Windows\SysWOW64\WScript.exe (depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\ipras.vbs"
    - Blocklisted process makes network request
    PID: 2396
- C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
  PID: 3504
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2.2MB
  MD5: 4e74e3957beb1fbf8f790de6d262a12f
  SHA1: 1e74a37e218b25e8218af0d68e5d2533d44255dc
  SHA256: 89120c2b00c6f9299ec1afdd6255a78e475c8205a1c05ffa6e133c7f22cfc8db
  SHA512: c437614c198648c7956301f643bfaccb57fea66e87a2b0798f17cce92476497fb3f1cd3eee16162e92e2c5a8bfd97de2458d5a5ee4c6aac6f188c81e20296e96
- Filesize: 126B
  MD5: b802ff9244875f69db2fae0f78e92b10
  SHA1: 49385a89cd575894a29fbda969b99cc1f5cf8076
  SHA256: a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8
  SHA512: 609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e
- Filesize: 717B
  MD5: ec8ff3b1ded0246437b1472c69dd1811
  SHA1: d813e874c2524e3a7da6c466c67854ad16800326
  SHA256: e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
  SHA512: e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
  Filesize: 192B
  MD5: fcd5acbfc30059d2a4ce55c6b35da4b6
  SHA1: 7c0d1463bd692e2432d426601027c03e7ca14241
  SHA256: 769cc14dc667140513d0c18e1e2e019fbce0ad4356276305a224c39aae63f8e0
  SHA512: f6248ea6ccc4c1d01c05a4d51b4ab31ea474bb7c9d7d747cb7eff31acb2aa5eaec28ba7c96aca70a20fe4a454efbada43dd85b488092e75fad1ba109509768df