Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-06-2022 17:16
Behavioral task: behavioral1
- Sample: File.exe
- Resource: win7-20220414-en
General
- Target: File.exe
- Size: 4.8MB
- MD5: c38b1f5087b560432a9e4d401c9c7c7b
- SHA1: 7bd99ddd2e3b5836317d04c506f1cc89a5f90436
- SHA256: f072f7896731668ac389aa1d7da8c1d12a858bcf58b6ef8d023ffa78ef3f4023
- SHA512: f09ed2df81cedf1767c5479f7a4f4c322e8c050b4ab5ccbbb8eb8ba87bcc188d67a7cb78a3c6c9a957d6bd1b9f8d9377e43b06ed464408faf3dce95a8a5c585a
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings
Processes: File.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes: File.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Downloads MZ/PE file
-
Executes dropped EXE (1 IoC)
Processes:
- PID 888: T_SWh5cc40xSlQV3waOFyO3T.exe
YARA rule matches: vmprotect
Resources (memory dumps matching rule vmprotect):
- behavioral1/memory/892-55-0x00000000003F0000-0x0000000000BCF000-memory.dmp
- behavioral1/memory/892-56-0x00000000003F0000-0x0000000000BCF000-memory.dmp
- behavioral1/memory/892-58-0x00000000003F0000-0x0000000000BCF000-memory.dmp
- behavioral1/memory/892-59-0x00000000003F0000-0x0000000000BCF000-memory.dmp
- behavioral1/memory/892-57-0x00000000003F0000-0x0000000000BCF000-memory.dmp
- behavioral1/memory/892-61-0x00000000003F0000-0x0000000000BCF000-memory.dmp
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: File.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: File.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation
Loads dropped DLL (1 IoC)
Processes:
- PID 892: File.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
YARA rule matches: themida
Resources (memory dumps matching rule themida):
- behavioral1/memory/892-55-0x00000000003F0000-0x0000000000BCF000-memory.dmp
- behavioral1/memory/892-56-0x00000000003F0000-0x0000000000BCF000-memory.dmp
- behavioral1/memory/892-58-0x00000000003F0000-0x0000000000BCF000-memory.dmp
- behavioral1/memory/892-59-0x00000000003F0000-0x0000000000BCF000-memory.dmp
- behavioral1/memory/892-57-0x00000000003F0000-0x0000000000BCF000-memory.dmp
- behavioral1/memory/892-61-0x00000000003F0000-0x0000000000BCF000-memory.dmp
Checks whether UAC is enabled
Processes: File.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
- flow 15: ipinfo.io
- flow 16: ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
- PID 892: File.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (1 IoC)
Processes:
- PID 520: WerFault.exe (target PID 892: File.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (distinct entries; the report repeats each many times):
- PID 892: File.exe
- PID 888: T_SWh5cc40xSlQV3waOFyO3T.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (distinct entries; each is listed four times in the report):
- PID 892 (File.exe) wrote to memory of PID 888 (T_SWh5cc40xSlQV3waOFyO3T.exe)
- PID 892 (File.exe) wrote to memory of PID 520 (WerFault.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\File.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\File.exe"
  - Modifies Windows Defender Real-time Protection settings
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Pictures\Adobe Films\T_SWh5cc40xSlQV3waOFyO3T.exe (child of File.exe)
    command line: "C:\Users\Admin\Pictures\Adobe Films\T_SWh5cc40xSlQV3waOFyO3T.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\WerFault.exe (child of File.exe)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 1456
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Pictures\Adobe Films\T_SWh5cc40xSlQV3waOFyO3T.exe
  Filesize: 318KB
  MD5: 3f22bd82ee1b38f439e6354c60126d6d
  SHA1: 63b57d818f86ea64ebc8566faeb0c977839defde
  SHA256: 265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
  SHA512: b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
- memory/520-66-0x0000000000000000-mapping.dmp
- memory/888-64-0x0000000000000000-mapping.dmp
- memory/892-58-0x00000000003F0000-0x0000000000BCF000-memory.dmp (Filesize: 7.9MB)
- memory/892-60-0x0000000077E30000-0x0000000077FB0000-memory.dmp (Filesize: 1.5MB)
- memory/892-57-0x00000000003F0000-0x0000000000BCF000-memory.dmp (Filesize: 7.9MB)
- memory/892-61-0x00000000003F0000-0x0000000000BCF000-memory.dmp (Filesize: 7.9MB)
- memory/892-62-0x0000000004B00000-0x0000000004CBE000-memory.dmp (Filesize: 1.7MB)
- memory/892-59-0x00000000003F0000-0x0000000000BCF000-memory.dmp (Filesize: 7.9MB)
- memory/892-54-0x00000000763B1000-0x00000000763B3000-memory.dmp (Filesize: 8KB)
- memory/892-56-0x00000000003F0000-0x0000000000BCF000-memory.dmp (Filesize: 7.9MB)
- memory/892-55-0x00000000003F0000-0x0000000000BCF000-memory.dmp (Filesize: 7.9MB)
- memory/892-67-0x0000000004B00000-0x0000000004CBE000-memory.dmp (Filesize: 1.7MB)