Analysis
max time kernel: 149s
max time network: 171s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21/06/2022, 19:28
Static task: static1
Behavioral task: behavioral1
  Sample: 2fb01e9fadecacfcf8b7217276f0598e6366c398202730629f89a956feb51467.exe
  Resource: win7-20220414-en
General
Target: 2fb01e9fadecacfcf8b7217276f0598e6366c398202730629f89a956feb51467.exe
Size: 4.2MB
MD5: b251a4212a82d0c7e88003ed68ff8072
SHA1: 18842358fbedf0ac45ac28f29af54067d882bb28
SHA256: 2fb01e9fadecacfcf8b7217276f0598e6366c398202730629f89a956feb51467
SHA512: e2f80652dbcefeb152a7e3a324ed8481a2fddddc37b59c2482a863d9a49291e85100625f560fb1977aaad673aac80d85f7151ccf254bca5121096fb161d0c8ce
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | setup.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | looo.exe
Blocklisted process makes network request 4 IoCs
  flow | pid | Process
  4 | 1228 | CScript.exe
  5 | 1228 | CScript.exe
  6 | 1228 | CScript.exe
  7 | 1228 | CScript.exe
Executes dropped EXE 2 IoCs
  pid | Process
  1904 | setup.exe
  320 | looo.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | looo.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | looo.exe
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine | setup.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine | looo.exe
Loads dropped DLL 8 IoCs
  pid | Process
  1720 | 2fb01e9fadecacfcf8b7217276f0598e6366c398202730629f89a956feb51467.exe (4 entries)
  1904 | setup.exe (2 entries)
  320 | looo.exe (2 entries)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  9 | ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  pid | Process
  1904 | setup.exe
  320 | looo.exe
Drops file in Program Files directory 3 IoCs
  description | ioc | Process
  File created | C:\Program Files (x86)\Ivp\bin\Two.vbs | 2fb01e9fadecacfcf8b7217276f0598e6366c398202730629f89a956feb51467.exe
  File created | C:\Program Files (x86)\Ivp\bin\setup.exe | 2fb01e9fadecacfcf8b7217276f0598e6366c398202730629f89a956feb51467.exe
  File created | C:\Program Files (x86)\Ivp\bin\looo.exe | 2fb01e9fadecacfcf8b7217276f0598e6366c398202730629f89a956feb51467.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but drive enumeration is equally consistent with the infostealer activity reported above (browser profile and cryptocurrency wallet access), where it serves to locate files to harvest.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | setup.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid | Process
  1904 | setup.exe
  320 | looo.exe
Suspicious use of FindShellTrayWindow 12 IoCs
  pid | Process
  1904 | setup.exe (12 entries)
Suspicious use of WriteProcessMemory 21 IoCs
  description | pid | Process | procid_target
  PID 1720 wrote to memory of 1904 | 1720 | 2fb01e9fadecacfcf8b7217276f0598e6366c398202730629f89a956feb51467.exe | 28 (7 entries)
  PID 1720 wrote to memory of 1228 | 1720 | 2fb01e9fadecacfcf8b7217276f0598e6366c398202730629f89a956feb51467.exe | 29 (7 entries)
  PID 1720 wrote to memory of 320 | 1720 | 2fb01e9fadecacfcf8b7217276f0598e6366c398202730629f89a956feb51467.exe | 33 (7 entries)
All 21 writes go from the sample to the three child processes it spawns. Parent-to-child writes at process creation can be generated by the normal process-launch path as well as by injection, so this signature on its own does not establish that the sample injects code; the anti-VM, anti-debug and data-access signatures above carry the weight of the verdict.
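The registry reads listed under the VirtualBox, BIOS, Wine and processor signatures are the raw material of a sandbox-evasion detection. The following Python is an added example (not the sandbox's own logic and not code from the sample): it groups the registry paths from this report into fingerprint categories and flags a process when it touches a hypervisor-specific key or at least two categories, so that a single BIOS read by legitimate software does not fire. The event records mirror the IoCs above; the `inventory.exe` events, the category table, the `STRONG` set and the threshold are this example's own assumptions.

```python
"""
Flag processes whose registry reads amount to sandbox/VM fingerprinting.

Added example, not code from the sandbox or from the sample. The event
records are constructed to mirror the registry IoCs in the report (plus two
made-up benign reads); the category table, the STRONG set and the
two-category threshold are this example's own assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Registry paths grouped by what the reader learns from them. Matching is
# case-insensitive on a path prefix or suffix, so value names under a key
# (CentralProcessor\0\ProcessorNameString) and keys under any user SID
# (...\Software\Wine) are both covered.
FINGERPRINT_KEYS = {
    "hypervisor_acpi": [r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"],
    "bios": [
        r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
        r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    ],
    "cpu": [r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"],
    "wine": [r"\Software\Wine"],
}

# A hit here has no plausible reason on a real host and is enough on its
# own; the other categories need corroboration (assumption).
STRONG = {"hypervisor_acpi"}


@dataclass(frozen=True)
class RegEvent:
    pid: int
    process: str
    op: str       # "Key opened" or "Key value queried", as the sandbox logs it
    path: str


def classify(path: str):
    """Return the fingerprint category of a registry path, or None."""
    p = path.upper()
    for category, patterns in FINGERPRINT_KEYS.items():
        if any(p.startswith(pat.upper()) or p.endswith(pat.upper()) for pat in patterns):
            return category
    return None


def flag_fingerprinting(events, min_categories=2):
    """Map pid -> (process name, sorted categories) for every process that
    hit a STRONG key or at least `min_categories` distinct categories."""
    cats = defaultdict(set)
    names = {}
    for ev in events:
        c = classify(ev.path)
        if c is not None:
            cats[ev.pid].add(c)
            names[ev.pid] = ev.process
    return {
        pid: (names[pid], sorted(found))
        for pid, found in cats.items()
        if found & STRONG or len(found) >= min_categories
    }


SID = "S-1-5-21-2277218442-1199762539-2004043321-1000"
WINE_KEY = "\\REGISTRY\\USER\\" + SID + "\\Software\\Wine"
HW = r"\REGISTRY\MACHINE\HARDWARE"

EVENTS = [
    # Mirrors the report: setup.exe (PID 1904) and looo.exe (PID 320)
    RegEvent(1904, "setup.exe", "Key opened", HW + r"\ACPI\DSDT\VBOX__"),
    RegEvent(1904, "setup.exe", "Key value queried", HW + r"\DESCRIPTION\System\SystemBiosVersion"),
    RegEvent(1904, "setup.exe", "Key value queried", HW + r"\DESCRIPTION\System\VideoBiosVersion"),
    RegEvent(1904, "setup.exe", "Key opened", WINE_KEY),
    RegEvent(1904, "setup.exe", "Key opened", HW + r"\DESCRIPTION\System\CentralProcessor\0"),
    RegEvent(1904, "setup.exe", "Key value queried", HW + r"\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    RegEvent(320, "looo.exe", "Key opened", HW + r"\ACPI\DSDT\VBOX__"),
    RegEvent(320, "looo.exe", "Key value queried", HW + r"\DESCRIPTION\System\SystemBiosVersion"),
    RegEvent(320, "looo.exe", "Key value queried", HW + r"\DESCRIPTION\System\VideoBiosVersion"),
    RegEvent(320, "looo.exe", "Key opened", WINE_KEY),
    # Constructed benign noise (not in the report): an inventory tool that
    # reads one BIOS value, plus an unrelated autorun lookup.
    RegEvent(2400, "inventory.exe", "Key value queried", HW + r"\DESCRIPTION\System\SystemBiosVersion"),
    RegEvent(2400, "inventory.exe", "Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]

if __name__ == "__main__":
    for pid, (name, found) in flag_fingerprinting(EVENTS).items():
        print(f"PID {pid} {name}: {', '.join(found)}")
```

Run against the constructed events, both dropped binaries are flagged (setup.exe on four categories, looo.exe on three) and the single BIOS read by the inventory tool is not. The suffix match on `\Software\Wine` is what lets one pattern cover any user hive; tighten it to a prefix on `\REGISTRY\USER\` if the suffix proves too loose in your telemetry.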
Processes
1. C:\Users\Admin\AppData\Local\Temp\2fb01e9fadecacfcf8b7217276f0598e6366c398202730629f89a956feb51467.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2fb01e9fadecacfcf8b7217276f0598e6366c398202730629f89a956feb51467.exe"
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   PID: 1720
   2. C:\Program Files (x86)\Ivp\bin\setup.exe
      Command line: "C:\Program Files (x86)\Ivp\bin\setup.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      PID: 1904
   2. C:\Windows\SysWOW64\CScript.exe
      Command line: "C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Ivp\bin\Two.vbs" //e:vbscript //B //NOLOGO
      - Blocklisted process makes network request
      PID: 1228
      Note: the command line names system32 but the image that ran lives in SysWOW64; the 32-bit parent's reference to system32 is redirected by WOW64 file-system redirection, so match on either path when hunting for this launch. //B suppresses script error dialogs and prompts and //NOLOGO the banner, so the dropped script runs silently.
   2. C:\Program Files (x86)\Ivp\bin\looo.exe
      Command line: "C:\Program Files (x86)\Ivp\bin\looo.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      PID: 320
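The process tree above is a textbook dropper chain: the sample writes three files into C:\Program Files (x86)\Ivp\bin and then launches two of them directly and the third through CScript.exe. The following Python is an added example, not part of the sandbox report or the sample: it rebuilds the tree from process-creation records and flags every process whose image, or whose script-host argument, was written earlier by another traced process. The records are constructed from the PIDs, paths and command lines shown above; the untraced launcher PID 1000 is invented, and folding SysWOW64 onto system32 so the CScript.exe command line matches its image is this example's own choice.

```python
"""
Rebuild the process tree from trace events and flag binaries that were
dropped by one traced process and then executed, including script hosts
launched on a dropped script.

Added example, not part of the sandbox report. The records are constructed
from the PIDs, image paths, command lines and file-creation IoCs in the
report; PID 1000 (the launcher) is invented, and folding SysWOW64 onto
system32 is this example's own normalisation choice.
"""
import re
from dataclasses import dataclass

# Interpreters whose payload is an argument rather than the image itself.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "mshta.exe", "powershell.exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # path of the executable that actually ran
    cmdline: str    # command line as logged


def norm(path: str) -> str:
    """Canonicalise a Windows path for comparison. Folding SysWOW64 onto
    system32 makes "C:\\Windows\\system32\\CScript.exe" on a 32-bit parent's
    command line match the C:\\Windows\\SysWOW64\\CScript.exe image that WOW64
    file-system redirection actually loaded."""
    return path.strip('"').lower().replace("\\syswow64\\", "\\system32\\")


def argv(cmdline: str) -> list:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def build_tree(procs):
    """Return (roots, children) where children maps pid -> [child Proc]."""
    by_pid = {p.pid: p for p in procs}
    children = {p.pid: [] for p in procs}
    roots = []
    for p in procs:
        if p.ppid in by_pid:
            children[p.ppid].append(p)
        else:
            roots.append(p)       # parent was not traced
    return roots, children


def render(roots, children, depth=0, out=None):
    """Indented one-line-per-process view of the tree."""
    out = [] if out is None else out
    for p in roots:
        out.append(f"{'  ' * depth}{p.pid} {p.image}")
        render(children[p.pid], children, depth + 1, out)
    return out


def dropped_executions(file_creates, procs):
    """file_creates: iterable of (writer_pid, path). Returns
    (pid, kind, normalised path, writer_pid) for every process whose image
    was written by a traced process, and for every script host whose
    arguments name such a file."""
    dropped = {norm(path): pid for pid, path in file_creates}
    findings = []
    for p in procs:
        image = norm(p.image)
        if image in dropped:
            findings.append((p.pid, "dropped exe", image, dropped[image]))
            continue
        if image.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
            for arg in argv(p.cmdline)[1:]:
                if norm(arg) in dropped:
                    findings.append((p.pid, "dropped script", norm(arg), dropped[norm(arg)]))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2fb01e9fadecacfcf8b7217276f0598e6366c398202730629f89a956feb51467.exe"
BIN = r"C:\Program Files (x86)\Ivp\bin"

# File-creation IoCs from the report
FILE_CREATES = [
    (1720, BIN + r"\Two.vbs"),
    (1720, BIN + r"\setup.exe"),
    (1720, BIN + r"\looo.exe"),
]

# Process records from the report; PID 1000 is a constructed untraced launcher
PROCS = [
    Proc(1720, 1000, SAMPLE, f'"{SAMPLE}"'),
    Proc(1904, 1720, BIN + r"\setup.exe", f'"{BIN}\\setup.exe"'),
    Proc(1228, 1720, r"C:\Windows\SysWOW64\CScript.exe",
         f'"C:\\Windows\\system32\\CScript.exe" "{BIN}\\Two.vbs" //e:vbscript //B //NOLOGO'),
    Proc(320, 1720, BIN + r"\looo.exe", f'"{BIN}\\looo.exe"'),
]

if __name__ == "__main__":
    roots, children = build_tree(PROCS)
    print("\n".join(render(roots, children)))
    for pid, kind, path, writer in dropped_executions(FILE_CREATES, PROCS):
        print(f"PID {pid}: {kind} {path} (written by PID {writer})")
```

On this input the tree has one root (PID 1720) with three children, and all three children are reported as dropped-then-executed with 1720 as the writer. Without the SysWOW64 fold, CScript.exe would still be caught here because the match is on its argument, but a dropped 32-bit binary launched through a system32 path in the command line would not be; keep the normalisation if your telemetry records image paths and command lines from different vantage points.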
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 126B
  MD5: c6362e3c5585f24a9e9a2712c00c52ff
  SHA1: 9259b9609313386f004328d2c306820eae01a587
  SHA256: 184ca5b2737175e0828f3546d483778c95e23720f1375deac0090c2fe415e208
  SHA512: 59ac94fdb6f41d6dc5cbea1855897759f35032ac922b936a0b39a21b6aafb0c862c5d419afa31c0b81f106f2ce06b2909cdb5fb713534fbe36202c5a4fedfeaa
Filesize: 2.1MB (5 identical entries)
  MD5: 22dbb8cea37a191fab10917f03dc25c5
  SHA1: b5cccd3dda88428bae6f45f5ae544267e331b0be
  SHA256: 819cbebadf520b038496932c911f1d1bb4e98c86490659ef1b939ec5cc38384e
  SHA512: 3b069754b47087843db585f5092ddfa007293a51ddb4c84af739d1cd757a6724d1a745262bc558180af4f73d706a1351693a5fb0453ddc102a6c2fb8152b445f
Filesize: 2.1MB (5 identical entries)
  MD5: 0fda20e1940d351b5c28a48ef6509876
  SHA1: 400ca4f1dd882bee8b6cdd31367eb1cdcfe4207a
  SHA256: 735d8568578b7342ad6e1def0489c2ae864c5e611b5b2c658b8edc2cee172bb1
  SHA512: 35ed507a276fb3b11fc76d90130c97338f2f66d5867a20fbbe725065b8a7e70ee31f77129e408d7baee5a208460167ab2f46f52a07ccad316487622f1dc234b9
Filesize: 14KB
  MD5: adb29e6b186daa765dc750128649b63d
  SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
  SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
  SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
Filesize: 6KB
  MD5: 132e6153717a7f9710dcea4536f364cd
  SHA1: e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
  SHA256: d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
  SHA512: 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1