Analysis
max time kernel: 185s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 22/06/2022, 11:54
Static task: static1
Behavioral task: behavioral1
Sample: 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe
Resource: win7-20220414-en
General
Target: 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe
Size: 4.2MB
MD5: 994cc30fc5c8e845d21746b147b5856d
SHA1: 685220882fe159660dc0bde6a594b68699d9ce0c
SHA256: 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee
SHA512: 70d00f9055550f97b161b9da85b4620d1db133200c77bac647804ba2fb5d639016dc5d3f3afc4f8e3857463b664b59176ce65cd4dc9e2bb8cbd795094581d18e
Malware Config

Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | setup.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | looo.exe
Blocklisted process makes network request | 2 IoCs
flow | pid | Process
9 | 4872 | CScript.exe
11 | 4872 | CScript.exe

Executes dropped EXE | 2 IoCs
pid | Process
4424 | setup.exe
1996 | looo.exe
Checks BIOS information in registry | 2 TTPs | 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | looo.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | looo.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | setup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | setup.exe
Identifies Wine through registry keys | 2 TTPs | 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine | setup.exe
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine | looo.exe

Loads dropped DLL | 2 IoCs
pid | Process
2964 | 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe
2964 | 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe
Reads user/profile data of web browsers | 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting | 2 TTPs

Checks installed software on the system | 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 | 1 TTPs

Looks up external IP address via web service | 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
14 | ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger | 2 IoCs
pid | Process
4424 | setup.exe
1996 | looo.exe

Drops file in Program Files directory | 3 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Ivp\bin\setup.exe | 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe
File created | C:\Program Files (x86)\Ivp\bin\looo.exe | 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe
File created | C:\Program Files (x86)\Ivp\bin\Two.vbs | 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe
Enumerates physical storage devices | 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry | 2 TTPs | 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | setup.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | setup.exe
Suspicious behavior: EnumeratesProcesses | 4 IoCs
pid | Process
4424 | setup.exe
4424 | setup.exe
1996 | looo.exe
1996 | looo.exe

Suspicious use of FindShellTrayWindow | 12 IoCs
pid | Process
4424 | setup.exe (12 occurrences)

Suspicious use of WriteProcessMemory | 9 IoCs
description | pid | Process | procid_target
PID 2964 wrote to memory of 4424 | 2964 | 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | 82
PID 2964 wrote to memory of 4424 | 2964 | 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | 82
PID 2964 wrote to memory of 4424 | 2964 | 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | 82
PID 2964 wrote to memory of 4872 | 2964 | 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | 83
PID 2964 wrote to memory of 4872 | 2964 | 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | 83
PID 2964 wrote to memory of 4872 | 2964 | 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | 83
PID 2964 wrote to memory of 1996 | 2964 | 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | 85
PID 2964 wrote to memory of 1996 | 2964 | 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | 85
PID 2964 wrote to memory of 1996 | 2964 | 2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe | 85
Processes

C:\Users\Admin\AppData\Local\Temp\2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2e28f1b81561265b436047c612838618d6fcb5371f28626d6ec8f7de6b2789ee.exe"
  PID: 2964
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  Child: C:\Program Files (x86)\Ivp\bin\setup.exe
    Command line: "C:\Program Files (x86)\Ivp\bin\setup.exe"
    PID: 4424
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow

  Child: C:\Windows\SysWOW64\CScript.exe
    Command line: "C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Ivp\bin\Two.vbs" //e:vbscript //B //NOLOGO
    PID: 4872
    - Blocklisted process makes network request

  Child: C:\Program Files (x86)\Ivp\bin\looo.exe
    Command line: "C:\Program Files (x86)\Ivp\bin\looo.exe"
    PID: 1996
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 126B
MD5: c6362e3c5585f24a9e9a2712c00c52ff
SHA1: 9259b9609313386f004328d2c306820eae01a587
SHA256: 184ca5b2737175e0828f3546d483778c95e23720f1375deac0090c2fe415e208
SHA512: 59ac94fdb6f41d6dc5cbea1855897759f35032ac922b936a0b39a21b6aafb0c862c5d419afa31c0b81f106f2ce06b2909cdb5fb713534fbe36202c5a4fedfeaa

Filesize: 2.0MB
MD5: e1e49175b2c2cab149e99146aba86db8
SHA1: 69baac79a2bd1883284ef7126a0d0fb95a838505
SHA256: 7a0c0d41d3e0d0b925ad10d3e094c8d2f695d91cf2d70e6a2404adfcb0adf000
SHA512: 8cb304d5a81182b8bbe94fcb477996398c4a53818e17b2fac56fb2076cf5873f2faa4f2f4ad22bc90109891edf0b430937055432ede503a2f137ace0dbed306e

Filesize: 2.1MB
MD5: fe84f8c12d844ea18a189161d89c29f5
SHA1: d501ff3dff98263bb967e0903467a65ae96dd3ee
SHA256: 4daef9b00dddadca0e2a1163293071171b5866796bb01461efd8dbd4331d105a
SHA512: 3dffbba11c2f71ccd30019abce3cbf8568bb761921ddbc50fb080571ba3abbb32611a7ea7f851239e014537797f575331943dd11a68146551bc006de5f7973a0

Filesize: 2.1MB
MD5: fe84f8c12d844ea18a189161d89c29f5
SHA1: d501ff3dff98263bb967e0903467a65ae96dd3ee
SHA256: 4daef9b00dddadca0e2a1163293071171b5866796bb01461efd8dbd4331d105a
SHA512: 3dffbba11c2f71ccd30019abce3cbf8568bb761921ddbc50fb080571ba3abbb32611a7ea7f851239e014537797f575331943dd11a68146551bc006de5f7973a0

Filesize: 14KB
MD5: adb29e6b186daa765dc750128649b63d
SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Filesize: 6KB
MD5: 132e6153717a7f9710dcea4536f364cd
SHA1: e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256: d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512: 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1