Analysis
Max time kernel: 149s
Max time network: 160s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 24/06/2022, 22:20
Static task: static1
Behavioral task: behavioral1
Sample: 7757daa278b5833ca48222d150c8c3c5e0478c70f8e3bfa9f2f5ca2c8cebbd38.exe
Resource: win7-20220414-en
General
Target: 7757daa278b5833ca48222d150c8c3c5e0478c70f8e3bfa9f2f5ca2c8cebbd38.exe
Size: 4.3MB
MD5: c4ebadd41eff003ad65f74012f1980f9
SHA1: f01d16510c7b5a875957a2cfc66a2cd6381fcbe1
SHA256: 7757daa278b5833ca48222d150c8c3c5e0478c70f8e3bfa9f2f5ca2c8cebbd38
SHA512: 8a25bbabff1266523f000990300abb253644dfe5c05f9be31917fb33c1be0cc0a65c703806e98899134a5bc0dbf30265f63fc1db64b86ed58f746cb0c8b2daf3
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | looo.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | setup.exe

Blocklisted process makes network request (2 IoCs)
flow | pid | Process
6 | 2832 | CScript.exe
8 | 2832 | CScript.exe

Executes dropped EXE (2 IoCs)
pid | Process
2324 | setup.exe
2684 | looo.exe

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | setup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | setup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | looo.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | looo.exe

Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine | looo.exe
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine | setup.exe

Loads dropped DLL (2 IoCs)
pid | Process
4568 | 7757daa278b5833ca48222d150c8c3c5e0478c70f8e3bfa9f2f5ca2c8cebbd38.exe
4568 | 7757daa278b5833ca48222d150c8c3c5e0478c70f8e3bfa9f2f5ca2c8cebbd38.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
13 | ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
2324 | setup.exe
2684 | looo.exe

Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Ivp\bin\Two.vbs | 7757daa278b5833ca48222d150c8c3c5e0478c70f8e3bfa9f2f5ca2c8cebbd38.exe
File created | C:\Program Files (x86)\Ivp\bin\setup.exe | 7757daa278b5833ca48222d150c8c3c5e0478c70f8e3bfa9f2f5ca2c8cebbd38.exe
File created | C:\Program Files (x86)\Ivp\bin\looo.exe | 7757daa278b5833ca48222d150c8c3c5e0478c70f8e3bfa9f2f5ca2c8cebbd38.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | setup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | setup.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2324 | setup.exe
2324 | setup.exe
2684 | looo.exe
2684 | looo.exe

Suspicious use of FindShellTrayWindow (12 IoCs)
pid | Process
2324 | setup.exe
2324 | setup.exe
2324 | setup.exe
2324 | setup.exe
2324 | setup.exe
2324 | setup.exe
2324 | setup.exe
2324 | setup.exe
2324 | setup.exe
2324 | setup.exe
2324 | setup.exe
2324 | setup.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4568 wrote to memory of 2324 | 4568 | 7757daa278b5833ca48222d150c8c3c5e0478c70f8e3bfa9f2f5ca2c8cebbd38.exe | 80
PID 4568 wrote to memory of 2324 | 4568 | 7757daa278b5833ca48222d150c8c3c5e0478c70f8e3bfa9f2f5ca2c8cebbd38.exe | 80
PID 4568 wrote to memory of 2324 | 4568 | 7757daa278b5833ca48222d150c8c3c5e0478c70f8e3bfa9f2f5ca2c8cebbd38.exe | 80
PID 4568 wrote to memory of 2832 | 4568 | 7757daa278b5833ca48222d150c8c3c5e0478c70f8e3bfa9f2f5ca2c8cebbd38.exe | 81
PID 4568 wrote to memory of 2832 | 4568 | 7757daa278b5833ca48222d150c8c3c5e0478c70f8e3bfa9f2f5ca2c8cebbd38.exe | 81
PID 4568 wrote to memory of 2832 | 4568 | 7757daa278b5833ca48222d150c8c3c5e0478c70f8e3bfa9f2f5ca2c8cebbd38.exe | 81
PID 4568 wrote to memory of 2684 | 4568 | 7757daa278b5833ca48222d150c8c3c5e0478c70f8e3bfa9f2f5ca2c8cebbd38.exe | 83
PID 4568 wrote to memory of 2684 | 4568 | 7757daa278b5833ca48222d150c8c3c5e0478c70f8e3bfa9f2f5ca2c8cebbd38.exe | 83
PID 4568 wrote to memory of 2684 | 4568 | 7757daa278b5833ca48222d150c8c3c5e0478c70f8e3bfa9f2f5ca2c8cebbd38.exe | 83
Processes

C:\Users\Admin\AppData\Local\Temp\7757daa278b5833ca48222d150c8c3c5e0478c70f8e3bfa9f2f5ca2c8cebbd38.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\7757daa278b5833ca48222d150c8c3c5e0478c70f8e3bfa9f2f5ca2c8cebbd38.exe"
PID: 4568
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Ivp\bin\setup.exe (depth 2)
    Command line: "C:\Program Files (x86)\Ivp\bin\setup.exe"
    PID: 2324
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow

    C:\Windows\SysWOW64\CScript.exe (depth 2)
    Command line: "C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Ivp\bin\Two.vbs" //e:vbscript //B //NOLOGO
    PID: 2832
    - Blocklisted process makes network request

    C:\Program Files (x86)\Ivp\bin\looo.exe (depth 2)
    Command line: "C:\Program Files (x86)\Ivp\bin\looo.exe"
    PID: 2684
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 126B
MD5: c6362e3c5585f24a9e9a2712c00c52ff
SHA1: 9259b9609313386f004328d2c306820eae01a587
SHA256: 184ca5b2737175e0828f3546d483778c95e23720f1375deac0090c2fe415e208
SHA512: 59ac94fdb6f41d6dc5cbea1855897759f35032ac922b936a0b39a21b6aafb0c862c5d419afa31c0b81f106f2ce06b2909cdb5fb713534fbe36202c5a4fedfeaa

Filesize: 2.0MB
MD5: 7825e5f4ec5fc706ac56616f70378b0f
SHA1: c70065d9bf3622027f0c7008b8dd0c7b75c77ee3
SHA256: badce9a9680dec983fda2e90e363b5125b9f1ed914ca169e4711dfda7e139729
SHA512: fa9196ddd53c3238af617d4e743050f8b70ce59ebf335dafcd7e5ca745d574a52807db4ad9c7cdc7b048a72a2435f809c0531fef7a32328e64f189e3a7493bd7

Filesize: 2.2MB
MD5: bbe357be9aa2e1a565e84841e8b5462e
SHA1: ecc357b18d427869d97d7c0f9c123530d15da241
SHA256: 02b1dcdb775d947202a4a2a740e24829cdb2261de5256ac9a2af54723819b39b
SHA512: b488865a518a618042bcf4a0aa9230874bb585ec34a0b61442c4dcfb3eaa88bff82091165d60db4e61c15c68bb7d29bc985c7020e2a47e713b66fa8947ab6585

Filesize: 2.2MB
MD5: bbe357be9aa2e1a565e84841e8b5462e
SHA1: ecc357b18d427869d97d7c0f9c123530d15da241
SHA256: 02b1dcdb775d947202a4a2a740e24829cdb2261de5256ac9a2af54723819b39b
SHA512: b488865a518a618042bcf4a0aa9230874bb585ec34a0b61442c4dcfb3eaa88bff82091165d60db4e61c15c68bb7d29bc985c7020e2a47e713b66fa8947ab6585

Filesize: 14KB
MD5: adb29e6b186daa765dc750128649b63d
SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Filesize: 6KB
MD5: 132e6153717a7f9710dcea4536f364cd
SHA1: e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256: d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512: 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1