Analysis
- max time kernel: 149s
- max time network: 178s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24/06/2022, 22:50
Static task: static1
Behavioral task: behavioral1
Sample: 41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe
Resource: win7-20220414-en
General
- Target: 41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe
- Size: 4.1MB
- MD5: 88f8f695e6af7d58da5f5b7ef60d0bde
- SHA1: 16b06bd05058abf520703ab656826099f93a094b
- SHA256: 41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c
- SHA512: 37781b0d848f512caf258f3d21836827d8206ecafabced9f579f9fc25537c60ed20cf5e509b0de882dee7b4d09751fcc8a68541ae9e2d60175b2e4d9f6344ddc
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Process: Download.exe
- Blocklisted process makes network request 4 IoCs
  flow: 4 | pid: 2020 | Process: CScript.exe
  flow: 6 | pid: 2020 | Process: CScript.exe
  flow: 7 | pid: 2020 | Process: CScript.exe
  flow: 8 | pid: 2020 | Process: CScript.exe
- Executes dropped EXE 1 IoCs
  pid: 436 | Process: Download.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Process: Download.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Process: Download.exe
- Identifies Wine through registry keys 2 TTPs 1 IoCs
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine | Process: Download.exe
- Loads dropped DLL 5 IoCs
  pid: 1016 | Process: 41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe
  pid: 1016 | Process: 41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe
  pid: 1016 | Process: 41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe
  pid: 436 | Process: Download.exe
  pid: 436 | Process: Download.exe
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
- Checks installed software on the system 1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 1 TTPs
- Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 10 | ioc: ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  pid: 436 | Process: Download.exe
- Drops file in Program Files directory 3 IoCs
  description: File created | ioc: C:\Program Files (x86)\Doper\Download.exe | Process: 41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe
  description: File created | ioc: C:\Program Files (x86)\Doper\ipras.vbs | Process: 41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe
  description: File created | ioc: C:\Program Files (x86)\Doper\DowloadX.exe | Process: 41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Process: Download.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Process: Download.exe
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  pid: 436 | Process: Download.exe
- Suspicious use of FindShellTrayWindow 12 IoCs
  pid: 436 | Process: Download.exe (12 identical rows, one per IoC)
- Suspicious use of WriteProcessMemory 14 IoCs
  description: PID 1016 wrote to memory of 2020 | pid: 1016 | Process: 41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe | procid_target: 27 (7 identical rows)
  description: PID 1016 wrote to memory of 436 | pid: 1016 | Process: 41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe | procid_target: 31 (7 identical rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 1016
  - C:\Windows\SysWOW64\CScript.exe
    Command line: "C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Doper\ipras.vbs" //e:vbscript //B //NOLOGO
    - Blocklisted process makes network request
    PID: 2020
  - C:\Program Files (x86)\Doper\Download.exe
    Command line: "C:\Program Files (x86)\Doper\Download.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID: 436
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2.1MB
  MD5: b8312084a400862a2c19797691c6f0a6
  SHA1: d675f4ed00508ff0208f75fd6851d14348c9bed4
  SHA256: 9f23b60e0b3c3360a2b67cc40d977577a74d1b16306522aa306b0feb29dad07b
  SHA512: beae195ed8dd2572e7299cdbe137d80f152cefa89c8bca25bafcf9527b34157833972cc3142d803e8cef33d5fe72217278253f423cc203585097a7ec1a0496ce
- Filesize: 2.1MB
  MD5: b8312084a400862a2c19797691c6f0a6
  SHA1: d675f4ed00508ff0208f75fd6851d14348c9bed4
  SHA256: 9f23b60e0b3c3360a2b67cc40d977577a74d1b16306522aa306b0feb29dad07b
  SHA512: beae195ed8dd2572e7299cdbe137d80f152cefa89c8bca25bafcf9527b34157833972cc3142d803e8cef33d5fe72217278253f423cc203585097a7ec1a0496ce
- Filesize: 126B
  MD5: b802ff9244875f69db2fae0f78e92b10
  SHA1: 49385a89cd575894a29fbda969b99cc1f5cf8076
  SHA256: a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8
  SHA512: 609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e
- Filesize: 2.1MB
  MD5: b8312084a400862a2c19797691c6f0a6
  SHA1: d675f4ed00508ff0208f75fd6851d14348c9bed4
  SHA256: 9f23b60e0b3c3360a2b67cc40d977577a74d1b16306522aa306b0feb29dad07b
  SHA512: beae195ed8dd2572e7299cdbe137d80f152cefa89c8bca25bafcf9527b34157833972cc3142d803e8cef33d5fe72217278253f423cc203585097a7ec1a0496ce
- Filesize: 2.1MB
  MD5: b8312084a400862a2c19797691c6f0a6
  SHA1: d675f4ed00508ff0208f75fd6851d14348c9bed4
  SHA256: 9f23b60e0b3c3360a2b67cc40d977577a74d1b16306522aa306b0feb29dad07b
  SHA512: beae195ed8dd2572e7299cdbe137d80f152cefa89c8bca25bafcf9527b34157833972cc3142d803e8cef33d5fe72217278253f423cc203585097a7ec1a0496ce
- Filesize: 2.1MB
  MD5: b8312084a400862a2c19797691c6f0a6
  SHA1: d675f4ed00508ff0208f75fd6851d14348c9bed4
  SHA256: 9f23b60e0b3c3360a2b67cc40d977577a74d1b16306522aa306b0feb29dad07b
  SHA512: beae195ed8dd2572e7299cdbe137d80f152cefa89c8bca25bafcf9527b34157833972cc3142d803e8cef33d5fe72217278253f423cc203585097a7ec1a0496ce
- Filesize: 14KB
  MD5: adb29e6b186daa765dc750128649b63d
  SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
  SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
  SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
- Filesize: 6KB
  MD5: 132e6153717a7f9710dcea4536f364cd
  SHA1: e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
  SHA256: d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
  SHA512: 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1