Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24/06/2022, 22:51
Static task: static1
Behavioral task: behavioral1
Sample: 8c8cef530df353824aae4f471153ec7beb2a5647b372c5bdbf58c2fcd6fe71e4.exe
Resource: win7-20220414-en
General
- Target: 8c8cef530df353824aae4f471153ec7beb2a5647b372c5bdbf58c2fcd6fe71e4.exe
- Size: 4.5MB
- MD5: cae75656bc627b259e8c3f7dfe5f1444
- SHA1: 0a2e6a52ce7500f15bece3564e4faf0e5ce6c552
- SHA256: 8c8cef530df353824aae4f471153ec7beb2a5647b372c5bdbf58c2fcd6fe71e4
- SHA512: 62beb3dfd2badf86106aa668448430a19842c20dfe38a651d740f61ac5ca4268308f3e69589002ab7c130bd868ee65054762bb8ac8b57c32be704049340e35c1
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: 22.exe)
- Executes dropped EXE (2 IoCs)
  PID 1636: Holyre.exe
  PID 2016: 22.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 22.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 22.exe)
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Wine (process: 22.exe)
- Loads dropped DLL (7 IoCs)
  PID 1636: Holyre.exe (5 entries)
  PID 2016: 22.exe (2 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 3: ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 2016: 22.exe
- Drops file in Program Files directory (5 IoCs)
  File created: C:\Program Files (x86)\Sir\Xsa.vbs (process: Holyre.exe)
  File created: C:\Program Files (x86)\Sir\Rew\1049.lng (process: Holyre.exe)
  File created: C:\Program Files (x86)\Sir\dolphin32_red.vm (process: Holyre.exe)
  File created: C:\Program Files (x86)\Sir\22.exe (process: Holyre.exe)
  File created: C:\Program Files (x86)\Sir\44.exe (process: Holyre.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: 22.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: 22.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2016: 22.exe
- Suspicious use of FindShellTrayWindow (12 IoCs)
  PID 2016: 22.exe (12 entries)
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 908 (8c8cef530df353824aae4f471153ec7beb2a5647b372c5bdbf58c2fcd6fe71e4.exe) wrote to memory of PID 1636, procid_target 27 (7 entries)
  PID 1636 (Holyre.exe) wrote to memory of PID 2016, procid_target 28 (7 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\8c8cef530df353824aae4f471153ec7beb2a5647b372c5bdbf58c2fcd6fe71e4.exe (PID 908, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c8cef530df353824aae4f471153ec7beb2a5647b372c5bdbf58c2fcd6fe71e4.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Holyre.exe (PID 1636, depth 2, child of PID 908)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Holyre.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Sir\22.exe (PID 2016, depth 3, child of PID 1636)
      Command line: "C:\Program Files (x86)\Sir\22.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2.2MB (this entry is listed 5 times in the report)
  MD5: 71eda273356cf20c05ca6223966ebec0
  SHA1: 08e4469bd87c8798b4cbc8102cae81042fef3995
  SHA256: 7834d52e58b2d23293a21c5213424153b027dbdf4dba04a4058da76eaecf7214
  SHA512: 56f3b39bae5a56693e052ca33cc9b249addedb73c261cf9570319eb6ffa388ecb10b870e7a956240e5af7bd62d12a28c800d8c228e3afcf66b98cd3480b882b5
- Filesize: 4.3MB (this entry is listed 5 times in the report)
  MD5: 7ac5c21bc936ff34cecc64bf43fd156b
  SHA1: d68cdd4e3c82ae9799fd0814ff525abeba59ff37
  SHA256: 0519cc1df1ad26cf8f6f023240ba8c582f6d8d8529bef034f55c0d0feaa17645
  SHA512: 61323fc21c03ddb21029fae7919efaec9b42dc47c617e096ac13a780cccaf10cd953a5d30c689616605f81f053b1d1423960a4dc2cf503bebfaedcc2c0d13b94
- Filesize: 14KB
  MD5: adb29e6b186daa765dc750128649b63d
  SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
  SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
  SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada