Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24/06/2022, 22:51

General

  • Target

    8c8cef530df353824aae4f471153ec7beb2a5647b372c5bdbf58c2fcd6fe71e4.exe

  • Size

    4.5MB

  • MD5

    cae75656bc627b259e8c3f7dfe5f1444

  • SHA1

    0a2e6a52ce7500f15bece3564e4faf0e5ce6c552

  • SHA256

    8c8cef530df353824aae4f471153ec7beb2a5647b372c5bdbf58c2fcd6fe71e4

  • SHA512

    62beb3dfd2badf86106aa668448430a19842c20dfe38a651d740f61ac5ca4268308f3e69589002ab7c130bd868ee65054762bb8ac8b57c32be704049340e35c1

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Identifies Wine through registry keys (2 TTPs, 1 IoC)

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Drops file in Program Files directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of FindShellTrayWindow (12 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c8cef530df353824aae4f471153ec7beb2a5647b372c5bdbf58c2fcd6fe71e4.exe (level 1, PID 4076)
    "C:\Users\Admin\AppData\Local\Temp\8c8cef530df353824aae4f471153ec7beb2a5647b372c5bdbf58c2fcd6fe71e4.exe"
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\Holyre.exe (level 2, PID 5080)
      "C:\Users\Admin\AppData\Local\Temp\Holyre.exe"
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      • C:\Program Files (x86)\Sir\22.exe (level 3, PID 4924)
        "C:\Program Files (x86)\Sir\22.exe"
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow

Downloads

  • C:\Program Files (x86)\Sir\22.exe

    Filesize

    2.2MB

    MD5

    71eda273356cf20c05ca6223966ebec0

    SHA1

    08e4469bd87c8798b4cbc8102cae81042fef3995

    SHA256

    7834d52e58b2d23293a21c5213424153b027dbdf4dba04a4058da76eaecf7214

    SHA512

    56f3b39bae5a56693e052ca33cc9b249addedb73c261cf9570319eb6ffa388ecb10b870e7a956240e5af7bd62d12a28c800d8c228e3afcf66b98cd3480b882b5

  • C:\Users\Admin\AppData\Local\Temp\Holyre.exe

    Filesize

    4.3MB

    MD5

    7ac5c21bc936ff34cecc64bf43fd156b

    SHA1

    d68cdd4e3c82ae9799fd0814ff525abeba59ff37

    SHA256

    0519cc1df1ad26cf8f6f023240ba8c582f6d8d8529bef034f55c0d0feaa17645

    SHA512

    61323fc21c03ddb21029fae7919efaec9b42dc47c617e096ac13a780cccaf10cd953a5d30c689616605f81f053b1d1423960a4dc2cf503bebfaedcc2c0d13b94

  • C:\Users\Admin\AppData\Local\Temp\nsd10AA.tmp\UAC.dll

    Filesize

    14KB

    MD5

    adb29e6b186daa765dc750128649b63d

    SHA1

    160cbdc4cb0ac2c142d361df138c537aa7e708c9

    SHA256

    2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

    SHA512

    b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

  • memory/4924-137-0x00000000009E0000-0x0000000000F20000-memory.dmp

    Filesize

    5.2MB

  • memory/4924-138-0x0000000077990000-0x0000000077B33000-memory.dmp

    Filesize

    1.6MB

  • memory/4924-139-0x00000000009E0000-0x0000000000F20000-memory.dmp

    Filesize

    5.2MB

  • memory/4924-140-0x00000000009E0000-0x0000000000F20000-memory.dmp

    Filesize

    5.2MB

  • memory/4924-141-0x0000000077990000-0x0000000077B33000-memory.dmp

    Filesize

    1.6MB

  • memory/4924-142-0x00000000009E0000-0x0000000000F20000-memory.dmp

    Filesize

    5.2MB