Analysis
max time kernel: 150s
max time network: 157s
platform: windows7_x64
resource: win7-20220414-en
submitted: 24/06/2022, 22:53
Static task: static1
Behavioral task: behavioral1
Sample: b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
Resource: win7-20220414-en
General
Target: b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
Size: 4.5MB
MD5: 79d775433be505a57ae175f5e6f427af
SHA1: 32b9ac8255c3076841e658eabe581586ecdd8c8b
SHA256: b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91
SHA512: 2c74529531c163ba9f768bf9aae97464aa5ddf2935c4085eb80d372a4e15d853bdfa46fc616b7b9b2e30730f4a484dfe3ba8b64188a3921faca589ffd379e7f7
Malware Config
Signatures
-
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description  ioc                                          Process
Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  Setup.exe
Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  Setupres.exe
-
Blocklisted process makes network request 4 IoCs
flow  pid  Process
4     964  CScript.exe
5     964  CScript.exe
6     964  CScript.exe
7     964  CScript.exe
-
Executes dropped EXE 2 IoCs
pid   Process
2012  Setup.exe
988   Setupres.exe
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description        ioc                                                              Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Setup.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Setup.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Setupres.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Setupres.exe
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description  ioc                                                                      Process
Key opened   \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine  Setup.exe
Key opened   \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine  Setupres.exe
-
Loads dropped DLL 8 IoCs
pid   Process
1208  b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
1208  b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
1208  b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
2012  Setup.exe
2012  Setup.exe
1208  b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
988   Setupres.exe
988   Setupres.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
9     ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid   Process
2012  Setup.exe
988   Setupres.exe
-
Drops file in Program Files directory 18 IoCs
description   ioc                                                              Process
File created  C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\driver\OemWin2k.inf   b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
File created  C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\driver\tap0901.cat    b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
File created  C:\Program Files (x86)\Ferr\SEDA\countries.tsv                     b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
File created  C:\Program Files (x86)\Ferr\SEDA\vpnpro.PTB.lng                    b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
File created  C:\Program Files (x86)\Ferr\SEDA\vpnpro.RUS.lng                    b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
File created  C:\Program Files (x86)\Ferr\SEDA\SX\bin\ssleay32.dll               b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
File created  C:\Program Files (x86)\Ferr\SEDA\SX\bin\superb.ovpn                b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
File created  C:\Program Files (x86)\Ferr\SEDA\SX\bin\test.ovpn                  b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
File created  C:\Program Files (x86)\Ferr\SEDA\SX\bin\ipras.vbs                  b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
File created  C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe                  b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
File created  C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe               b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
File created  C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\bin\deltapall.bat     b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
File created  C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\bin\devcon.exe        b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
File created  C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\driver\tap0901.sys    b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
File created  C:\Program Files (x86)\Ferr\SEDA\SX\bin\vpn850936802.ovpn          b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
File created  C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\bin\addtap.bat        b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
File created  C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\bin\tapinstall.exe    b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
File created  C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\driver\OemVista.inf   b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                  Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      Setup.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Setup.exe
-
Modifies system certificate store 2 IoCs
description       ioc                                                                                                                        Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436                Setupres.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob omitted]  Setupres.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
2012  Setup.exe
988   Setupres.exe
-
Suspicious use of FindShellTrayWindow 12 IoCs
pid   Process
2012  Setup.exe  (12 identical entries)
-
Suspicious use of WriteProcessMemory 21 IoCs
description                       pid   Process                                                                   procid_target
PID 1208 wrote to memory of 2012  1208  b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe  27  (7 identical entries)
PID 1208 wrote to memory of 964   1208  b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe  28  (7 identical entries)
PID 1208 wrote to memory of 988   1208  b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe  32  (7 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91.exe"
  PID: 1208
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe
      command line: "C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe"
      PID: 2012
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
    C:\Windows\SysWOW64\CScript.exe
      command line: "C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Ferr\SEDA\SX\bin\ipras.vbs" //e:vbscript //B //NOLOGO
      PID: 964
      - Blocklisted process makes network request
    C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe
      command line: "C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe"
      PID: 988
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads