Analysis
-
max time kernel
153s
-
max time network
168s
-
platform
windows7_x64
-
resource
win7-20220414-en
-
submitted
24-06-2022 22:54
Static task
static1
Behavioral task
behavioral1
Sample
869ac51c41c295b3d6dce7580280c8c352fa12c62821edf7bb60df3a27bc35e7.exe
Resource
win7-20220414-en
General
-
Target
869ac51c41c295b3d6dce7580280c8c352fa12c62821edf7bb60df3a27bc35e7.exe
-
Size
8.4MB
-
MD5
49b3b8bd7e48d8810bd487485d4f0d0f
-
SHA1
02ab9044729cb319e1ef54bbb148ced5975315af
-
SHA256
869ac51c41c295b3d6dce7580280c8c352fa12c62821edf7bb60df3a27bc35e7
-
SHA512
5784bbc2faa1150f01f0ed0f07361ad1d9dd84e2a551f1ca78ce3835fc2c9fd77e9f0bea69cdb74c380efef6d4de2b3dba47893b1a968febf55bf78a53085ca3
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 869ac51c41c295b3d6dce7580280c8c352fa12c62821edf7bb60df3a27bc35e7.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1_protected.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2_protected.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
1112 | 1_protected.exe
2028 | 2_protected.exe
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1_protected.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2_protected.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2_protected.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 869ac51c41c295b3d6dce7580280c8c352fa12c62821edf7bb60df3a27bc35e7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 869ac51c41c295b3d6dce7580280c8c352fa12c62821edf7bb60df3a27bc35e7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1_protected.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
1796 | 869ac51c41c295b3d6dce7580280c8c352fa12c62821edf7bb60df3a27bc35e7.exe
1796 | 869ac51c41c295b3d6dce7580280c8c352fa12c62821edf7bb60df3a27bc35e7.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource | yara_rule
behavioral1/memory/1796-55-0x0000000000400000-0x00000000010EA000-memory.dmp | themida
behavioral1/memory/1796-57-0x0000000000400000-0x00000000010EA000-memory.dmp | themida
behavioral1/memory/1796-59-0x0000000000400000-0x00000000010EA000-memory.dmp | themida
behavioral1/memory/1796-60-0x0000000000400000-0x00000000010EA000-memory.dmp | themida
\ProgramData\Dcs\1_protected.exe | themida
C:\ProgramData\Dcs\1_protected.exe | themida
behavioral1/memory/1112-66-0x0000000000400000-0x0000000000AED000-memory.dmp | themida
behavioral1/memory/1112-67-0x0000000000400000-0x0000000000AED000-memory.dmp | themida
behavioral1/memory/1112-68-0x0000000000400000-0x0000000000AED000-memory.dmp | themida
behavioral1/memory/1112-70-0x0000000000400000-0x0000000000AED000-memory.dmp | themida
\ProgramData\Dcs\2_protected.exe | themida
C:\ProgramData\Dcs\2_protected.exe | themida
behavioral1/memory/2028-75-0x0000000000E00000-0x000000000150A000-memory.dmp | themida
behavioral1/memory/2028-79-0x0000000000E00000-0x000000000150A000-memory.dmp | themida
behavioral1/memory/2028-78-0x0000000000E00000-0x000000000150A000-memory.dmp | themida
behavioral1/memory/2028-81-0x0000000000E00000-0x000000000150A000-memory.dmp | themida
behavioral1/memory/2028-82-0x0000000000E00000-0x000000000150A000-memory.dmp | themida
behavioral1/memory/2028-84-0x0000000000E00000-0x000000000150A000-memory.dmp | themida
behavioral1/memory/2028-83-0x0000000000E00000-0x000000000150A000-memory.dmp | themida
behavioral1/memory/1112-95-0x0000000000400000-0x0000000000AED000-memory.dmp | themida
behavioral1/memory/2028-101-0x0000000000E00000-0x000000000150A000-memory.dmp | themida
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 869ac51c41c295b3d6dce7580280c8c352fa12c62821edf7bb60df3a27bc35e7.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1_protected.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 2_protected.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
13 | ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
pid | process
1796 | 869ac51c41c295b3d6dce7580280c8c352fa12c62821edf7bb60df3a27bc35e7.exe
1112 | 1_protected.exe
2028 | 2_protected.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 1_protected.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 2_protected.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 2_protected.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 1_protected.exe
-
Suspicious use of FindShellTrayWindow 13 IoCs
Processes:
pid | process
2028 | 2_protected.exe
2028 | 2_protected.exe
2028 | 2_protected.exe
2028 | 2_protected.exe
2028 | 2_protected.exe
1112 | 1_protected.exe
2028 | 2_protected.exe
2028 | 2_protected.exe
2028 | 2_protected.exe
2028 | 2_protected.exe
2028 | 2_protected.exe
2028 | 2_protected.exe
2028 | 2_protected.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | process | target process
PID 1796 wrote to memory of 1112 | 1796 | 869ac51c41c295b3d6dce7580280c8c352fa12c62821edf7bb60df3a27bc35e7.exe | 1_protected.exe
PID 1796 wrote to memory of 1112 | 1796 | 869ac51c41c295b3d6dce7580280c8c352fa12c62821edf7bb60df3a27bc35e7.exe | 1_protected.exe
PID 1796 wrote to memory of 1112 | 1796 | 869ac51c41c295b3d6dce7580280c8c352fa12c62821edf7bb60df3a27bc35e7.exe | 1_protected.exe
PID 1796 wrote to memory of 1112 | 1796 | 869ac51c41c295b3d6dce7580280c8c352fa12c62821edf7bb60df3a27bc35e7.exe | 1_protected.exe
PID 1796 wrote to memory of 2028 | 1796 | 869ac51c41c295b3d6dce7580280c8c352fa12c62821edf7bb60df3a27bc35e7.exe | 2_protected.exe
PID 1796 wrote to memory of 2028 | 1796 | 869ac51c41c295b3d6dce7580280c8c352fa12c62821edf7bb60df3a27bc35e7.exe | 2_protected.exe
PID 1796 wrote to memory of 2028 | 1796 | 869ac51c41c295b3d6dce7580280c8c352fa12c62821edf7bb60df3a27bc35e7.exe | 2_protected.exe
PID 1796 wrote to memory of 2028 | 1796 | 869ac51c41c295b3d6dce7580280c8c352fa12c62821edf7bb60df3a27bc35e7.exe | 2_protected.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\869ac51c41c295b3d6dce7580280c8c352fa12c62821edf7bb60df3a27bc35e7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\869ac51c41c295b3d6dce7580280c8c352fa12c62821edf7bb60df3a27bc35e7.exe"
Level 1
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID: 1796
-
C:\ProgramData\Dcs\1_protected.exe
Command line: C:\ProgramData\Dcs\1_protected.exe
Level 2
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID: 1112
-
C:\ProgramData\Dcs\2_protected.exe
Command line: C:\ProgramData\Dcs\2_protected.exe
Level 2
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID: 2028
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\ProgramData\Dcs\1_protected.exe
Filesize 2.7MB
MD5 d585ed8a8c75d24dabdc9719188fb071
SHA1 6fb6b33fe93c6f18f1b1bf1211b3752ab15280a8
SHA256 4b0f91ba3f6e7b15fe33f868ff3cc03c5d6a44be8445b3082c54adc3cca94eee
SHA512 eb0c30483a565164edd5c3542712af4363229fdbed0d9a7afa04b7d8c04073a650a64869d39b8de272ac48bfa4082e0df7dfcbd1f8383c3f83dbc8b9eb92df1c
-
C:\ProgramData\Dcs\2_protected.exe
Filesize 2.8MB
MD5 61e89680f3693952f63bb60daac1dfb6
SHA1 db28117a57ac955a39ee2a1a38fb83760be2ad08
SHA256 f838fb3cc74b59d2a20e3ccaeaa035ede40a12a7c8eb6c33d366b104e57ddb91
SHA512 ab5c90ca6d2a133d47ec9a4acd58934fff60076aa6263488bee57264d43b59f9f586f55041bc53ee71e166cbb9927df04054042beccc47f1832ac4c840f9ceaa
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FJZU34PA\line[1].txt
Filesize 161B
MD5 b26465add1927d3a0d318f8a83fb603e
SHA1 72b1d6895160c6a58483583856bfb57d580abc9f
SHA256 79407f411759c49be519022a762862f09dd8439362785f37902bac62d93a047e
SHA512 914ab20fd6b55dbe9478fc3169e94ef14d76ffbfaab132280ae248ed516697624ac34bdc9219bc242dcedd29544e526c5c1cb58721f61d76b524e95c44d60a95
-
\ProgramData\Dcs\1_protected.exe
Filesize 2.7MB
MD5 d585ed8a8c75d24dabdc9719188fb071
SHA1 6fb6b33fe93c6f18f1b1bf1211b3752ab15280a8
SHA256 4b0f91ba3f6e7b15fe33f868ff3cc03c5d6a44be8445b3082c54adc3cca94eee
SHA512 eb0c30483a565164edd5c3542712af4363229fdbed0d9a7afa04b7d8c04073a650a64869d39b8de272ac48bfa4082e0df7dfcbd1f8383c3f83dbc8b9eb92df1c
-
\ProgramData\Dcs\2_protected.exe
Filesize 2.8MB
MD5 61e89680f3693952f63bb60daac1dfb6
SHA1 db28117a57ac955a39ee2a1a38fb83760be2ad08
SHA256 f838fb3cc74b59d2a20e3ccaeaa035ede40a12a7c8eb6c33d366b104e57ddb91
SHA512 ab5c90ca6d2a133d47ec9a4acd58934fff60076aa6263488bee57264d43b59f9f586f55041bc53ee71e166cbb9927df04054042beccc47f1832ac4c840f9ceaa
-
memory/1112-68-0x0000000000400000-0x0000000000AED000-memory.dmp
Filesize 6.9MB
-
memory/1112-70-0x0000000000400000-0x0000000000AED000-memory.dmp
Filesize 6.9MB
-
memory/1112-90-0x0000000073CF1000-0x0000000073CF3000-memory.dmp
Filesize 8KB
-
memory/1112-63-0x0000000000000000-mapping.dmp
-
memory/1112-95-0x0000000000400000-0x0000000000AED000-memory.dmp
Filesize 6.9MB
-
memory/1112-66-0x0000000000400000-0x0000000000AED000-memory.dmp
Filesize 6.9MB
-
memory/1112-67-0x0000000000400000-0x0000000000AED000-memory.dmp
Filesize 6.9MB
-
memory/1112-99-0x0000000077400000-0x0000000077580000-memory.dmp
Filesize 1.5MB
-
memory/1112-74-0x0000000077400000-0x0000000077580000-memory.dmp
Filesize 1.5MB
-
memory/1796-60-0x0000000000400000-0x00000000010EA000-memory.dmp
Filesize 12.9MB
-
memory/1796-57-0x0000000000400000-0x00000000010EA000-memory.dmp
Filesize 12.9MB
-
memory/1796-55-0x0000000000400000-0x00000000010EA000-memory.dmp
Filesize 12.9MB
-
memory/1796-100-0x00000000054B0000-0x0000000005BBA000-memory.dmp
Filesize 7.0MB
-
memory/1796-54-0x00000000753B1000-0x00000000753B3000-memory.dmp
Filesize 8KB
-
memory/1796-76-0x00000000054B0000-0x0000000005BBA000-memory.dmp
Filesize 7.0MB
-
memory/1796-58-0x0000000077400000-0x0000000077580000-memory.dmp
Filesize 1.5MB
-
memory/1796-59-0x0000000000400000-0x00000000010EA000-memory.dmp
Filesize 12.9MB
-
memory/1796-92-0x00000000054B0000-0x0000000005B9D000-memory.dmp
Filesize 6.9MB
-
memory/1796-62-0x00000000054B0000-0x0000000005B9D000-memory.dmp
Filesize 6.9MB
-
memory/2028-75-0x0000000000E00000-0x000000000150A000-memory.dmp
Filesize 7.0MB
-
memory/2028-84-0x0000000000E00000-0x000000000150A000-memory.dmp
Filesize 7.0MB
-
memory/2028-83-0x0000000000E00000-0x000000000150A000-memory.dmp
Filesize 7.0MB
-
memory/2028-85-0x0000000074021000-0x0000000074023000-memory.dmp
Filesize 8KB
-
memory/2028-86-0x0000000073E61000-0x0000000073E63000-memory.dmp
Filesize 8KB
-
memory/2028-82-0x0000000000E00000-0x000000000150A000-memory.dmp
Filesize 7.0MB
-
memory/2028-81-0x0000000000E00000-0x000000000150A000-memory.dmp
Filesize 7.0MB
-
memory/2028-80-0x0000000077400000-0x0000000077580000-memory.dmp
Filesize 1.5MB
-
memory/2028-78-0x0000000000E00000-0x000000000150A000-memory.dmp
Filesize 7.0MB
-
memory/2028-79-0x0000000000E00000-0x000000000150A000-memory.dmp
Filesize 7.0MB
-
memory/2028-71-0x0000000000000000-mapping.dmp
-
memory/2028-101-0x0000000000E00000-0x000000000150A000-memory.dmp
Filesize 7.0MB
-
memory/2028-102-0x0000000077400000-0x0000000077580000-memory.dmp
Filesize 1.5MB