Analysis
max time kernel: 146s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 25/06/2022, 01:38
Static task: static1
Behavioral task: behavioral1
Sample: a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe
Resource: win7-20220414-en
General
Target: a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe
Size: 4.0MB
MD5: 87baf758e41c9e99d91975085d024aad
SHA1: 7816e63608f056dbb1aaf25fbf4041a959073f81
SHA256: a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d
SHA512: 770b669b7821c4c893d222a023b12d41b01cc6afd4ca6a81c738a583411e7c6f61576a1e1d6aec943e5257c9233038d0827d67e8d9743a4d1e3440f3ae3541a3
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description   ioc                                           Process
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   Setup.exe
Executes dropped EXE 1 IoCs
pid    Process
5108   Setup.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description         ioc                                                              Process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   Setup.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    Setup.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description   ioc                                                                       Process
Key opened    \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Wine   Setup.exe
Loads dropped DLL 1 IoCs
pid    Process
1940   a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow   ioc
14     ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid    Process
5108   Setup.exe
Drops file in Program Files directory 5 IoCs
description    ioc                                              Process
File created   C:\Program Files (x86)\Cyper\Set.exe             a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe
File created   C:\Program Files (x86)\Cyper\Setup.exe           a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe
File created   C:\Program Files (x86)\Cyper\vm_begin.inc        a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe
File created   C:\Program Files (x86)\Cyper\vm_end.inc          a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe
File created   C:\Program Files (x86)\Cyper\vm_risc_begin.inc   a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description         ioc                                                                                   Process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       Setup.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   Setup.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid    Process
5108   Setup.exe
5108   Setup.exe
Suspicious use of FindShellTrayWindow 12 IoCs
pid    Process
5108   Setup.exe   (12 identical entries)
Suspicious use of WriteProcessMemory 3 IoCs
description                        pid    Process                                                                 procid_target
PID 1940 wrote to memory of 5108   1940   a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe   82
PID 1940 wrote to memory of 5108   1940   a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe   82
PID 1940 wrote to memory of 5108   1940   a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe   82
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 1940
  Level 2 (child of PID 1940): C:\Program Files (x86)\Cyper\Setup.exe
    Command line: "C:\Program Files (x86)\Cyper\Setup.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID: 5108
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 2.2MB
MD5: 184073024e93d570c71c2e49afc5b26b
SHA1: dbb7cdcb73b04092e9465969f1075227617e88bb
SHA256: cc76ddcff8abaf26698c735a56abb171773c48262e06ae2dbdcaf13769edb8de
SHA512: 00296de5e63229dd91e71dc8d347a34203829314339690a63b5e448ecfda9a7be0f1be11fd34f2936590d30c05ec7ef126ad9ab695ef18459326bdc66160474d

Filesize: 2.2MB
MD5: 184073024e93d570c71c2e49afc5b26b
SHA1: dbb7cdcb73b04092e9465969f1075227617e88bb
SHA256: cc76ddcff8abaf26698c735a56abb171773c48262e06ae2dbdcaf13769edb8de
SHA512: 00296de5e63229dd91e71dc8d347a34203829314339690a63b5e448ecfda9a7be0f1be11fd34f2936590d30c05ec7ef126ad9ab695ef18459326bdc66160474d

Filesize: 14KB
MD5: adb29e6b186daa765dc750128649b63d
SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada