Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25/06/2022, 01:49

General

  • Target

    d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe

  • Size

    4.3MB

  • MD5

    87ff226077aa2f3db328d217b8a19033

  • SHA1

    946b7937d9f7742199b59c4024848a695b27c36b

  • SHA256

    d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd

  • SHA512

    0930d4b17d6c2617f5edbdd75974d015b3da27e07d1ef903d7c5fb20366c74394a1450f4f924d6a924d6d622e3c282e84406d0a94c171aaf5eaccf432532a317

Malware Config

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe
    "C:\Users\Admin\AppData\Local\Temp\d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Program Files (x86)\Der\Supr\Setup.exe
      "C:\Program Files (x86)\Der\Supr\Setup.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:2084
    • C:\Windows\SysWOW64\CScript.exe
      "C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Der\Supr\Two.vbs" //e:vbscript //B //NOLOGO
      2⤵
      • Blocklisted process makes network request
      PID:4088
    • C:\Program Files (x86)\Der\Supr\Cdx.exe
      "C:\Program Files (x86)\Der\Supr\Cdx.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3828

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Der\Supr\Cdx.exe

    Filesize

    2.0MB

    MD5

    4439cc1740e82b9f3fb33530a6e1e8a6

    SHA1

    48e54edeaa74bef978331bd8462a6574e3d0082e

    SHA256

    808df2e63220ea5d4f44e14fc2889aaf5fc4cf4ae4a108483d98b8af731a6996

    SHA512

    2b356b2fe5bd74e6ddaaa26b8e56c1dc0b8b6d96239169c23c4e8648bae8dc786c1ae65278a3a701fc56f5057920ed067c5021b97090935beff1512a7c70324b

  • C:\Program Files (x86)\Der\Supr\Setup.exe

    Filesize

    2.2MB

    MD5

    85f23b584b90f70c3df7fc98786cef0e

    SHA1

    f79271242dc8332ea8ac3644367b86a1fdb6604c

    SHA256

    dcaae466817bfe1a408ce564c702ccc373eff859b6b134f2b8b5b10142e948d8

    SHA512

    a3d33cedf920e83eb438306821e8243d815c85176c993e6b91fba6c5279c3e0f47f8a868b8f10a80b3f8edf53f6625af566eef22da7a182896ad812e26b58a7d

  • C:\Program Files (x86)\Der\Supr\Setup.exe

    Filesize

    2.2MB

    MD5

    85f23b584b90f70c3df7fc98786cef0e

    SHA1

    f79271242dc8332ea8ac3644367b86a1fdb6604c

    SHA256

    dcaae466817bfe1a408ce564c702ccc373eff859b6b134f2b8b5b10142e948d8

    SHA512

    a3d33cedf920e83eb438306821e8243d815c85176c993e6b91fba6c5279c3e0f47f8a868b8f10a80b3f8edf53f6625af566eef22da7a182896ad812e26b58a7d

  • C:\Program Files (x86)\Der\Supr\Two.vbs

    Filesize

    126B

    MD5

    c6362e3c5585f24a9e9a2712c00c52ff

    SHA1

    9259b9609313386f004328d2c306820eae01a587

    SHA256

    184ca5b2737175e0828f3546d483778c95e23720f1375deac0090c2fe415e208

    SHA512

    59ac94fdb6f41d6dc5cbea1855897759f35032ac922b936a0b39a21b6aafb0c862c5d419afa31c0b81f106f2ce06b2909cdb5fb713534fbe36202c5a4fedfeaa

  • C:\Users\Admin\AppData\Local\Temp\nsmA677.tmp\UAC.dll

    Filesize

    14KB

    MD5

    adb29e6b186daa765dc750128649b63d

    SHA1

    160cbdc4cb0ac2c142d361df138c537aa7e708c9

    SHA256

    2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

    SHA512

    b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

  • C:\Users\Admin\AppData\Local\Temp\nsmA677.tmp\nsExec.dll

    Filesize

    6KB

    MD5

    132e6153717a7f9710dcea4536f364cd

    SHA1

    e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

    SHA256

    d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

    SHA512

    9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

  • memory/2084-145-0x0000000000800000-0x0000000000D42000-memory.dmp

    Filesize

    5.3MB

  • memory/2084-138-0x00000000777E0000-0x0000000077983000-memory.dmp

    Filesize

    1.6MB

  • memory/2084-139-0x0000000000800000-0x0000000000D42000-memory.dmp

    Filesize

    5.3MB

  • memory/2084-136-0x0000000000800000-0x0000000000D42000-memory.dmp

    Filesize

    5.3MB

  • memory/2084-147-0x0000000000800000-0x0000000000D42000-memory.dmp

    Filesize

    5.3MB

  • memory/2084-146-0x00000000777E0000-0x0000000077983000-memory.dmp

    Filesize

    1.6MB

  • memory/3828-144-0x0000000000400000-0x000000000091A000-memory.dmp

    Filesize

    5.1MB

  • memory/3828-143-0x00000000777E0000-0x0000000077983000-memory.dmp

    Filesize

    1.6MB

  • memory/3828-142-0x0000000000400000-0x000000000091A000-memory.dmp

    Filesize

    5.1MB

  • memory/3828-148-0x0000000000400000-0x000000000091A000-memory.dmp

    Filesize

    5.1MB

  • memory/3828-149-0x0000000000400000-0x000000000091A000-memory.dmp

    Filesize

    5.1MB