Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25/06/2022, 01:49
- Static task: static1
- Behavioral task: behavioral1
- Sample: d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe
- Resource: win7-20220414-en
General
- Target: d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe
- Size: 4.3MB
- MD5: 87ff226077aa2f3db328d217b8a19033
- SHA1: 946b7937d9f7742199b59c4024848a695b27c36b
- SHA256: d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd
- SHA512: 0930d4b17d6c2617f5edbdd75974d015b3da27e07d1ef903d7c5fb20366c74394a1450f4f924d6a924d6d622e3c282e84406d0a94c171aaf5eaccf432532a317
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  description   ioc                                           Process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   Setup.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   Cdx.exe
- Blocklisted process makes network request (2 IoCs)
  flow   pid    Process
  23     4088   CScript.exe
  28     4088   CScript.exe
- Executes dropped EXE (2 IoCs)
  pid    Process
  2084   Setup.exe
  3828   Cdx.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                              Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Setup.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Setup.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Cdx.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Cdx.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description   ioc                                                                          Process
  Key opened    \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Wine  Setup.exe
  Key opened    \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Wine  Cdx.exe
- Loads dropped DLL (2 IoCs)
  pid    Process
  2204   d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe
  2204   d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  31     ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid    Process
  2084   Setup.exe
  3828   Cdx.exe
- Drops file in Program Files directory (7 IoCs)
  description   ioc                                                Process
  File created  C:\Program Files (x86)\Der\Supr\udis.dll           d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe
  File created  C:\Program Files (x86)\Der\Supr\Setup.exe          d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe
  File created  C:\Program Files (x86)\Der\Supr\Two.vbs            d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe
  File created  C:\Program Files (x86)\Der\Supr\Pass.txt           d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe
  File created  C:\Program Files (x86)\Der\Supr\Cdx.exe            d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe
  File created  C:\Program Files (x86)\Der\Supr\enigma_ide.dll     d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe
  File created  C:\Program Files (x86)\Der\Supr\enigma_ide64.dll   d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                  Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      Setup.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Setup.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid    Process
  2084   Setup.exe
  2084   Setup.exe
  3828   Cdx.exe
  3828   Cdx.exe
- Suspicious use of FindShellTrayWindow (12 IoCs)
  pid    Process
  2084   Setup.exe   (all 12 IoCs are this same pid/process pair)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid    Process                                                                 procid_target
  PID 2204 wrote to memory of 2084   2204   d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe   84
  PID 2204 wrote to memory of 2084   2204   d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe   84
  PID 2204 wrote to memory of 2084   2204   d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe   84
  PID 2204 wrote to memory of 4088   2204   d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe   85
  PID 2204 wrote to memory of 4088   2204   d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe   85
  PID 2204 wrote to memory of 4088   2204   d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe   85
  PID 2204 wrote to memory of 3828   2204   d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe   88
  PID 2204 wrote to memory of 3828   2204   d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe   88
  PID 2204 wrote to memory of 3828   2204   d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe   88
Processes
- C:\Users\Admin\AppData\Local\Temp\d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe (level 1, PID 2204)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d1d65a8a10ee7258e2c0c2d43a8180a0faa56c399c76eecd075d053d565a8ddd.exe"
  Signatures:
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Der\Supr\Setup.exe (level 2, PID 2084)
    Command line: "C:\Program Files (x86)\Der\Supr\Setup.exe"
    Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
  - C:\Windows\SysWOW64\CScript.exe (level 2, PID 4088)
    Command line: "C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Der\Supr\Two.vbs" //e:vbscript //B //NOLOGO
    Signatures:
    - Blocklisted process makes network request
  - C:\Program Files (x86)\Der\Supr\Cdx.exe (level 2, PID 3828)
    Command line: "C:\Program Files (x86)\Der\Supr\Cdx.exe"
    Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads