Analysis
max time kernel: 219s
max time network: 241s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25/06/2022, 02:42
Static task: static1
Behavioral task: behavioral1
Sample: 8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe
Resource: win7-20220414-en
General
Target: 8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe
Size: 4.1MB
MD5: 28fc393e1c89bb2945827aebf566fa31
SHA1: 851fd5cb4e98a5fc9e978d6d05287715eb74a9e8
SHA256: 8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779
SHA512: a58f626e831f4f1e906fad432217ac271a7818ae80f08713198b57103ce0fcd1c0a46ac6c961bc2408394ce42271fec10dd4c620dc0c19504068db3a1aa14f2e
Malware Config
Signatures
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Setup.exe)
  Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (SetupX.exe)
Executes dropped EXE 2 IoCs
  PID 1220 Setup.exe
  PID 2000 SetupX.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Setup.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Setup.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (SetupX.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (SetupX.exe)
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine (Setup.exe)
  Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine (SetupX.exe)
Loads dropped DLL 7 IoCs
  PID 1680 8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe
  PID 1680 8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe
  PID 1220 Setup.exe
  PID 1220 Setup.exe
  PID 1680 8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe
  PID 2000 SetupX.exe
  PID 2000 SetupX.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 7: ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  PID 1220 Setup.exe
  PID 2000 SetupX.exe
Drops file in Program Files directory 6 IoCs
  File created C:\Program Files (x86)\Busa\registration_info.php (8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe)
  File created C:\Program Files (x86)\Busa\Setup.exe (8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe)
  File created C:\Program Files (x86)\Busa\SetupX.exe (8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe)
  File created C:\Program Files (x86)\Busa\database_access.php (8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe)
  File created C:\Program Files (x86)\Busa\order.php (8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe)
  File created C:\Program Files (x86)\Busa\product.php (8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Setup.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Setup.exe)
Modifies system certificate store
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 (SetupX.exe)
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde (SetupX.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
  PID 1220 Setup.exe
  PID 2000 SetupX.exe
Suspicious use of FindShellTrayWindow 12 IoCs
  PID 1220 Setup.exe (12 occurrences)
Suspicious use of WriteProcessMemory 14 IoCs
  PID 1680 (8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe) wrote to memory of PID 1220, procid_target 28 (7 occurrences)
  PID 1680 (8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe) wrote to memory of PID 2000, procid_target 29 (7 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe"
  Level 1, PID 1680
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Busa\Setup.exe
    Command line: "C:\Program Files (x86)\Busa\Setup.exe"
    Level 2, PID 1220
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
  C:\Program Files (x86)\Busa\SetupX.exe
    Command line: "C:\Program Files (x86)\Busa\SetupX.exe"
    Level 2, PID 2000
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 2.2MB
MD5: 3e2939633756d5eafd71201a32b971ed
SHA1: 1c9b05c647de8ba96ede7cd9054b13e8b6be7725
SHA256: c955bf4ec24e5b286fcc12fb9954d08f6a4bf323b5133ec268b37f68d01b8e6a
SHA512: 96e06d5972bd6ad8d836a18155c63f2022a4c626b5229c84755bc864ada567bfb5e4e3a4d6f4c63826c5ae3ceec6932f6a9b5f24e7649eb5424dbf8a85a5a954

Filesize: 2.2MB
MD5: 3e2939633756d5eafd71201a32b971ed
SHA1: 1c9b05c647de8ba96ede7cd9054b13e8b6be7725
SHA256: c955bf4ec24e5b286fcc12fb9954d08f6a4bf323b5133ec268b37f68d01b8e6a
SHA512: 96e06d5972bd6ad8d836a18155c63f2022a4c626b5229c84755bc864ada567bfb5e4e3a4d6f4c63826c5ae3ceec6932f6a9b5f24e7649eb5424dbf8a85a5a954

Filesize: 2.0MB
MD5: a4900d9fe88f8ac892c383486088288c
SHA1: 28c089bf25992b270a4e7039bc880ba520186976
SHA256: 19e5e1df78d2545c13f25dfa94c33011822693461bba6c565d585a55b72343da
SHA512: 2c3c17183ce2675e2eb729b7e8cd4a879f45c81dea5dbc918ad7a3f14ee81b0fc4872ed9ad23e0700412ed192750a0bc9910a9948d0103b5b592ad644d271711

Filesize: 2.0MB
MD5: a4900d9fe88f8ac892c383486088288c
SHA1: 28c089bf25992b270a4e7039bc880ba520186976
SHA256: 19e5e1df78d2545c13f25dfa94c33011822693461bba6c565d585a55b72343da
SHA512: 2c3c17183ce2675e2eb729b7e8cd4a879f45c81dea5dbc918ad7a3f14ee81b0fc4872ed9ad23e0700412ed192750a0bc9910a9948d0103b5b592ad644d271711

Filesize: 2.2MB
MD5: 3e2939633756d5eafd71201a32b971ed
SHA1: 1c9b05c647de8ba96ede7cd9054b13e8b6be7725
SHA256: c955bf4ec24e5b286fcc12fb9954d08f6a4bf323b5133ec268b37f68d01b8e6a
SHA512: 96e06d5972bd6ad8d836a18155c63f2022a4c626b5229c84755bc864ada567bfb5e4e3a4d6f4c63826c5ae3ceec6932f6a9b5f24e7649eb5424dbf8a85a5a954

Filesize: 2.2MB
MD5: 3e2939633756d5eafd71201a32b971ed
SHA1: 1c9b05c647de8ba96ede7cd9054b13e8b6be7725
SHA256: c955bf4ec24e5b286fcc12fb9954d08f6a4bf323b5133ec268b37f68d01b8e6a
SHA512: 96e06d5972bd6ad8d836a18155c63f2022a4c626b5229c84755bc864ada567bfb5e4e3a4d6f4c63826c5ae3ceec6932f6a9b5f24e7649eb5424dbf8a85a5a954

Filesize: 2.2MB
MD5: 3e2939633756d5eafd71201a32b971ed
SHA1: 1c9b05c647de8ba96ede7cd9054b13e8b6be7725
SHA256: c955bf4ec24e5b286fcc12fb9954d08f6a4bf323b5133ec268b37f68d01b8e6a
SHA512: 96e06d5972bd6ad8d836a18155c63f2022a4c626b5229c84755bc864ada567bfb5e4e3a4d6f4c63826c5ae3ceec6932f6a9b5f24e7649eb5424dbf8a85a5a954

Filesize: 2.0MB
MD5: a4900d9fe88f8ac892c383486088288c
SHA1: 28c089bf25992b270a4e7039bc880ba520186976
SHA256: 19e5e1df78d2545c13f25dfa94c33011822693461bba6c565d585a55b72343da
SHA512: 2c3c17183ce2675e2eb729b7e8cd4a879f45c81dea5dbc918ad7a3f14ee81b0fc4872ed9ad23e0700412ed192750a0bc9910a9948d0103b5b592ad644d271711

Filesize: 2.0MB
MD5: a4900d9fe88f8ac892c383486088288c
SHA1: 28c089bf25992b270a4e7039bc880ba520186976
SHA256: 19e5e1df78d2545c13f25dfa94c33011822693461bba6c565d585a55b72343da
SHA512: 2c3c17183ce2675e2eb729b7e8cd4a879f45c81dea5dbc918ad7a3f14ee81b0fc4872ed9ad23e0700412ed192750a0bc9910a9948d0103b5b592ad644d271711

Filesize: 2.0MB
MD5: a4900d9fe88f8ac892c383486088288c
SHA1: 28c089bf25992b270a4e7039bc880ba520186976
SHA256: 19e5e1df78d2545c13f25dfa94c33011822693461bba6c565d585a55b72343da
SHA512: 2c3c17183ce2675e2eb729b7e8cd4a879f45c81dea5dbc918ad7a3f14ee81b0fc4872ed9ad23e0700412ed192750a0bc9910a9948d0103b5b592ad644d271711

Filesize: 14KB
MD5: adb29e6b186daa765dc750128649b63d
SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada