Analysis

max time kernel     146s
max time network    153s
platform            windows10-2004_x64
resource            win10v2004-20220414-en
submitted           25/06/2022, 02:42

Static task         static1
Behavioral task     behavioral1
Sample              8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe
Resource            win7-20220414-en
General

Target    8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe
Size      4.1MB
MD5       28fc393e1c89bb2945827aebf566fa31
SHA1      851fd5cb4e98a5fc9e978d6d05287715eb74a9e8
SHA256    8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779
SHA512    a58f626e831f4f1e906fad432217ac271a7818ae80f08713198b57103ce0fcd1c0a46ac6c961bc2408394ce42271fec10dd4c620dc0c19504068db3a1aa14f2e
Malware Config
Signatures
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  description   ioc                                           Process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   SetupX.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   Setup.exe

Executes dropped EXE 2 IoCs
  pid   Process
  2688  Setup.exe
  4276  SetupX.exe

Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description         ioc                                                                  Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion      Setup.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion       Setup.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion      SetupX.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion       SetupX.exe

Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence.
  description         ioc                                                                                                        Process
  Key value queried   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation      SetupX.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation      Setup.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description   ioc                                                                           Process
  Key opened    \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Wine   Setup.exe
  Key opened    \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Wine   SetupX.exe

Loads dropped DLL 1 IoCs
  pid   Process
  3176  8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  11     ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  pid   Process
  2688  Setup.exe
  4276  SetupX.exe

Drops file in Program Files directory 6 IoCs
  description   ioc                                                   Process
  File created  C:\Program Files (x86)\Busa\SetupX.exe                8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe
  File created  C:\Program Files (x86)\Busa\database_access.php       8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe
  File created  C:\Program Files (x86)\Busa\order.php                 8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe
  File created  C:\Program Files (x86)\Busa\product.php               8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe
  File created  C:\Program Files (x86)\Busa\registration_info.php     8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe
  File created  C:\Program Files (x86)\Busa\Setup.exe                 8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
  description         ioc                                                                                Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                   Setup.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   Setup.exe

Delays execution with timeout.exe 1 IoCs
  pid   Process
  1248  timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
  pid   Process
  2688  Setup.exe
  2688  Setup.exe
  4276  SetupX.exe
  4276  SetupX.exe

Suspicious use of FindShellTrayWindow 12 IoCs
  pid   Process
  2688  Setup.exe
  2688  Setup.exe
  2688  Setup.exe
  2688  Setup.exe
  2688  Setup.exe
  2688  Setup.exe
  2688  Setup.exe
  2688  Setup.exe
  2688  Setup.exe
  2688  Setup.exe
  2688  Setup.exe
  2688  Setup.exe

Suspicious use of WriteProcessMemory 12 IoCs
  description                        pid   Process                                                                 procid_target
  PID 3176 wrote to memory of 2688   3176  8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe   84
  PID 3176 wrote to memory of 2688   3176  8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe   84
  PID 3176 wrote to memory of 2688   3176  8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe   84
  PID 3176 wrote to memory of 4276   3176  8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe   85
  PID 3176 wrote to memory of 4276   3176  8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe   85
  PID 3176 wrote to memory of 4276   3176  8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe   85
  PID 2688 wrote to memory of 3628   2688  Setup.exe                                                               93
  PID 2688 wrote to memory of 3628   2688  Setup.exe                                                               93
  PID 2688 wrote to memory of 3628   2688  Setup.exe                                                               93
  PID 3628 wrote to memory of 1248   3628  cmd.exe                                                                 95
  PID 3628 wrote to memory of 1248   3628  cmd.exe                                                                 95
  PID 3628 wrote to memory of 1248   3628  cmd.exe                                                                 95
Processes

C:\Users\Admin\AppData\Local\Temp\8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 3176

  C:\Program Files (x86)\Busa\Setup.exe
    Command line: "C:\Program Files (x86)\Busa\Setup.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 2688

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\5aQ4Qd6ENMMA & timeout 2 & del /f /q "C:\Program Files (x86)\Busa\Setup.exe"
      - Suspicious use of WriteProcessMemory
      PID: 3628

      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 2
        - Delays execution with timeout.exe
        PID: 1248

  C:\Program Files (x86)\Busa\SetupX.exe
    Command line: "C:\Program Files (x86)\Busa\SetupX.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 4276

Network
MITRE ATT&CK Enterprise v6
Downloads