Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25/06/2022, 02:42

General

  • Target

    8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe

  • Size

    4.1MB

  • MD5

    28fc393e1c89bb2945827aebf566fa31

  • SHA1

    851fd5cb4e98a5fc9e978d6d05287715eb74a9e8

  • SHA256

    8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779

  • SHA512

    a58f626e831f4f1e906fad432217ac271a7818ae80f08713198b57103ce0fcd1c0a46ac6c961bc2408394ce42271fec10dd4c620dc0c19504068db3a1aa14f2e

Malware Config

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

  • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe
    "C:\Users\Admin\AppData\Local\Temp\8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3176
    • C:\Program Files (x86)\Busa\Setup.exe
      "C:\Program Files (x86)\Busa\Setup.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks computer location settings
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\5aQ4Qd6ENMMA & timeout 2 & del /f /q "C:\Program Files (x86)\Busa\Setup.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3628
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:1248
    • C:\Program Files (x86)\Busa\SetupX.exe
      "C:\Program Files (x86)\Busa\SetupX.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks computer location settings
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4276

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Busa\Setup.exe

    Filesize

    2.2MB

    MD5

    3e2939633756d5eafd71201a32b971ed

    SHA1

    1c9b05c647de8ba96ede7cd9054b13e8b6be7725

    SHA256

    c955bf4ec24e5b286fcc12fb9954d08f6a4bf323b5133ec268b37f68d01b8e6a

    SHA512

    96e06d5972bd6ad8d836a18155c63f2022a4c626b5229c84755bc864ada567bfb5e4e3a4d6f4c63826c5ae3ceec6932f6a9b5f24e7649eb5424dbf8a85a5a954

  • C:\Program Files (x86)\Busa\SetupX.exe

    Filesize

    2.0MB

    MD5

    a4900d9fe88f8ac892c383486088288c

    SHA1

    28c089bf25992b270a4e7039bc880ba520186976

    SHA256

    19e5e1df78d2545c13f25dfa94c33011822693461bba6c565d585a55b72343da

    SHA512

    2c3c17183ce2675e2eb729b7e8cd4a879f45c81dea5dbc918ad7a3f14ee81b0fc4872ed9ad23e0700412ed192750a0bc9910a9948d0103b5b592ad644d271711

  • C:\ProgramData\5aQ4Qd6ENMMA\0TIISZ~1.ZIP

    Filesize

    49KB

    MD5

    18b508915abc7ae5194dbe1761cfe3b1

    SHA1

    48e08e0ca9dcf427ac91d56f80007b2a8b2f8114

    SHA256

    6ebe06518cba7f323697abcfe682b1045c810d77b866032ad0301e88bba7167d

    SHA512

    e68fa4cbafb81b6e02f16595a4df5886c5f9454298a88b09a9aa974ed9872b11eb8d1ffc77333820594536ff3a19adda3c2839cd2a6b557867ae63f29c95bd7f

  • C:\ProgramData\5aQ4Qd6ENMMA\47283761.txt

    Filesize

    161B

    MD5

    dd8409640e7d3d745b53a9ebaae625b2

    SHA1

    b36c5052b2e31811543daa795c1e5084de78f67c

    SHA256

    63423ed01aecb5f5c7bdc10a32817ef68c77d09ed7a436c90fb6f5f149d7fc58

    SHA512

    afd24104e9027eedeb717dc4aa2a1496db07aac0a20906bfdf02e3304224ff6b22fa2dee6e92b73442a7e52f32e626f39a5551857232da269ab40f7bccc08aef

  • C:\ProgramData\5aQ4Qd6ENMMA\Files\Browsers\_FILEC~1.TXT

    Filesize

    2B

    MD5

    81051bcc2cf1bedf378224b0a93e2877

    SHA1

    ba8ab5a0280b953aa97435ff8946cbcbb2755a27

    SHA256

    7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

    SHA512

    1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

  • C:\ProgramData\5aQ4Qd6ENMMA\Files\_Info.txt

    Filesize

    6KB

    MD5

    3cffa2a5db01cd0d75f5088391961a57

    SHA1

    ea8cdfe32bc31683d05b040e65f68a304797c6f8

    SHA256

    89acec54815ab80b165d95aa25abc51471f2462fa7e18e69a096f741f55fd879

    SHA512

    607f1c5c6c6f58d14c386446b2db14bb7043eecd2a95ba7383ca1160811ddd41b4967459a6dfa3ec493e3c62bdd153ea841175682e88d1c920cfb207d32e0931

  • C:\ProgramData\5aQ4Qd6ENMMA\Files\_Screen.jpg

    Filesize

    54KB

    MD5

    b7d470158087c0505538eb76ec8fbb12

    SHA1

    9b9e2220bbdc6bee5ac736c175ec96f99130df8a

    SHA256

    b65f876d5e070907eaeafc6165e4db1a662d7010573e374c084a65b289da2c8d

    SHA512

    1382978cbfef4dc3f21df8f8e5c9fa5e451a264423541e3ceaf38ee02ff587071d183b642d217397dd4c042c832e746463d69729cd1ed16138ebac2857c0338d

  • C:\ProgramData\5aQ4Qd6ENMMA\MOZ_CO~1.DB

    Filesize

    96KB

    MD5

    89d4b62651fa5c864b12f3ea6b1521cb

    SHA1

    570d48367b6b66ade9900a9f22d67d67a8fb2081

    SHA256

    22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70

    SHA512

    e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff

  • C:\Users\Admin\AppData\Local\Temp\nsxB4EE.tmp\UAC.dll

    Filesize

    14KB

    MD5

    adb29e6b186daa765dc750128649b63d

    SHA1

    160cbdc4cb0ac2c142d361df138c537aa7e708c9

    SHA256

    2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

    SHA512

    b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

  • memory/2688-142-0x00000000773E0000-0x0000000077583000-memory.dmp

    Filesize

    1.6MB

  • memory/2688-136-0x0000000000F20000-0x0000000001468000-memory.dmp

    Filesize

    5.3MB

  • memory/2688-143-0x0000000000F20000-0x0000000001468000-memory.dmp

    Filesize

    5.3MB

  • memory/2688-150-0x0000000000F20000-0x0000000001468000-memory.dmp

    Filesize

    5.3MB

  • memory/2688-158-0x00000000773E0000-0x0000000077583000-memory.dmp

    Filesize

    1.6MB

  • memory/2688-140-0x0000000000F20000-0x0000000001468000-memory.dmp

    Filesize

    5.3MB

  • memory/2688-138-0x00000000773E0000-0x0000000077583000-memory.dmp

    Filesize

    1.6MB

  • memory/4276-137-0x0000000000400000-0x0000000000918000-memory.dmp

    Filesize

    5.1MB

  • memory/4276-148-0x00000000773E0000-0x0000000077583000-memory.dmp

    Filesize

    1.6MB

  • memory/4276-147-0x0000000000400000-0x0000000000918000-memory.dmp

    Filesize

    5.1MB

  • memory/4276-146-0x0000000000400000-0x0000000000918000-memory.dmp

    Filesize

    5.1MB

  • memory/4276-145-0x00000000773E0000-0x0000000077583000-memory.dmp

    Filesize

    1.6MB

  • memory/4276-144-0x0000000000400000-0x0000000000918000-memory.dmp

    Filesize

    5.1MB

  • memory/4276-141-0x0000000000400000-0x0000000000918000-memory.dmp

    Filesize

    5.1MB

  • memory/4276-139-0x00000000773E0000-0x0000000077583000-memory.dmp

    Filesize

    1.6MB