Analysis

max time kernel: 158s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 25/06/2022, 02:25

Static task: static1
Behavioral task: behavioral1
Sample: 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe
Resource: win7-20220414-en
General

Target: 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe
Size: 4.2MB
MD5: 6f2f7f2ce0ef33d170cf9ee67265770d
SHA1: beb2c4bd2ab65ed67028a1a8db92750c624d7eb8
SHA256: 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb
SHA512: 11e01409e4038e812f5351753f498e3a179d7a8e209f7d652682198796fab226406e4b613a669cac379513d689d0f920050d7a7e6a362470c5599169481b00fc
Malware Config
Signatures

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Setup.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Setupres.exe

Blocklisted process makes network request (2 IoCs)
flow | pid | Process
14 | 4840 | CScript.exe
16 | 4840 | CScript.exe

Executes dropped EXE (2 IoCs)
pid | Process
1560 | Setup.exe
204 | Setupres.exe

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Setupres.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Setup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Setup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Setupres.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | Setupres.exe

Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Wine | Setup.exe
Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Wine | Setupres.exe

Loads dropped DLL (2 IoCs)
pid | Process
3536 | 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe
3536 | 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
26 | ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
1560 | Setup.exe
204 | Setupres.exe

Drops file in Program Files directory (8 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Sir\Xd\ipras.vbs | 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe
File created | C:\Program Files (x86)\Sir\Xd\Setup.exe | 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe
File created | C:\Program Files (x86)\Sir\Xd\Setupres.exe | 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe
File created | C:\Program Files (x86)\Sir\Xd\Project1.dpr | 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe
File created | C:\Program Files (x86)\Sir\Xd\Project1.res | 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe
File created | C:\Program Files (x86)\Sir\Xd\Unit1.pas | 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe
File created | C:\Program Files (x86)\Sir\Xd\VMProtectSDK.pas | 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe
File created | C:\Program Files (x86)\Sir\Xd\VMProtectSDK32.dll | 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Setup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Setup.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1560 | Setup.exe
1560 | Setup.exe
204 | Setupres.exe
204 | Setupres.exe

Suspicious use of FindShellTrayWindow (12 IoCs)
pid | Process
1560 | Setup.exe
1560 | Setup.exe
1560 | Setup.exe
1560 | Setup.exe
1560 | Setup.exe
1560 | Setup.exe
1560 | Setup.exe
1560 | Setup.exe
1560 | Setup.exe
1560 | Setup.exe
1560 | Setup.exe
1560 | Setup.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 3536 wrote to memory of 1560 | 3536 | 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe | 78
PID 3536 wrote to memory of 1560 | 3536 | 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe | 78
PID 3536 wrote to memory of 1560 | 3536 | 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe | 78
PID 3536 wrote to memory of 4840 | 3536 | 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe | 79
PID 3536 wrote to memory of 4840 | 3536 | 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe | 79
PID 3536 wrote to memory of 4840 | 3536 | 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe | 79
PID 3536 wrote to memory of 204 | 3536 | 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe | 83
PID 3536 wrote to memory of 204 | 3536 | 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe | 83
PID 3536 wrote to memory of 204 | 3536 | 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe | 83
Processes

C:\Users\Admin\AppData\Local\Temp\4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb.exe"
  PID: 3536
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Sir\Xd\Setup.exe (level 2)
    Command line: "C:\Program Files (x86)\Sir\Xd\Setup.exe"
    PID: 1560
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow

  C:\Windows\SysWOW64\CScript.exe (level 2)
    Command line: "C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Sir\Xd\ipras.vbs" //e:vbscript //B //NOLOGO
    PID: 4840
    - Blocklisted process makes network request

  C:\Program Files (x86)\Sir\Xd\Setupres.exe (level 2)
    Command line: "C:\Program Files (x86)\Sir\Xd\Setupres.exe"
    PID: 204
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads