Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25/06/2022, 03:24
- Static task: static1
- Behavioral task: behavioral1
- Sample: fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe
- Resource: win7-20220414-en
General
- Target: fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe
- Size: 2.2MB
- MD5: afa7b150f54cbc139f9586b16594bec4
- SHA1: 08109ddd53482cdcd6138d888626a5b860bc0925
- SHA256: fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8
- SHA512: 75f39564c813419c5f275dd50113be54801e7afbd365e489c7c365d9e4e14c5ec15474f4bf451a9ffa7555e2e711f869da572149d0654c34fd92664cdfec6431
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (process: fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe)
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine (process: fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 5: ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 3232: fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe)
- Delays execution with timeout.exe (1 IoC)
  PID 2348: timeout.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3232: fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe (2 events)
- Suspicious use of FindShellTrayWindow (12 IoCs)
  PID 3232: fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe (12 events)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3232 wrote to memory of 3688 (process: fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe, procid_target: 86) (3 events)
  PID 3688 wrote to memory of 2348 (process: cmd.exe, procid_target: 88) (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 3232
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\XcfphEnUK & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    PID: 3688
    - C:\Windows\SysWOW64\timeout.exe (depth 3)
      Command line: timeout 2
      Signatures:
      - Delays execution with timeout.exe
      PID: 2348
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 161B
  MD5: b26465add1927d3a0d318f8a83fb603e
  SHA1: 72b1d6895160c6a58483583856bfb57d580abc9f
  SHA256: 79407f411759c49be519022a762862f09dd8439362785f37902bac62d93a047e
  SHA512: 914ab20fd6b55dbe9478fc3169e94ef14d76ffbfaab132280ae248ed516697624ac34bdc9219bc242dcedd29544e526c5c1cb58721f61d76b524e95c44d60a95
- Filesize: 2B
  MD5: 81051bcc2cf1bedf378224b0a93e2877
  SHA1: ba8ab5a0280b953aa97435ff8946cbcbb2755a27
  SHA256: 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
  SHA512: 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
- Filesize: 418KB
  MD5: 7c0784119d2ccd2784e07956f7ddacb8
  SHA1: 13c00637b870dc8bac6f5026647e02bd27a86f2d
  SHA256: 9b81d98c3d97d0c5a0f349778e7cbbac7ac7806b24f016bd40b38c5f55eff775
  SHA512: 5cf1849db135762f18c3350af5bb3aa68c2057beaf70d568ac7a4bbe6e22d97e0db041bee8b4457ebd30092652d0c5260fcce0a67f78c7a4bc3d437a8df5c253
- Filesize: 6KB
  MD5: 1e60a7a795eec078737ab72b62fdbcbd
  SHA1: bfcccd9608176a9fbd83346cd00b5496e4b5c2d1
  SHA256: cef0efd8dcbe2fa073c72d66f7837b2cd3f59087dcb05bbbbb9ddfddf0f42a06
  SHA512: 8cd2c575e330aa9d5a8cc8f0235e2271e81a7c72f5817eab18dfab7f670baab67f1584d7818a7b70ab70be4fcee4c7722f45e0faf29d13833ba9351a88410f58
- Filesize: 50KB
  MD5: 34eec874419f303664c334c229235a4a
  SHA1: bdfd50c36a8a0e83260349dd3dd4c10c4f132b64
  SHA256: fa7f25d1d7ae3b6da665143c380b06ffeba4b4635b37bffc3c328c68f5e4e58e
  SHA512: c519cec9c9ece0bf65168d706352c10ae1d22ee568fc7feb867a83608c9f5869e5fb6b75618092c2f7b19477c9840ee6c5416fc011b5298b63497ca851b1cab1
- Filesize: 96KB
  MD5: 89d4b62651fa5c864b12f3ea6b1521cb
  SHA1: 570d48367b6b66ade9900a9f22d67d67a8fb2081
  SHA256: 22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70
  SHA512: e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff
- Filesize: 464KB
  MD5: 33d87dc210f3bb4c2c39af2eefd8f139
  SHA1: 940f485029051b8900db7e091182311d2f88b70c
  SHA256: bb2a03f08f913e0da257d3e8675062eb135cbef29b9655a15ccac7fdf81f8e1f
  SHA512: cdf6f4ecd8fdbb6a9b09511227c3af13e1b85f32a600d47123eba9194aab3c78a60c78bb8ade2df885ad463cf43c9bfa43b45544e13db9f842e9e7e4439401f1