Analysis
- max time kernel: 148s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 09:47
Static task: static1
Behavioral task: behavioral1
Sample: 62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe
Resource: win7-20220414-en
General
- Target: 62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe
- Size: 8.6MB
- MD5: 1d0f0178e9fe7c70684b48699b6b327a
- SHA1: 538b422631bf46c9647aac19d542cad8e910bc37
- SHA256: 62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30
- SHA512: 8f0c41459589c14a8a010e1a2eadecd17c89189ef492b9828c76cd350a7af103c2e4f38dc47d38fc127a0a963a74972b8fbea7006acfbf335145372f2b0dfdb2
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
Processes: 018.exe, boind.exe, 18.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 018.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | boind.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 18.exe
-
Executes dropped EXE 3 IoCs
Processes: 018.exe, boind.exe, 18.exe
  pid | process
  64 | 018.exe
  4672 | boind.exe
  2860 | 18.exe
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 018.exe, boind.exe, 18.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 018.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | boind.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | boind.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 18.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 18.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 018.exe
-
Loads dropped DLL 1 IoCs
Processes: 62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe
  pid | process
  5092 | 62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
  resource | yara_rule
  C:\Program Files (x86)\Taras\org\com\018.exe | themida
  behavioral2/memory/64-134-0x0000000000400000-0x0000000000AF2000-memory.dmp | themida
  C:\Program Files (x86)\Taras\org\com\boind.exe | themida
  C:\Program Files (x86)\Taras\org\com\18.exe | themida
  behavioral2/memory/64-138-0x0000000000400000-0x0000000000AF2000-memory.dmp | themida
  behavioral2/memory/64-140-0x0000000000400000-0x0000000000AF2000-memory.dmp | themida
  behavioral2/memory/4672-139-0x0000000000910000-0x000000000110F000-memory.dmp | themida
  behavioral2/memory/4672-141-0x0000000000910000-0x000000000110F000-memory.dmp | themida
  behavioral2/memory/64-142-0x0000000000400000-0x0000000000AF2000-memory.dmp | themida
  behavioral2/memory/4672-143-0x0000000000910000-0x000000000110F000-memory.dmp | themida
  behavioral2/memory/4672-145-0x0000000000910000-0x000000000110F000-memory.dmp | themida
  behavioral2/memory/2860-147-0x0000000000400000-0x0000000000B76000-memory.dmp | themida
  behavioral2/memory/4672-148-0x0000000000910000-0x000000000110F000-memory.dmp | themida
  behavioral2/memory/4672-150-0x0000000000910000-0x000000000110F000-memory.dmp | themida
  behavioral2/memory/4672-152-0x0000000000910000-0x000000000110F000-memory.dmp | themida
  behavioral2/memory/4672-153-0x0000000000910000-0x000000000110F000-memory.dmp | themida
  behavioral2/memory/64-154-0x0000000000400000-0x0000000000AF2000-memory.dmp | themida
  behavioral2/memory/2860-156-0x0000000000400000-0x0000000000B76000-memory.dmp | themida
  behavioral2/memory/2860-157-0x0000000000400000-0x0000000000B76000-memory.dmp | themida
  behavioral2/memory/2860-158-0x0000000000400000-0x0000000000B76000-memory.dmp | themida
  behavioral2/memory/4672-159-0x0000000000910000-0x000000000110F000-memory.dmp | themida
  behavioral2/memory/2860-160-0x0000000000400000-0x0000000000B76000-memory.dmp | themida
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes: 018.exe, boind.exe, 18.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 018.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | boind.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 18.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  6 | ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes: 018.exe, boind.exe, 18.exe
  pid | process
  64 | 018.exe
  4672 | boind.exe
  2860 | 18.exe
-
Drops file in Program Files directory 3 IoCs
Processes: 62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe
  description | ioc | process
  File created | C:\Program Files (x86)\Taras\org\com\boind.exe | 62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe
  File created | C:\Program Files (x86)\Taras\org\com\018.exe | 62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe
  File created | C:\Program Files (x86)\Taras\org\com\18.exe | 62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: boind.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | boind.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | boind.exe
-
Suspicious use of FindShellTrayWindow 12 IoCs
Processes: boind.exe
  pid | process
  4672 | boind.exe
  4672 | boind.exe
  4672 | boind.exe
  4672 | boind.exe
  4672 | boind.exe
  4672 | boind.exe
  4672 | boind.exe
  4672 | boind.exe
  4672 | boind.exe
  4672 | boind.exe
  4672 | boind.exe
  4672 | boind.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe
  description | pid | process | target process
  PID 5092 wrote to memory of 64 | 5092 | 62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe | 018.exe
  PID 5092 wrote to memory of 64 | 5092 | 62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe | 018.exe
  PID 5092 wrote to memory of 64 | 5092 | 62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe | 018.exe
  PID 5092 wrote to memory of 4672 | 5092 | 62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe | boind.exe
  PID 5092 wrote to memory of 4672 | 5092 | 62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe | boind.exe
  PID 5092 wrote to memory of 4672 | 5092 | 62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe | boind.exe
  PID 5092 wrote to memory of 2860 | 5092 | 62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe | 18.exe
  PID 5092 wrote to memory of 2860 | 5092 | 62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe | 18.exe
  PID 5092 wrote to memory of 2860 | 5092 | 62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe | 18.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Taras\org\com\018.exe (level 2)
    Command line: "C:\Program Files (x86)\Taras\org\com\018.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
  - C:\Program Files (x86)\Taras\org\com\boind.exe (level 2)
    Command line: "C:\Program Files (x86)\Taras\org\com\boind.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious use of FindShellTrayWindow
  - C:\Program Files (x86)\Taras\org\com\18.exe (level 2)
    Command line: "C:\Program Files (x86)\Taras\org\com\18.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\Taras\org\com\018.exe
  Filesize: 2.7MB
  MD5: 49ccf5e3a5e296f82d3ed24413d5e01b
  SHA1: aa10cd180a20b46a6e7e2c641aa4c3c345e5ec7a
  SHA256: 5b988b60fb68a3fb9ac847bc18b112ffebd8178faff36966f6a219a58c5f080a
  SHA512: 8aaaa0768baa7d3c00818a5955b5b630ecb1f6fed9057bbf07df2862a981c0d16fa943de6da1703138f1777e2ea9e2939150bd86eddb654772d6505beab147f2
- C:\Program Files (x86)\Taras\org\com\18.exe
  Filesize: 2.9MB
  MD5: fe46cf63820ec9a916ba9913f5c93a67
  SHA1: a7ba5fd9cc6780b27a6721d94184fc6231c04151
  SHA256: a842ec6b502a19617bc6e677eee04dc87bc27d93acf824bd82266c625919d0c5
  SHA512: 6e4b2b36c7339e22ff917e636d80f995c5605aab5495dac266b92e875a8e97554e4e0522efa255b83d762acbefebd8731ae967ce6bb697862a530077b4f8269c
- C:\Program Files (x86)\Taras\org\com\boind.exe
  Filesize: 3.3MB
  MD5: b85c87cc45326ffc33a4488ea54a209b
  SHA1: 1ad857c5638e2e948389c20e0c26673a9d8cd401
  SHA256: f866b825857a23d1fa605c551fcc81333a50ff2ad27d3aff290f5ee434b0b706
  SHA512: c980f521021bca2955f953af27cc86ebfae116a250eddc5f6d102af92c0e138e06dfa82902f0eb85ae21a2ca5fea8e0de2d14a28cb48e09771b88145bb4b9002
- C:\Users\Admin\AppData\Local\Temp\nspBACA.tmp\UAC.dll
  Filesize: 14KB
  MD5: adb29e6b186daa765dc750128649b63d
  SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
  SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
  SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
- memory/64-155-0x0000000076FA0000-0x0000000077143000-memory.dmp
  Filesize: 1.6MB
- memory/64-142-0x0000000000400000-0x0000000000AF2000-memory.dmp
  Filesize: 6.9MB
- memory/64-154-0x0000000000400000-0x0000000000AF2000-memory.dmp
  Filesize: 6.9MB
- memory/64-134-0x0000000000400000-0x0000000000AF2000-memory.dmp
  Filesize: 6.9MB
- memory/64-138-0x0000000000400000-0x0000000000AF2000-memory.dmp
  Filesize: 6.9MB
- memory/64-140-0x0000000000400000-0x0000000000AF2000-memory.dmp
  Filesize: 6.9MB
- memory/64-131-0x0000000000000000-mapping.dmp
- memory/64-146-0x0000000076FA0000-0x0000000077143000-memory.dmp
  Filesize: 1.6MB
- memory/2860-160-0x0000000000400000-0x0000000000B76000-memory.dmp
  Filesize: 7.5MB
- memory/2860-158-0x0000000000400000-0x0000000000B76000-memory.dmp
  Filesize: 7.5MB
- memory/2860-157-0x0000000000400000-0x0000000000B76000-memory.dmp
  Filesize: 7.5MB
- memory/2860-151-0x0000000076FA0000-0x0000000077143000-memory.dmp
  Filesize: 1.6MB
- memory/2860-147-0x0000000000400000-0x0000000000B76000-memory.dmp
  Filesize: 7.5MB
- memory/2860-156-0x0000000000400000-0x0000000000B76000-memory.dmp
  Filesize: 7.5MB
- memory/2860-162-0x0000000076FA0000-0x0000000077143000-memory.dmp
  Filesize: 1.6MB
- memory/2860-136-0x0000000000000000-mapping.dmp
- memory/4672-141-0x0000000000910000-0x000000000110F000-memory.dmp
  Filesize: 8.0MB
- memory/4672-152-0x0000000000910000-0x000000000110F000-memory.dmp
  Filesize: 8.0MB
- memory/4672-153-0x0000000000910000-0x000000000110F000-memory.dmp
  Filesize: 8.0MB
- memory/4672-150-0x0000000000910000-0x000000000110F000-memory.dmp
  Filesize: 8.0MB
- memory/4672-149-0x0000000076FA0000-0x0000000077143000-memory.dmp
  Filesize: 1.6MB
- memory/4672-148-0x0000000000910000-0x000000000110F000-memory.dmp
  Filesize: 8.0MB
- memory/4672-145-0x0000000000910000-0x000000000110F000-memory.dmp
  Filesize: 8.0MB
- memory/4672-143-0x0000000000910000-0x000000000110F000-memory.dmp
  Filesize: 8.0MB
- memory/4672-159-0x0000000000910000-0x000000000110F000-memory.dmp
  Filesize: 8.0MB
- memory/4672-133-0x0000000000000000-mapping.dmp
- memory/4672-161-0x0000000076FA0000-0x0000000077143000-memory.dmp
  Filesize: 1.6MB
- memory/4672-139-0x0000000000910000-0x000000000110F000-memory.dmp
  Filesize: 8.0MB