Analysis
max time kernel: 155s
max time network: 172s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25/06/2022, 09:45
Static task: static1
Behavioral task: behavioral1
Sample: 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe
Resource: win7-20220414-en
General
Target: 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe
Size: 4.2MB
MD5: 9b6bb16c4699b4af550f9420392b5524
SHA1: 7e33c896bb7a2a831ed95faee818523977ae2b8d
SHA256: 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193
SHA512: 8db363415b7eab22ae5752bc139c981ed036c778d4ad53e3e10755f658bb85f35039a8bfba1afbbe0a9da260e0d31d0f34e4251bc1f315d1b5f180ba3c4da597
Malware Config
Signatures
- suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Setup.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | SetupX.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2016 | Setup.exe
  1884 | SetupX.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SetupX.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | SetupX.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine | Setup.exe
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine | SetupX.exe
- Loads dropped DLL (7 IoCs)
  pid | Process
  1164 | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe
  1164 | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe
  1164 | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe
  2016 | Setup.exe
  2016 | Setup.exe
  1884 | SetupX.exe
  1884 | SetupX.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  7 | ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  2016 | Setup.exe
  1884 | SetupX.exe
- Drops file in Program Files directory (6 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Busa\database_access.php | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe
  File created | C:\Program Files (x86)\Busa\order.php | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe
  File created | C:\Program Files (x86)\Busa\product.php | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe
  File created | C:\Program Files (x86)\Busa\registration_info.php | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe
  File created | C:\Program Files (x86)\Busa\Setup.exe | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe
  File created | C:\Program Files (x86)\Busa\SetupX.exe | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Setup.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2016 | Setup.exe
  1884 | SetupX.exe
- Suspicious use of FindShellTrayWindow (12 IoCs)
  pid | Process
  2016 | Setup.exe
  2016 | Setup.exe
  2016 | Setup.exe
  2016 | Setup.exe
  2016 | Setup.exe
  2016 | Setup.exe
  2016 | Setup.exe
  2016 | Setup.exe
  2016 | Setup.exe
  2016 | Setup.exe
  2016 | Setup.exe
  2016 | Setup.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 1164 wrote to memory of 2016 | 1164 | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe | 27
  PID 1164 wrote to memory of 2016 | 1164 | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe | 27
  PID 1164 wrote to memory of 2016 | 1164 | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe | 27
  PID 1164 wrote to memory of 2016 | 1164 | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe | 27
  PID 1164 wrote to memory of 2016 | 1164 | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe | 27
  PID 1164 wrote to memory of 2016 | 1164 | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe | 27
  PID 1164 wrote to memory of 2016 | 1164 | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe | 27
  PID 1164 wrote to memory of 1884 | 1164 | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe | 28
  PID 1164 wrote to memory of 1884 | 1164 | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe | 28
  PID 1164 wrote to memory of 1884 | 1164 | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe | 28
  PID 1164 wrote to memory of 1884 | 1164 | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe | 28
  PID 1164 wrote to memory of 1884 | 1164 | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe | 28
  PID 1164 wrote to memory of 1884 | 1164 | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe | 28
  PID 1164 wrote to memory of 1884 | 1164 | 76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe (PID 1164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\76c9ea504ad7755830dea2cc444769c509fe85111ed23d93768883fe23b4a193.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Busa\Setup.exe (PID 2016)
    Command line: "C:\Program Files (x86)\Busa\Setup.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
  - C:\Program Files (x86)\Busa\SetupX.exe (PID 1884)
    Command line: "C:\Program Files (x86)\Busa\SetupX.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Downloads