Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 25/06/2022, 09:45
Static task: static1
Behavioral task: behavioral1
Sample: 686865bdb53d411324e68b0f9142778c09e5a68a0bb0399b4e715ab8effcaac8.exe
Resource: win7-20220414-en
General
Target: 686865bdb53d411324e68b0f9142778c09e5a68a0bb0399b4e715ab8effcaac8.exe
Size: 5.6MB
MD5: b7d25aa4393b4d7fe46b458546c58fe5
SHA1: fd395148fc1f4c15467e3b2d90c94bbcff8c656e
SHA256: 686865bdb53d411324e68b0f9142778c09e5a68a0bb0399b4e715ab8effcaac8
SHA512: 3d228f5303feeb5d13df2cfa46cd4e701e0d44a53c36c4b14f0cf9c08f1f1e454558c6419a048ac05970364885c4c79d7cfa7c828f93e83f8444ee1917f27c45
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)  [2 TTPs, 2 IoCs]
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | setup.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | lang.exe

Blocklisted process makes network request  [3 IoCs]
  flow | pid | Process
  4 | 4004 | CScript.exe
  6 | 4004 | CScript.exe
  8 | 4004 | CScript.exe

Executes dropped EXE  [3 IoCs]
  pid | Process
  1336 | setup.exe
  2364 | 7z1900-x64.exe
  2108 | lang.exe

Checks BIOS information in registry  [2 TTPs, 4 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | lang.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | lang.exe

Identifies Wine through registry keys  [2 TTPs, 2 IoCs]
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine | setup.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine | lang.exe

Loads dropped DLL  [2 IoCs]
  pid | Process
  1200 | 686865bdb53d411324e68b0f9142778c09e5a68a0bb0399b4e715ab8effcaac8.exe
  1200 | 686865bdb53d411324e68b0f9142778c09e5a68a0bb0399b4e715ab8effcaac8.exe

Reads user/profile data of web browsers  [2 TTPs]
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting  [2 TTPs]

Checks installed software on the system  [1 TTP]
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service  [1 IoC]
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  14 | ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger  [2 IoCs]
  pid | Process
  1336 | setup.exe
  2108 | lang.exe

Drops file in Program Files directory  [4 IoCs]
  description | ioc | Process
  File created | C:\Program Files (x86)\Krontal\for_win\setup.exe | 686865bdb53d411324e68b0f9142778c09e5a68a0bb0399b4e715ab8effcaac8.exe
  File created | C:\Program Files (x86)\Krontal\for_win\Two.vbs | 686865bdb53d411324e68b0f9142778c09e5a68a0bb0399b4e715ab8effcaac8.exe
  File created | C:\Program Files (x86)\Krontal\for_win\lang.exe | 686865bdb53d411324e68b0f9142778c09e5a68a0bb0399b4e715ab8effcaac8.exe
  File created | C:\Program Files (x86)\Krontal\for_win\7z1900-x64.exe | 686865bdb53d411324e68b0f9142778c09e5a68a0bb0399b4e715ab8effcaac8.exe

Enumerates physical storage devices  [1 TTP]
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry  [2 TTPs, 2 IoCs]
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | setup.exe

Suspicious behavior: EnumeratesProcesses  [4 IoCs]
  pid | Process
  1336 | setup.exe
  1336 | setup.exe
  2108 | lang.exe
  2108 | lang.exe

Suspicious use of FindShellTrayWindow  [12 IoCs]
  pid | Process
  1336 | setup.exe  (12 identical entries)

Suspicious use of WriteProcessMemory  [12 IoCs]
  description | pid | Process | procid_target
  PID 1200 wrote to memory of 1336 | 1200 | 686865bdb53d411324e68b0f9142778c09e5a68a0bb0399b4e715ab8effcaac8.exe | 81  (3 identical entries)
  PID 1200 wrote to memory of 4004 | 1200 | 686865bdb53d411324e68b0f9142778c09e5a68a0bb0399b4e715ab8effcaac8.exe | 82  (3 identical entries)
  PID 1200 wrote to memory of 2364 | 1200 | 686865bdb53d411324e68b0f9142778c09e5a68a0bb0399b4e715ab8effcaac8.exe | 84  (3 identical entries)
  PID 1200 wrote to memory of 2108 | 1200 | 686865bdb53d411324e68b0f9142778c09e5a68a0bb0399b4e715ab8effcaac8.exe | 85  (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\686865bdb53d411324e68b0f9142778c09e5a68a0bb0399b4e715ab8effcaac8.exe  (PID 1200, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\686865bdb53d411324e68b0f9142778c09e5a68a0bb0399b4e715ab8effcaac8.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  Child processes (level 2):

  C:\Program Files (x86)\Krontal\for_win\setup.exe  (PID 1336)
    Command line: "C:\Program Files (x86)\Krontal\for_win\setup.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow

  C:\Windows\SysWOW64\CScript.exe  (PID 4004)
    Command line: "C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Krontal\for_win\Two.vbs" //e:vbscript //B //NOLOGO
    - Blocklisted process makes network request

  C:\Program Files (x86)\Krontal\for_win\7z1900-x64.exe  (PID 2364)
    Command line: "C:\Program Files (x86)\Krontal\for_win\7z1900-x64.exe"
    - Executes dropped EXE

  C:\Program Files (x86)\Krontal\for_win\lang.exe  (PID 2108)
    Command line: "C:\Program Files (x86)\Krontal\for_win\lang.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1.4MB
MD5: d7b20f933be6cdae41efbe75548eba5f
SHA1: 9fa11a63b43f83980e0b48dc9ba2cb59d545a4e8
SHA256: 0f5d4dbbe5e55b7aa31b91e5925ed901fdf46a367491d81381846f05ad54c45e
SHA512: af8f38679e16c996ffac152cac49369cf4b609abbd2cad07f49a114a82c6b5e564be29630c0fd2418110cf1a3d0ef3c9cc12f9164a69a575c91d9b98ce0df1a9

Filesize: 120B
MD5: dce4476454d12f8906cfa1db72722e2d
SHA1: 4437a74ae0fcf7a4a636c04b7c0b80880871816a
SHA256: 53908a91a2c298fcfd2cd278d4e273ecd55a3b5c81f10775307352aca5e211e8
SHA512: 5a13b419813e768be03069332d3f655609221391b7faab5ed8c90ea57a7a26861ed0b5a256619ce9b8e62579e9e3ef9b0e8a37d6a688cb3795c62ea8cd55786f

Filesize: 2.1MB
MD5: 3e81339d8ba9eef1da63fa9f70947ef8
SHA1: 02b369df2fed69a810737125e232faced0b1961e
SHA256: a15eb140a5b7a7d6293764941095d91416347bc4fbe4d88dfa135e8796f7b930
SHA512: ee9225c0fd6edba92829357038e7fb5e246416e8e7d7424d8010c742a480c4adf2fb4ca8041a26809468f64efcd8f7adafea795afd8deb36288c198c9358f012

Filesize: 2.1MB
MD5: e02665c346be06a879290d963e924174
SHA1: f9ca2876a0ea298d6c745fca7887d4bbb4284dd8
SHA256: 2df20e3b1de29cd7dc70019017592b353a2e087766294ae051a8cbd0c5428ae8
SHA512: 782b39a831eeb9989655560a28e41b573a3a94beab223a5c1933ac39d427cad964648aef0ee3c770bf5ced96e775f950cb6055b67850436ac7a058ce6db86c9c

Filesize: 2.1MB
MD5: e02665c346be06a879290d963e924174
SHA1: f9ca2876a0ea298d6c745fca7887d4bbb4284dd8
SHA256: 2df20e3b1de29cd7dc70019017592b353a2e087766294ae051a8cbd0c5428ae8
SHA512: 782b39a831eeb9989655560a28e41b573a3a94beab223a5c1933ac39d427cad964648aef0ee3c770bf5ced96e775f950cb6055b67850436ac7a058ce6db86c9c

Filesize: 14KB
MD5: adb29e6b186daa765dc750128649b63d
SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Filesize: 6KB
MD5: 132e6153717a7f9710dcea4536f364cd
SHA1: e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256: d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512: 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1