Analysis
max time kernel: 180s
max time network: 194s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25/06/2022, 09:47
Static task: static1
Behavioral task: behavioral1
Sample: 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe
Resource: win7-20220414-en
General
Target: 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe
Size: 4.3MB
MD5: c31ce115e24879d104584b8f6550f3a7
SHA1: 410f23d51ee44ef4aede2343a175baf3f731b3da
SHA256: 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c
SHA512: f182e51290eb7f7e10e55df1c36c8d81852352c3998bdc66241dfa8386c119d0513dc7949d7ab5d0bc73d889c00fb21cc475aa29829e174b6a9d18e33d6965b2
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Setup.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | osn.exe

Blocklisted process makes network request 4 IoCs
flow | pid | Process
5 | 1704 | CScript.exe
6 | 1704 | CScript.exe
7 | 1704 | CScript.exe
8 | 1704 | CScript.exe

Executes dropped EXE 2 IoCs
pid | Process
1836 | Setup.exe
1412 | osn.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Setup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Setup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | osn.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | osn.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Wine | Setup.exe
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Wine | osn.exe

Loads dropped DLL 8 IoCs
pid | Process
2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe
2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe
2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe
1836 | Setup.exe
1836 | Setup.exe
2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe
1412 | osn.exe
1412 | osn.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
11 | ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
1836 | Setup.exe
1412 | osn.exe

Drops file in Program Files directory 6 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Der\Supr\config.model.xml | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe
File created | C:\Program Files (x86)\Der\Supr\shortcuts.xml | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe
File created | C:\Program Files (x86)\Der\Supr\NppShell_06.dll | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe
File created | C:\Program Files (x86)\Der\Supr\osn.exe | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe
File created | C:\Program Files (x86)\Der\Supr\Setup.exe | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe
File created | C:\Program Files (x86)\Der\Supr\Two.vbs | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Setup.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Setup.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1836 | Setup.exe
1412 | osn.exe

Suspicious use of FindShellTrayWindow 12 IoCs
pid | Process
1836 | Setup.exe
1836 | Setup.exe
1836 | Setup.exe
1836 | Setup.exe
1836 | Setup.exe
1836 | Setup.exe
1836 | Setup.exe
1836 | Setup.exe
1836 | Setup.exe
1836 | Setup.exe
1836 | Setup.exe
1836 | Setup.exe

Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 2004 wrote to memory of 1836 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 27
PID 2004 wrote to memory of 1836 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 27
PID 2004 wrote to memory of 1836 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 27
PID 2004 wrote to memory of 1836 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 27
PID 2004 wrote to memory of 1836 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 27
PID 2004 wrote to memory of 1836 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 27
PID 2004 wrote to memory of 1836 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 27
PID 2004 wrote to memory of 1704 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 28
PID 2004 wrote to memory of 1704 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 28
PID 2004 wrote to memory of 1704 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 28
PID 2004 wrote to memory of 1704 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 28
PID 2004 wrote to memory of 1704 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 28
PID 2004 wrote to memory of 1704 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 28
PID 2004 wrote to memory of 1704 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 28
PID 2004 wrote to memory of 1412 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 32
PID 2004 wrote to memory of 1412 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 32
PID 2004 wrote to memory of 1412 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 32
PID 2004 wrote to memory of 1412 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 32
PID 2004 wrote to memory of 1412 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 32
PID 2004 wrote to memory of 1412 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 32
PID 2004 wrote to memory of 1412 | 2004 | 506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe | 32
Processes

C:\Users\Admin\AppData\Local\Temp\506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe
"C:\Users\Admin\AppData\Local\Temp\506a4853f982fc68041318fe8178eaf69035062a071319c9b23ba1194653949c.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID: 2004

  C:\Program Files (x86)\Der\Supr\Setup.exe
  "C:\Program Files (x86)\Der\Supr\Setup.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID: 1836

  C:\Windows\SysWOW64\CScript.exe
  "C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Der\Supr\Two.vbs" //e:vbscript //B //NOLOGO
  - Blocklisted process makes network request
  PID: 1704

  C:\Program Files (x86)\Der\Supr\osn.exe
  "C:\Program Files (x86)\Der\Supr\osn.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 1412
Network
MITRE ATT&CK Enterprise v6
Downloads