Analysis
- max time kernel: 150s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220414-es
- submitted: 29-06-2022 16:32
- Static task: static1
- Behavioral task: behavioral1 (Sample: aspack.dll, Resource: win7-20220414-es)
- Behavioral task: behavioral2 (Sample: aspack.dll, Resource: win10v2004-20220414-es)
- Behavioral task: behavioral3 (Sample: fat-0455056058.exe, Resource: win7-20220414-es)
- Behavioral task: behavioral4 (Sample: fat-0455056058.exe, Resource: win10v2004-20220414-es)
General
- Target: fat-0455056058.exe
- Size: 557KB
- MD5: e33bcdd61d70a1961df2c6d7f0c18351
- SHA1: 958ff5402b7e05be694b00bb760f124b79fe0c7d
- SHA256: b1aad17f65fbdb5fb75e13a00bd3b1db6e5168f8e4419e57b13fb34dc48c4ba4
- SHA512: d4bb02140173417986d559b7ab96b3388478a4494ce652ac01e6a84297f86d772408aa6591ace45e75cce589298ee3a9a7864624a25a0cbd7d1ced197bd4946b
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Process: fat-0455056058.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (fat-0455056058.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Process: fat-0455056058.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (fat-0455056058.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (fat-0455056058.exe)
- Drops startup file (2 IoCs)
  Process: fat-0455056058.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.lnk (fat-0455056058.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adminfypvybakcd.vbs (fat-0455056058.exe)
- YARA rule matches (rule: themida)
  - behavioral3/memory/112-56-0x0000000000550000-0x000000000307E000-memory.dmp
  - behavioral3/memory/112-57-0x0000000000550000-0x000000000307E000-memory.dmp
  - behavioral3/memory/112-58-0x0000000000550000-0x000000000307E000-memory.dmp
  - behavioral3/memory/112-59-0x0000000000550000-0x000000000307E000-memory.dmp
  - behavioral3/memory/112-60-0x0000000000550000-0x000000000307E000-memory.dmp
  - behavioral3/memory/112-61-0x0000000000550000-0x000000000307E000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: fat-0455056058.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\fat-0455056058.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fat-0455056058.exe" (fat-0455056058.exe)
- Checks whether UAC is enabled
  Process: fat-0455056058.exe
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (fat-0455056058.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Process: pid 112, fat-0455056058.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: pid 112, fat-0455056058.exe (64 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\fat-0455056058.exe "C:\Users\Admin\AppData\Local\Temp\fat-0455056058.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Drops startup file
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/112-54-0x00000000759D1000-0x00000000759D3000-memory.dmp (Filesize: 8KB)
- memory/112-55-0x0000000077320000-0x00000000774A0000-memory.dmp (Filesize: 1.5MB)
- memory/112-56-0x0000000000550000-0x000000000307E000-memory.dmp (Filesize: 43.2MB)
- memory/112-57-0x0000000000550000-0x000000000307E000-memory.dmp (Filesize: 43.2MB)
- memory/112-58-0x0000000000550000-0x000000000307E000-memory.dmp (Filesize: 43.2MB)
- memory/112-59-0x0000000000550000-0x000000000307E000-memory.dmp (Filesize: 43.2MB)
- memory/112-60-0x0000000000550000-0x000000000307E000-memory.dmp (Filesize: 43.2MB)
- memory/112-61-0x0000000000550000-0x000000000307E000-memory.dmp (Filesize: 43.2MB)
- memory/112-62-0x0000000077320000-0x00000000774A0000-memory.dmp (Filesize: 1.5MB)