Analysis
- max time kernel: 151s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-es
- submitted: 29-06-2022 16:32
Static task: static1
Behavioral task: behavioral1 (Sample: aspack.dll; Resource: win7-20220414-es)
Behavioral task: behavioral2 (Sample: aspack.dll; Resource: win10v2004-20220414-es)
Behavioral task: behavioral3 (Sample: fat-0455056058.exe; Resource: win7-20220414-es)
Behavioral task: behavioral4 (Sample: fat-0455056058.exe; Resource: win10v2004-20220414-es)
General
- Target: fat-0455056058.exe
- Size: 557KB
- MD5: e33bcdd61d70a1961df2c6d7f0c18351
- SHA1: 958ff5402b7e05be694b00bb760f124b79fe0c7d
- SHA256: b1aad17f65fbdb5fb75e13a00bd3b1db6e5168f8e4419e57b13fb34dc48c4ba4
- SHA512: d4bb02140173417986d559b7ab96b3388478a4494ce652ac01e6a84297f86d772408aa6591ace45e75cce589298ee3a9a7864624a25a0cbd7d1ced197bd4946b
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (fat-0455056058.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (fat-0455056058.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (fat-0455056058.exe)
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.lnk (fat-0455056058.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adminriapgxgclw.vbs (fat-0455056058.exe)
- YARA rule matches (resource / yara_rule):
  behavioral4/memory/2296-131-0x0000000000AF0000-0x000000000361E000-memory.dmp: themida
  behavioral4/memory/2296-133-0x0000000000AF0000-0x000000000361E000-memory.dmp: themida
  behavioral4/memory/2296-134-0x0000000000AF0000-0x000000000361E000-memory.dmp: themida
  behavioral4/memory/2296-135-0x0000000000AF0000-0x000000000361E000-memory.dmp: themida
  behavioral4/memory/2296-136-0x0000000000AF0000-0x000000000361E000-memory.dmp: themida
  behavioral4/memory/2296-137-0x0000000000AF0000-0x000000000361E000-memory.dmp: themida
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fat-0455056058.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fat-0455056058.exe" (fat-0455056058.exe)
- Checks whether UAC is enabled
  Processes (description / ioc / process):
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (fat-0455056058.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid / process):
  2296 fat-0455056058.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
  2296 fat-0455056058.exe (64 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\fat-0455056058.exe "C:\Users\Admin\AppData\Local\Temp\fat-0455056058.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2296-130-0x0000000000400000-0x0000000000544000-memory.dmp (Filesize 1.3MB)
- memory/2296-132-0x0000000077530000-0x00000000776D3000-memory.dmp (Filesize 1.6MB)
- memory/2296-131-0x0000000000AF0000-0x000000000361E000-memory.dmp (Filesize 43.2MB)
- memory/2296-133-0x0000000000AF0000-0x000000000361E000-memory.dmp (Filesize 43.2MB)
- memory/2296-134-0x0000000000AF0000-0x000000000361E000-memory.dmp (Filesize 43.2MB)
- memory/2296-135-0x0000000000AF0000-0x000000000361E000-memory.dmp (Filesize 43.2MB)
- memory/2296-136-0x0000000000AF0000-0x000000000361E000-memory.dmp (Filesize 43.2MB)
- memory/2296-137-0x0000000000AF0000-0x000000000361E000-memory.dmp (Filesize 43.2MB)
- memory/2296-138-0x0000000077530000-0x00000000776D3000-memory.dmp (Filesize 1.6MB)