Overview

overview

10

Static

static

a3736e8036...1e.exe

windows7_x64

10

a3736e8036...1e.exe

windows10-2004_x64

9

Analysis

  • max time kernel
    149s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01-07-2022 03:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a3736e8036b25f3b0da484b06b57d0081f2d1ff76c51d805743d28cb8e9fd71e.exe

  • Size

    8.5MB

  • MD5

    3c64e67e668e97022a0e312a4e25124c

  • SHA1

    73e851f280090cf099cea3b21318bcc45b9df52d

  • SHA256

    a3736e8036b25f3b0da484b06b57d0081f2d1ff76c51d805743d28cb8e9fd71e

  • SHA512

    b57fd475215196fd678cd9fe74138e9c418378bc33db8a329f0bc4fb7b3bcdde5f6e5094f3a5d0eca18a81fe8c9c4379489c6ec7500d0a51f9fe7d60175e878b

Score
9/10
evasion

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 52 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3736e8036b25f3b0da484b06b57d0081f2d1ff76c51d805743d28cb8e9fd71e.exe
    "C:\Users\Admin\AppData\Local\Temp\a3736e8036b25f3b0da484b06b57d0081f2d1ff76c51d805743d28cb8e9fd71e.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3356
    • C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\vpnpro.exe
      "C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\vpnpro.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\vpnpro.exe
    Filesize

    2.0MB

    MD5

    b3847e3b1906fedcfa724557a17743d2

    SHA1

    6c227db04f629c5f7d7d896747608fc366544ad0

    SHA256

    d7eef1c0546d720665339224eef5a9477fdf936d0ba747395abc008890f811a7

    SHA512

    a5da7385143ebf5d592b0cce7f6da891d755b826897046cc03a6e8ca3a78cca5e72556e8792e86ed3cb0a379cabefcf608706de49a4011dae17a5834a361ad44

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsu6F0B.tmp\UAC.dll
    Filesize

    14KB

    MD5

    adb29e6b186daa765dc750128649b63d

    SHA1

    160cbdc4cb0ac2c142d361df138c537aa7e708c9

    SHA256

    2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

    SHA512

    b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

    Download Submit
  • memory/1920-131-0x0000000000000000-mapping.dmp
    Download
  • memory/1920-133-0x0000000000400000-0x000000000090C000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1920-135-0x0000000077AC0000-0x0000000077C63000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1920-134-0x0000000000400000-0x000000000090C000-memory.dmp
    Filesize

    5.0MB

    Download