Analysis
-
max time kernel
152s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
01-07-2022 03:11
General
-
Target
d7782e08a3b44b4ef4610f7833c96b1df8f67de10cf2cb09d55b7685751a898f.exe
-
Size
2.1MB
-
MD5
71d88d948dbbdef44e4cdc018dbfdfaa
-
SHA1
66d413da43d8328b37251bda200e57f93287f9f8
-
SHA256
d7782e08a3b44b4ef4610f7833c96b1df8f67de10cf2cb09d55b7685751a898f
-
SHA512
0ae41e50b8f45504b57967295e1637d08570203286f59b86ff6ea54686dc5ec50765a5005b0bd35701e6a3ab8cf836582aef7f74868232161509983de84f1419
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7782e08a3b44b4ef4610f7833c96b1df8f67de10cf2cb09d55b7685751a898f.exe"C:\Users\Admin\AppData\Local\Temp\d7782e08a3b44b4ef4610f7833c96b1df8f67de10cf2cb09d55b7685751a898f.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Cess\Pub1.exe"C:\Program Files (x86)\Cess\Pub1.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Cess\Pub1.exeFilesize
2.2MB
MD59cf1213de4557dfe29bce1c7f597afa2
SHA186f6898cd6561be8f499e375c78920f7f39d61ee
SHA2560dae26cde7e6fe48ee85c4ac2b70965bf1492524825326fba7acf2b11c452c39
SHA51231c173f013f723c642041b1ecd22a5109ca05495d5d6adfc1f7e3d9297ad9739488ac711acb9a5bb28b3dd7a29ab8916ffa9c160bdef8fc8e452950857b8d0df
-
C:\Users\Admin\AppData\Local\Temp\nsn5DA6.tmp\UAC.dllFilesize
14KB
MD5adb29e6b186daa765dc750128649b63d
SHA1160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA2562f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
memory/4320-131-0x0000000000000000-mapping.dmp
-
memory/4320-133-0x0000000000400000-0x000000000095D000-memory.dmpFilesize
5.4MB
-
memory/4320-134-0x0000000000400000-0x000000000095D000-memory.dmpFilesize
5.4MB
-
memory/4320-135-0x00000000770A0000-0x0000000077243000-memory.dmpFilesize
1.6MB
-
memory/4320-136-0x0000000000400000-0x000000000095D000-memory.dmpFilesize
5.4MB
-
memory/4320-137-0x00000000770A0000-0x0000000077243000-memory.dmpFilesize
1.6MB
-
memory/4320-138-0x0000000000400000-0x000000000095D000-memory.dmpFilesize
5.4MB