Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
08-07-2022 21:25
General
-
Target
401820b4dccc59b2d201143456aa3cd68c6baf3a64d9486838226884d5b95353.exe
-
Size
2.9MB
-
MD5
3f36796fa139f6d5011418bfad4bf706
-
SHA1
28a74adbc61b00135dfb97026d5d14bc6e02640e
-
SHA256
401820b4dccc59b2d201143456aa3cd68c6baf3a64d9486838226884d5b95353
-
SHA512
f21d94dbeabf9dce4f30a145dc39b3890beb63d7e399ffe27d3d07606ac881e769397d5ef78b6d94c8ec4ae564e4a3ddf71c9e875872e4eb0dc5c0753d65cad2
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 2 IoCs
-
Themida packer 8 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\401820b4dccc59b2d201143456aa3cd68c6baf3a64d9486838226884d5b95353.exe"C:\Users\Admin\AppData\Local\Temp\401820b4dccc59b2d201143456aa3cd68c6baf3a64d9486838226884d5b95353.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.io/EJIT3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1232 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
60KB
MD5589c442fc7a0c70dca927115a700d41e
SHA166a07dace3afbfd1aa07a47e6875beab62c4bb31
SHA2562e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a
SHA5121b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
340B
MD5c3ce1b32e43f126b09b7e4be6863a00c
SHA1955302044b7c74eb26d233e4d9482fc80722c8b3
SHA256b101b66563d33f6e745d6370c10131e13eced07325f5204ee7f6d7c4d0b5d7f4
SHA5125da33a425757e807b1c4b41d7fc6ef327979d62aaa6423b1dd119bdd8c8ead52a093c5260d6e360cf64a78b4b99f35fe407b8dfa74169f3a4e5733a20a3b9e8a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
242B
MD548af6a25e5bb4e64225e1bc7a03790b0
SHA1930f1a648623f97a256aaf88f45651135d2667b6
SHA256611a9ab42c9150006b201173f927af945b29d0f55255e18509e27b223d25a0df
SHA512cd21ea2125aed5ea61e51cb5fa55c26bb449f87fd23dc572fd7c8ef31c5bea8d9e45d295bdd80bbfb1a8f11a9e1c54489c0d8287f21e6ea0c5c03ad47bbfa03a
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ezmz917\imagestore.datFilesize
66KB
MD5d716f11e5478c4290db04bd6cf3d24f5
SHA1b973d1dcf9585fd4974c76a851e68e8b3b805da0
SHA256881b65502777c47f13bfb8bc036e044bd08520514811e054e05e95adc1cc07e7
SHA5125fa54fa6072ddd865a124e50ac1f44a946f1a280e4db9d9971ffbabdb9a612630cc4fe8220738ba5a7da57fa97808d95540ad5ee2374d11f3fe5fcf0e2c45dc7
-
C:\Users\Admin\AppData\Local\Temp\Electron.exeFilesize
3.9MB
MD5abb9bbcfedda4bdb764857f404f37270
SHA1df376fa1c76f3d812058c4d5ea35f84623c5ea0a
SHA2567b8680f0d9730378ccb3f6c7f8ec5d59b6206a25c059f97833f29dcf8d2a9849
SHA512cdfd2231c7721f8da161f3a4cbb368808b4321f3b25b7b332edf5192598335f722eebd3cef87751cd1958409c307f655878be6ea545efaeb5069e4f1be69a32d
-
C:\Users\Admin\AppData\Local\Temp\Electron.exeFilesize
3.9MB
MD5abb9bbcfedda4bdb764857f404f37270
SHA1df376fa1c76f3d812058c4d5ea35f84623c5ea0a
SHA2567b8680f0d9730378ccb3f6c7f8ec5d59b6206a25c059f97833f29dcf8d2a9849
SHA512cdfd2231c7721f8da161f3a4cbb368808b4321f3b25b7b332edf5192598335f722eebd3cef87751cd1958409c307f655878be6ea545efaeb5069e4f1be69a32d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\H9IQUKLA.txtFilesize
601B
MD546c75e5ed6bc5c61cb1a10009c322e6d
SHA13b4a9f8853bb658c139ce4472fdff6809f322f07
SHA256e16a1df5b62762588c8fe6f008b512b60966f80a3e405cf5eae9433407cf7fff
SHA512e7aa249543701f8b26c76908a322a4c368dbabe936735423c891b3f5397ef0142cd96ea71b13a6288e11ddfbec7c07f1ad48129dba157b678d58856b963efbed
-
\Users\Admin\AppData\Local\Temp\Electron.exeFilesize
3.9MB
MD5abb9bbcfedda4bdb764857f404f37270
SHA1df376fa1c76f3d812058c4d5ea35f84623c5ea0a
SHA2567b8680f0d9730378ccb3f6c7f8ec5d59b6206a25c059f97833f29dcf8d2a9849
SHA512cdfd2231c7721f8da161f3a4cbb368808b4321f3b25b7b332edf5192598335f722eebd3cef87751cd1958409c307f655878be6ea545efaeb5069e4f1be69a32d
-
\Users\Admin\AppData\Local\Temp\ScintillaNET\3.6.3\x86\SciLexer.dllFilesize
943KB
MD52ff7acfa80647ee46cc3c0e446327108
SHA1c994820d03af722c244b046d1ee0967f1b5bc478
SHA25608f0cbbc5162f236c37166772be2c9b8ffd465d32df17ea9d45626c4ed2c911d
SHA51250a9e20c5851d3a50f69651bc770885672ff4f97de32dfda55bf7488abd39a11e990525ec9152d250072acaad0c12a484155c31083d751668eb01addea5570cd
-
memory/332-69-0x0000000000390000-0x00000000009B2000-memory.dmpFilesize
6.1MB
-
memory/332-64-0x0000000000000000-mapping.dmp
-
memory/332-74-0x000000000DC80000-0x000000000DDD4000-memory.dmpFilesize
1.3MB
-
memory/332-73-0x0000000000C00000-0x0000000000CA0000-memory.dmpFilesize
640KB
-
memory/1624-67-0x0000000001190000-0x00000000019B8000-memory.dmpFilesize
8.2MB
-
memory/1624-68-0x0000000077010000-0x0000000077190000-memory.dmpFilesize
1.5MB
-
memory/1624-62-0x0000000001190000-0x00000000019B8000-memory.dmpFilesize
8.2MB
-
memory/1624-61-0x0000000001190000-0x00000000019B8000-memory.dmpFilesize
8.2MB
-
memory/1624-54-0x0000000075C71000-0x0000000075C73000-memory.dmpFilesize
8KB
-
memory/1624-58-0x0000000001190000-0x00000000019B8000-memory.dmpFilesize
8.2MB
-
memory/1624-60-0x0000000077010000-0x0000000077190000-memory.dmpFilesize
1.5MB
-
memory/1624-59-0x0000000001190000-0x00000000019B8000-memory.dmpFilesize
8.2MB
-
memory/1624-57-0x0000000001190000-0x00000000019B8000-memory.dmpFilesize
8.2MB
-
memory/1624-56-0x0000000001190000-0x00000000019B8000-memory.dmpFilesize
8.2MB
-
memory/1624-55-0x0000000001190000-0x00000000019B8000-memory.dmpFilesize
8.2MB