Analysis
-
max time kernel
152s -
max time network
174s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
08-07-2022 21:25
General
-
Target
401820b4dccc59b2d201143456aa3cd68c6baf3a64d9486838226884d5b95353.exe
-
Size
2.9MB
-
MD5
3f36796fa139f6d5011418bfad4bf706
-
SHA1
28a74adbc61b00135dfb97026d5d14bc6e02640e
-
SHA256
401820b4dccc59b2d201143456aa3cd68c6baf3a64d9486838226884d5b95353
-
SHA512
f21d94dbeabf9dce4f30a145dc39b3890beb63d7e399ffe27d3d07606ac881e769397d5ef78b6d94c8ec4ae564e4a3ddf71c9e875872e4eb0dc5c0753d65cad2
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Themida packer 12 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\401820b4dccc59b2d201143456aa3cd68c6baf3a64d9486838226884d5b95353.exe"C:\Users\Admin\AppData\Local\Temp\401820b4dccc59b2d201143456aa3cd68c6baf3a64d9486838226884d5b95353.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Electron.exeFilesize
8.1MB
MD52615188ba622b1d6f33c1214f7cf239b
SHA1b2d5d8058017a8102ddd01936b2ca5e8f79cf31e
SHA25677ec29684b288410406f713f984a5f1c7ccacf5e223b9ff4ede43f8f1387d091
SHA5126fe972326e0fc13d9249f3287ff43b59a0e189d64ce7d37441f3988207b0cf967a88bd962e9336ef51cbb562b08ff696b9b6df2813600d6f2f99cb2e0495ef4c
-
C:\Users\Admin\AppData\Local\Temp\Electron.exeFilesize
8.1MB
MD52615188ba622b1d6f33c1214f7cf239b
SHA1b2d5d8058017a8102ddd01936b2ca5e8f79cf31e
SHA25677ec29684b288410406f713f984a5f1c7ccacf5e223b9ff4ede43f8f1387d091
SHA5126fe972326e0fc13d9249f3287ff43b59a0e189d64ce7d37441f3988207b0cf967a88bd962e9336ef51cbb562b08ff696b9b6df2813600d6f2f99cb2e0495ef4c
-
memory/2700-152-0x0000000077310000-0x00000000774B3000-memory.dmpFilesize
1.6MB
-
memory/2700-139-0x0000000000000000-mapping.dmp
-
memory/2700-162-0x00000000076A0000-0x00000000076BC000-memory.dmpFilesize
112KB
-
memory/2700-161-0x00000000078E0000-0x00000000080B2000-memory.dmpFilesize
7.8MB
-
memory/2700-159-0x00000000068A0000-0x000000000693E000-memory.dmpFilesize
632KB
-
memory/2700-154-0x0000000010000000-0x00000000100B0000-memory.dmpFilesize
704KB
-
memory/2700-149-0x00000000002A0000-0x00000000018CE000-memory.dmpFilesize
22.2MB
-
memory/2700-163-0x000000000D920000-0x000000000D958000-memory.dmpFilesize
224KB
-
memory/2700-164-0x000000000D8F0000-0x000000000D8FE000-memory.dmpFilesize
56KB
-
memory/2700-165-0x000000000DF90000-0x000000000E534000-memory.dmpFilesize
5.6MB
-
memory/2700-151-0x00000000002A0000-0x00000000018CE000-memory.dmpFilesize
22.2MB
-
memory/2700-150-0x00000000002A0000-0x00000000018CE000-memory.dmpFilesize
22.2MB
-
memory/2700-144-0x00000000002A0000-0x00000000018CE000-memory.dmpFilesize
22.2MB
-
memory/2700-145-0x0000000077310000-0x00000000774B3000-memory.dmpFilesize
1.6MB
-
memory/3236-136-0x0000000000DC0000-0x00000000015E8000-memory.dmpFilesize
8.2MB
-
memory/3236-143-0x0000000077310000-0x00000000774B3000-memory.dmpFilesize
1.6MB
-
memory/3236-142-0x0000000000DC0000-0x00000000015E8000-memory.dmpFilesize
8.2MB
-
memory/3236-138-0x0000000077310000-0x00000000774B3000-memory.dmpFilesize
1.6MB
-
memory/3236-137-0x0000000000DC0000-0x00000000015E8000-memory.dmpFilesize
8.2MB
-
memory/3236-130-0x0000000000DC0000-0x00000000015E8000-memory.dmpFilesize
8.2MB
-
memory/3236-135-0x0000000077310000-0x00000000774B3000-memory.dmpFilesize
1.6MB
-
memory/3236-134-0x0000000000DC0000-0x00000000015E8000-memory.dmpFilesize
8.2MB
-
memory/3236-133-0x0000000000DC0000-0x00000000015E8000-memory.dmpFilesize
8.2MB
-
memory/3236-132-0x0000000000DC0000-0x00000000015E8000-memory.dmpFilesize
8.2MB
-
memory/3236-131-0x0000000000DC0000-0x00000000015E8000-memory.dmpFilesize
8.2MB