Analysis
-
max time kernel
41s -
max time network
105s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system -
submitted
02-08-2022 12:53
Behavioral task
behavioral1
Sample
e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe
Resource
win7-20220718-en
General
-
Target
e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe
-
Size
5.7MB
-
MD5
840a3679e1935d3cae1e5eff9ba0ccee
-
SHA1
349d7eb53e524c3512c9b75fdd28f2dd3aa22af6
-
SHA256
e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c
-
SHA512
6ce353a6f5c089916e3c2d9587055b9161b282da9cf71be402d3476959632df1945b11ce5113a13521f179b56f9448308edae2e88c0754736a2275b82303b584
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe -
Loads dropped DLL 2 IoCs
Processes:
e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exepid process 1332 e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe 1332 e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe -
Processes:
resource yara_rule behavioral1/memory/1332-55-0x0000000000400000-0x0000000000A13000-memory.dmp themida behavioral1/memory/1332-56-0x0000000000400000-0x0000000000A13000-memory.dmp themida behavioral1/memory/1332-58-0x0000000000400000-0x0000000000A13000-memory.dmp themida behavioral1/memory/1332-60-0x0000000000400000-0x0000000000A13000-memory.dmp themida behavioral1/memory/1332-61-0x0000000000400000-0x0000000000A13000-memory.dmp themida -
Processes:
e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe"C:\Users\Admin\AppData\Local\Temp\e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nstFA0A.tmp\INetC.dllFilesize
25KB
MD540d7eca32b2f4d29db98715dd45bfac5
SHA1124df3f617f562e46095776454e1c0c7bb791cc7
SHA25685e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA5125fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d
-
\Users\Admin\AppData\Local\Temp\nstFA0A.tmp\xml.dllFilesize
1.4MB
MD5344a3eccd7312bf880de26de35548cdf
SHA15b32e373e2471f9cda003ef6bdb797a6145984eb
SHA256b86f5d992123abdc592cc9f7703aeaaefd73e7d977899647453b8d203e1ac1bc
SHA512c8c3c100eb0b1daa830328ab54d56c295373ef0866bcec4b799a101e280fabac5779c9356d56baa80986ccb74581cfb9116828895efb7cfff115edea291e69bc
-
memory/1332-54-0x00000000756B1000-0x00000000756B3000-memory.dmpFilesize
8KB
-
memory/1332-55-0x0000000000400000-0x0000000000A13000-memory.dmpFilesize
6.1MB
-
memory/1332-56-0x0000000000400000-0x0000000000A13000-memory.dmpFilesize
6.1MB
-
memory/1332-58-0x0000000000400000-0x0000000000A13000-memory.dmpFilesize
6.1MB
-
memory/1332-60-0x0000000000400000-0x0000000000A13000-memory.dmpFilesize
6.1MB
-
memory/1332-61-0x0000000000400000-0x0000000000A13000-memory.dmpFilesize
6.1MB