Analysis
-
max time kernel
43s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
submitted
20-09-2022 15:37
Static task
static1
Behavioral task
behavioral1
Sample
51190e0dc5495766f83213fd34009af5.exe
Resource
win7-20220812-en
General
-
Target
51190e0dc5495766f83213fd34009af5.exe
-
Size
2.5MB
-
MD5
51190e0dc5495766f83213fd34009af5
-
SHA1
69d9b3995105cdfb7a86f3bbf9386ef214fb1290
-
SHA256
af0403b7c12d7b7fa9c487eb4a6e68705e9247abf7bc542f77168bd4ed3408fb
-
SHA512
fc5e535f3329e5042546b7f491a652152293bfeafedef2e06e0eba5706a16cc946c64f130d34879be6de6a740ae520fc65143910e29ab5bb3f48ffb63a8a5b28
-
SSDEEP
24576:YoqqcSy2wbUXoArd8SFErUYZ+uNrLFW5CPNWqo0N4IJpsqbMFGf0gAF0NPHyO034:CqcJdiq+WZdgGf6RuyVJi
Malware Config
Extracted
cryptbot
http://dixuip12.top/gate.php
-
payload_url
http://luedil01.top/bhutan.dat
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
DpEditor.exebhutan.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ DpEditor.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ bhutan.exe -
Executes dropped EXE 2 IoCs
Processes:
bhutan.exeDpEditor.exepid process 364 bhutan.exe 1120 DpEditor.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
bhutan.exeDpEditor.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion bhutan.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion bhutan.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DpEditor.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion DpEditor.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 468 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
cmd.exebhutan.exepid process 1460 cmd.exe 364 bhutan.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\AF34AFB69E0AD18E\bhutan.exe themida C:\Users\Admin\AppData\Roaming\AF34AFB69E0AD18E\bhutan.exe themida C:\Users\Admin\AppData\Roaming\AF34AFB69E0AD18E\bhutan.exe themida behavioral1/memory/364-66-0x0000000001140000-0x000000000182E000-memory.dmp themida behavioral1/memory/364-67-0x0000000001140000-0x000000000182E000-memory.dmp themida behavioral1/memory/364-68-0x0000000001140000-0x000000000182E000-memory.dmp themida behavioral1/memory/364-69-0x0000000001140000-0x000000000182E000-memory.dmp themida behavioral1/memory/364-71-0x0000000001140000-0x000000000182E000-memory.dmp themida \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe themida C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe themida behavioral1/memory/364-76-0x0000000001140000-0x000000000182E000-memory.dmp themida behavioral1/memory/1120-78-0x0000000000D50000-0x000000000143E000-memory.dmp themida behavioral1/memory/1120-79-0x0000000000D50000-0x000000000143E000-memory.dmp themida behavioral1/memory/1120-80-0x0000000000D50000-0x000000000143E000-memory.dmp themida behavioral1/memory/1120-81-0x0000000000D50000-0x000000000143E000-memory.dmp themida behavioral1/memory/1120-82-0x0000000000D50000-0x000000000143E000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
bhutan.exeDpEditor.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bhutan.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DpEditor.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
51190e0dc5495766f83213fd34009af5.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum 51190e0dc5495766f83213fd34009af5.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\ProductId 51190e0dc5495766f83213fd34009af5.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
bhutan.exeDpEditor.exepid process 364 bhutan.exe 1120 DpEditor.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
51190e0dc5495766f83213fd34009af5.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 51190e0dc5495766f83213fd34009af5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 51190e0dc5495766f83213fd34009af5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz 51190e0dc5495766f83213fd34009af5.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 336 timeout.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
DpEditor.exepid process 1120 DpEditor.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
51190e0dc5495766f83213fd34009af5.exebhutan.exeDpEditor.exepid process 1884 51190e0dc5495766f83213fd34009af5.exe 364 bhutan.exe 1120 DpEditor.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
51190e0dc5495766f83213fd34009af5.execmd.execmd.exebhutan.exedescription pid process target process PID 1884 wrote to memory of 1460 1884 51190e0dc5495766f83213fd34009af5.exe cmd.exe PID 1884 wrote to memory of 1460 1884 51190e0dc5495766f83213fd34009af5.exe cmd.exe PID 1884 wrote to memory of 1460 1884 51190e0dc5495766f83213fd34009af5.exe cmd.exe PID 1884 wrote to memory of 1460 1884 51190e0dc5495766f83213fd34009af5.exe cmd.exe PID 1884 wrote to memory of 468 1884 51190e0dc5495766f83213fd34009af5.exe cmd.exe PID 1884 wrote to memory of 468 1884 51190e0dc5495766f83213fd34009af5.exe cmd.exe PID 1884 wrote to memory of 468 1884 51190e0dc5495766f83213fd34009af5.exe cmd.exe PID 1884 wrote to memory of 468 1884 51190e0dc5495766f83213fd34009af5.exe cmd.exe PID 1460 wrote to memory of 364 1460 cmd.exe bhutan.exe PID 1460 wrote to memory of 364 1460 cmd.exe bhutan.exe PID 1460 wrote to memory of 364 1460 cmd.exe bhutan.exe PID 1460 wrote to memory of 364 1460 cmd.exe bhutan.exe PID 468 wrote to memory of 336 468 cmd.exe timeout.exe PID 468 wrote to memory of 336 468 cmd.exe timeout.exe PID 468 wrote to memory of 336 468 cmd.exe timeout.exe PID 468 wrote to memory of 336 468 cmd.exe timeout.exe PID 364 wrote to memory of 1120 364 bhutan.exe DpEditor.exe PID 364 wrote to memory of 1120 364 bhutan.exe DpEditor.exe PID 364 wrote to memory of 1120 364 bhutan.exe DpEditor.exe PID 364 wrote to memory of 1120 364 bhutan.exe DpEditor.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\51190e0dc5495766f83213fd34009af5.exe"C:\Users\Admin\AppData\Local\Temp\51190e0dc5495766f83213fd34009af5.exe"1⤵
- Maps connected drives based on registry
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\AF34AFB69E0AD18E\bhutan.exe2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Users\Admin\AppData\Roaming\AF34AFB69E0AD18E\bhutan.exeC:\Users\Admin\AppData\Roaming\AF34AFB69E0AD18E\bhutan.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:364 -
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:1120
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\51190e0dc5495766f83213fd34009af5.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\timeout.exetimeout -t 53⤵
- Delays execution with timeout.exe
PID:336
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD5d47d413547e7ce9bf6b452439f3866a6
SHA16a795e52652fabb79680c6e6469f18eb007547aa
SHA256ca1b9cf687917d780931d2c1b38fac9342167535bdd0ef96d1b8984efa4e0ff4
SHA51229561e52da7689c8c8c5e6a185d89f433663e478a7646de4d0c969097b931473570b8ecf27b42e185e7d7a7755ec7d80dfe585f40df748416bda1cc4c147836b
-
Filesize
2.7MB
MD5d47d413547e7ce9bf6b452439f3866a6
SHA16a795e52652fabb79680c6e6469f18eb007547aa
SHA256ca1b9cf687917d780931d2c1b38fac9342167535bdd0ef96d1b8984efa4e0ff4
SHA51229561e52da7689c8c8c5e6a185d89f433663e478a7646de4d0c969097b931473570b8ecf27b42e185e7d7a7755ec7d80dfe585f40df748416bda1cc4c147836b
-
Filesize
2.7MB
MD5d47d413547e7ce9bf6b452439f3866a6
SHA16a795e52652fabb79680c6e6469f18eb007547aa
SHA256ca1b9cf687917d780931d2c1b38fac9342167535bdd0ef96d1b8984efa4e0ff4
SHA51229561e52da7689c8c8c5e6a185d89f433663e478a7646de4d0c969097b931473570b8ecf27b42e185e7d7a7755ec7d80dfe585f40df748416bda1cc4c147836b
-
Filesize
2.7MB
MD5d47d413547e7ce9bf6b452439f3866a6
SHA16a795e52652fabb79680c6e6469f18eb007547aa
SHA256ca1b9cf687917d780931d2c1b38fac9342167535bdd0ef96d1b8984efa4e0ff4
SHA51229561e52da7689c8c8c5e6a185d89f433663e478a7646de4d0c969097b931473570b8ecf27b42e185e7d7a7755ec7d80dfe585f40df748416bda1cc4c147836b
-
Filesize
2.7MB
MD5d47d413547e7ce9bf6b452439f3866a6
SHA16a795e52652fabb79680c6e6469f18eb007547aa
SHA256ca1b9cf687917d780931d2c1b38fac9342167535bdd0ef96d1b8984efa4e0ff4
SHA51229561e52da7689c8c8c5e6a185d89f433663e478a7646de4d0c969097b931473570b8ecf27b42e185e7d7a7755ec7d80dfe585f40df748416bda1cc4c147836b