Analysis
-
max time kernel
95s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
submitted
20-09-2022 15:37
Static task
static1
Behavioral task
behavioral1
Sample
51190e0dc5495766f83213fd34009af5.exe
Resource
win7-20220812-en
General
-
Target
51190e0dc5495766f83213fd34009af5.exe
-
Size
2.5MB
-
MD5
51190e0dc5495766f83213fd34009af5
-
SHA1
69d9b3995105cdfb7a86f3bbf9386ef214fb1290
-
SHA256
af0403b7c12d7b7fa9c487eb4a6e68705e9247abf7bc542f77168bd4ed3408fb
-
SHA512
fc5e535f3329e5042546b7f491a652152293bfeafedef2e06e0eba5706a16cc946c64f130d34879be6de6a740ae520fc65143910e29ab5bb3f48ffb63a8a5b28
-
SSDEEP
24576:YoqqcSy2wbUXoArd8SFErUYZ+uNrLFW5CPNWqo0N4IJpsqbMFGf0gAF0NPHyO034:CqcJdiq+WZdgGf6RuyVJi
Malware Config
Extracted
cryptbot
http://dixuip12.top/gate.php
-
payload_url
http://luedil01.top/bhutan.dat
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ bhutan.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ DpEditor.exe -
Executes dropped EXE 2 IoCs
pid Process 1560 bhutan.exe 4332 DpEditor.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DpEditor.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion DpEditor.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion bhutan.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion bhutan.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation 51190e0dc5495766f83213fd34009af5.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x0007000000022f6e-139.dat themida behavioral2/files/0x0007000000022f6e-140.dat themida behavioral2/memory/1560-141-0x0000000000DA0000-0x000000000148E000-memory.dmp themida behavioral2/memory/1560-143-0x0000000000DA0000-0x000000000148E000-memory.dmp themida behavioral2/memory/1560-144-0x0000000000DA0000-0x000000000148E000-memory.dmp themida behavioral2/memory/1560-146-0x0000000000DA0000-0x000000000148E000-memory.dmp themida behavioral2/memory/1560-147-0x0000000000DA0000-0x000000000148E000-memory.dmp themida behavioral2/files/0x0007000000022f8c-150.dat themida behavioral2/files/0x0007000000022f8c-151.dat themida behavioral2/memory/1560-152-0x0000000000DA0000-0x000000000148E000-memory.dmp themida behavioral2/memory/4332-155-0x00000000003A0000-0x0000000000A8E000-memory.dmp themida behavioral2/memory/4332-156-0x00000000003A0000-0x0000000000A8E000-memory.dmp themida behavioral2/memory/4332-157-0x00000000003A0000-0x0000000000A8E000-memory.dmp themida behavioral2/memory/4332-158-0x00000000003A0000-0x0000000000A8E000-memory.dmp themida behavioral2/memory/4332-159-0x00000000003A0000-0x0000000000A8E000-memory.dmp themida behavioral2/memory/4332-161-0x00000000003A0000-0x0000000000A8E000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bhutan.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DpEditor.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum 51190e0dc5495766f83213fd34009af5.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\ProductId 51190e0dc5495766f83213fd34009af5.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 1560 bhutan.exe 4332 DpEditor.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 51190e0dc5495766f83213fd34009af5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 51190e0dc5495766f83213fd34009af5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz 51190e0dc5495766f83213fd34009af5.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4680 timeout.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4332 DpEditor.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 520 51190e0dc5495766f83213fd34009af5.exe 520 51190e0dc5495766f83213fd34009af5.exe 1560 bhutan.exe 1560 bhutan.exe 4332 DpEditor.exe 4332 DpEditor.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 520 wrote to memory of 312 520 51190e0dc5495766f83213fd34009af5.exe 84 PID 520 wrote to memory of 312 520 51190e0dc5495766f83213fd34009af5.exe 84 PID 520 wrote to memory of 312 520 51190e0dc5495766f83213fd34009af5.exe 84 PID 520 wrote to memory of 3016 520 51190e0dc5495766f83213fd34009af5.exe 86 PID 520 wrote to memory of 3016 520 51190e0dc5495766f83213fd34009af5.exe 86 PID 520 wrote to memory of 3016 520 51190e0dc5495766f83213fd34009af5.exe 86 PID 3016 wrote to memory of 4680 3016 cmd.exe 88 PID 3016 wrote to memory of 4680 3016 cmd.exe 88 PID 3016 wrote to memory of 4680 3016 cmd.exe 88 PID 312 wrote to memory of 1560 312 cmd.exe 89 PID 312 wrote to memory of 1560 312 cmd.exe 89 PID 312 wrote to memory of 1560 312 cmd.exe 89 PID 1560 wrote to memory of 4332 1560 bhutan.exe 93 PID 1560 wrote to memory of 4332 1560 bhutan.exe 93 PID 1560 wrote to memory of 4332 1560 bhutan.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\51190e0dc5495766f83213fd34009af5.exe"C:\Users\Admin\AppData\Local\Temp\51190e0dc5495766f83213fd34009af5.exe"1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:520 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\8EA9694A506A8239\bhutan.exe2⤵
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Users\Admin\AppData\Roaming\8EA9694A506A8239\bhutan.exeC:\Users\Admin\AppData\Roaming\8EA9694A506A8239\bhutan.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:4332
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\51190e0dc5495766f83213fd34009af5.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\timeout.exetimeout -t 53⤵
- Delays execution with timeout.exe
PID:4680
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD5d47d413547e7ce9bf6b452439f3866a6
SHA16a795e52652fabb79680c6e6469f18eb007547aa
SHA256ca1b9cf687917d780931d2c1b38fac9342167535bdd0ef96d1b8984efa4e0ff4
SHA51229561e52da7689c8c8c5e6a185d89f433663e478a7646de4d0c969097b931473570b8ecf27b42e185e7d7a7755ec7d80dfe585f40df748416bda1cc4c147836b
-
Filesize
2.7MB
MD5d47d413547e7ce9bf6b452439f3866a6
SHA16a795e52652fabb79680c6e6469f18eb007547aa
SHA256ca1b9cf687917d780931d2c1b38fac9342167535bdd0ef96d1b8984efa4e0ff4
SHA51229561e52da7689c8c8c5e6a185d89f433663e478a7646de4d0c969097b931473570b8ecf27b42e185e7d7a7755ec7d80dfe585f40df748416bda1cc4c147836b
-
Filesize
2.7MB
MD5d47d413547e7ce9bf6b452439f3866a6
SHA16a795e52652fabb79680c6e6469f18eb007547aa
SHA256ca1b9cf687917d780931d2c1b38fac9342167535bdd0ef96d1b8984efa4e0ff4
SHA51229561e52da7689c8c8c5e6a185d89f433663e478a7646de4d0c969097b931473570b8ecf27b42e185e7d7a7755ec7d80dfe585f40df748416bda1cc4c147836b
-
Filesize
2.7MB
MD5d47d413547e7ce9bf6b452439f3866a6
SHA16a795e52652fabb79680c6e6469f18eb007547aa
SHA256ca1b9cf687917d780931d2c1b38fac9342167535bdd0ef96d1b8984efa4e0ff4
SHA51229561e52da7689c8c8c5e6a185d89f433663e478a7646de4d0c969097b931473570b8ecf27b42e185e7d7a7755ec7d80dfe585f40df748416bda1cc4c147836b