Analysis
max time kernel: 130s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-09-2022 15:30

Behavioral task
behavioral1
Sample: a4ee9f4729596748dec32a90e27547c0.exe
Resource: win7-20220812-en
Note: the behavioral1 entry is the Windows 7 run of the same sample; the signatures, process tree and memory dumps below are labelled behavioral2 and belong to the Windows 10 platform listed under Analysis.
General
Target: a4ee9f4729596748dec32a90e27547c0.exe
Size: 6.1MB
MD5: a4ee9f4729596748dec32a90e27547c0
SHA1: d8bf8f8e877babd4ee74a63a02e866b8f5e7fd6f
SHA256: 250e065988da19ed97e3a9ea5c185059688fbe3c9c240f207dc518377ec53ef9
SHA512: a09a930fed406e2affdbddc725a48405032a02ef877d1c8a3fe50e9344339955b5b4511c6107e430a13e2d2cbd5c7eb636c9e729f6232c9e6f9fa9b2f3e59631
SSDEEP: 98304:+Mu3f/jr6blqCtAZhO0oNtHjgKPUbzSTcLYUkwf8M2m51AjLrLrQ/J:+Vf/v6bl3tNXtoQcLs/M2mDAjPLA
Malware Config
Extracted family: systembc
C2:
89.22.225.242:4193
195.2.93.22:4193
SystemBC is a SOCKS proxy/backdoor rather than an encryptor; both C2 endpoints share the non-standard port 4193, which together with the two addresses is the most durable network indicator in this report.
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)   2 TTPs   2 IoCs
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   a4ee9f4729596748dec32a90e27547c0.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   DllResource.exe

Executes dropped EXE   1 IoCs
  PID 1040   DllResource.exe

Checks BIOS information in registry   2 TTPs   4 IoCs
BIOS information is often read in order to detect sandboxing environments.
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   a4ee9f4729596748dec32a90e27547c0.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    a4ee9f4729596748dec32a90e27547c0.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   DllResource.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    DllResource.exe

Checks computer location settings   2 TTPs   1 IoCs
Looks up country code configured in the registry, likely geofence.
  Key value queried   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation   a4ee9f4729596748dec32a90e27547c0.exe

Themida packer (yara rule: themida)   7 IoCs
  behavioral2/memory/4420-132-0x0000000000400000-0x0000000001022000-memory.dmp
  behavioral2/memory/4420-136-0x0000000000400000-0x0000000001022000-memory.dmp
  C:\Users\Admin\TypeRes\DllResource.exe
  C:\Users\Admin\TypeRes\DllResource.exe
  behavioral2/memory/1040-144-0x0000000000400000-0x0000000001022000-memory.dmp
  behavioral2/memory/4420-147-0x0000000000400000-0x0000000001022000-memory.dmp
  behavioral2/memory/1040-153-0x0000000000400000-0x0000000001022000-memory.dmp
The rule hits the 0x0000000000400000-0x0000000001022000 image region of both PID 4420 and PID 1040 as well as the dropped file on disk: the dropped copy is the same Themida-protected executable as the parent.

Checks whether UAC is enabled   2 IoCs
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   a4ee9f4729596748dec32a90e27547c0.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   DllResource.exe

Suspicious use of NtSetInformationThreadHideFromDebugger   2 IoCs
  PID 4420   a4ee9f4729596748dec32a90e27547c0.exe
  PID 1040   DllResource.exe
ThreadHideFromDebugger stops a debugger from receiving events for the calling thread; it is a standard anti-debugging measure in protectors such as Themida, so it is expected here rather than a separate finding.

Enumerates physical storage devices   1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the signature's generic description: no process in the tree below carries the tag, and the extracted config classifies the sample as SystemBC, a proxy/backdoor that is deployed alongside ransomware rather than an encryptor itself.

Creates scheduled task(s)   1 TTPs   1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Runs ping.exe   1 TTPs   1 IoCs

Suspicious behavior: EnumeratesProcesses   24 IoCs
  PID 4420   a4ee9f4729596748dec32a90e27547c0.exe   (12 events)
  PID 1040   DllResource.exe   (12 events)

Suspicious use of WriteProcessMemory   15 IoCs
  PID 4420 (a4ee9f4729596748dec32a90e27547c0.exe)   wrote to   PID 4592 (schtasks.exe)     x3
  PID 4420 (a4ee9f4729596748dec32a90e27547c0.exe)   wrote to   PID 1040 (DllResource.exe)  x3
  PID 4420 (a4ee9f4729596748dec32a90e27547c0.exe)   wrote to   PID 1596 (cmd.exe)          x3
  PID 1596 (cmd.exe)                                wrote to   PID 3300 (chcp.com)         x3
  PID 1596 (cmd.exe)                                wrote to   PID 4544 (PING.EXE)         x3
Every target is a direct child of the writer in the process tree below, so this pattern is consistent with ordinary child-process creation rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\a4ee9f4729596748dec32a90e27547c0.exe   (PID 4420)
  command line: "C:\Users\Admin\AppData\Local\Temp\a4ee9f4729596748dec32a90e27547c0.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe   (PID 4592, child of 4420)
    command line: "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\TypeRes\DllResource.exe"
    - Creates scheduled task(s)
    Persistence: the dropped copy is started at every logon (/sc onlogon) with the highest run level requested (/rl highest; whether that yields an elevated task depends on the creating process's own token, which is what the EnableLUA query feeds into). The task name imitates the legitimate COM Surrogate (dllhost.exe); a task named COMSurrogate whose action points into C:\Users\ is a reliable hunting pivot. The image path is SysWOW64 while the command line says system32: the 32-bit parent went through WoW64 file-system redirection, matching the arch:x86 tag.

  C:\Users\Admin\TypeRes\DllResource.exe   (PID 1040, child of 4420)
    command line: "C:\Users\Admin\TypeRes\DllResource.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe   (PID 1596, child of 4420)
    command line: "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a4ee9f4729596748dec32a90e27547c0.exe"
    - Suspicious use of WriteProcessMemory
    Self-deletion of the original sample: chcp 65001 switches the console to UTF-8, ping 127.0.0.1 is a short delay so the parent can exit before its image is deleted, and after the DEL the only copy on disk is C:\Users\Admin\TypeRes\DllResource.exe.

    C:\Windows\SysWOW64\chcp.com   (PID 3300, child of 1596)
      command line: chcp 65001

    C:\Windows\SysWOW64\PING.EXE   (PID 4544, child of 1596)
      command line: ping 127.0.0.1
      - Runs ping.exe
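The registry fingerprinting in the Signatures section and the logon task and self-delete chain in the process tree are each easy to express as detection logic over endpoint telemetry. The script below is an added example (not Triage output and not the sample's code) that runs three such rules over constructed Sysmon-style events mirroring this report's process tree and registry IoCs: it flags a process that reads two or more VM/BIOS fingerprint keys, a schtasks /create with /sc onlogon and /rl highest whose action lives under C:\Users\, and a cmd.exe child that pings and then deletes its parent's own image. The event schema (type, pid, ppid, image, cmdline, key), the helper names proc/reg and the benign control process PID 2222 are assumptions for the example.

```python
"""Host-based detection logic for the behaviours in this report, run over
constructed Sysmon-style events (added example, not Triage output)."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a4ee9f4729596748dec32a90e27547c0.exe"
DROPPED = r"C:\Users\Admin\TypeRes\DllResource.exe"

# Registry locations the sample queried (from the report), in hive-name form.
VM_FINGERPRINT_KEYS = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
}
_VM_KEYS_LC = {k.lower() for k in VM_FINGERPRINT_KEYS}
TASK_FLAG_RE = re.compile(r'/(tn|sc|rl|tr)\s+(?:"([^"]*)"|(\S+))', re.I)


def normalise_key(key: str) -> str:
    r"""Map \REGISTRY\MACHINE\... and \REGISTRY\USER\<SID>\... to HKLM\... / HKCU\..."""
    key = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", key, flags=re.I)
    return re.sub(r"^\\REGISTRY\\USER\\S-[\d-]+\\", r"HKCU\\", key, flags=re.I)


def anti_vm_processes(events, min_hits=2):
    """PIDs that read at least `min_hits` distinct VM/BIOS fingerprint keys.
    A single lookup is normal (installers, inventory agents); several in a row is not."""
    hits = defaultdict(set)
    for ev in events:
        if ev["type"] == "reg_query":
            k = normalise_key(ev["key"])
            if k.lower() in _VM_KEYS_LC:
                hits[ev["pid"]].add(k)
    return {pid: sorted(keys) for pid, keys in hits.items() if len(keys) >= min_hits}


def parse_schtasks(cmdline: str) -> dict:
    """Pull /tn, /sc, /rl and /tr (quoted or bare values) out of a schtasks command line."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in TASK_FLAG_RE.finditer(cmdline)}


def suspicious_logon_tasks(events):
    r"""schtasks /create of a logon task at highest run level whose action sits under C:\Users\."""
    found = []
    for ev in events:
        if ev["type"] != "process_create" or not ev["image"].lower().endswith(r"\schtasks.exe"):
            continue
        if "/create" not in ev["cmdline"].lower():
            continue
        opts = parse_schtasks(ev["cmdline"])
        target = opts.get("tr", "")
        in_user_dir = re.match(r"(?i)[a-z]:\\users\\", target) is not None
        if opts.get("sc", "").lower() == "onlogon" and opts.get("rl", "").lower() == "highest" and in_user_dir:
            found.append({"pid": ev["pid"], "task": opts.get("tn"), "target": target})
    return found


def self_delete_chains(events):
    """cmd.exe children whose command line deletes the parent's own image after a ping delay."""
    procs = {ev["pid"]: ev for ev in events if ev["type"] == "process_create"}
    found = []
    for ev in procs.values():
        if not ev["image"].lower().endswith(r"\cmd.exe"):
            continue
        parent = procs.get(ev["ppid"])
        m = re.search(r'\bdel\b[^"]*"([^"]+)"', ev["cmdline"], re.I)
        if parent and m and "ping" in ev["cmdline"].lower() and m.group(1).lower() == parent["image"].lower():
            found.append({"cmd_pid": ev["pid"], "parent_pid": parent["pid"], "deleted": m.group(1)})
    return found


def proc(pid, ppid, image, cmdline):  # assumed event shape
    return {"type": "process_create", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


def reg(pid, key):  # assumed event shape
    return {"type": "reg_query", "pid": pid, "key": key}


# Constructed telemetry mirroring the report's process tree and registry IoCs.
EVENTS = [
    proc(4420, 1, SAMPLE, '"' + SAMPLE + '"'),
    reg(4420, r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    reg(4420, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    reg(4420, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    reg(4420, r"\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation"),
    proc(4592, 4420, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "' + DROPPED + '"'),
    proc(1040, 4420, DROPPED, '"' + DROPPED + '"'),
    reg(1040, r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    reg(1040, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    proc(1596, 4420, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "' + SAMPLE + '"'),
    reg(2222, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),  # benign control (assumed)
]


def run_all(events=EVENTS):
    """Run every rule and return the findings keyed by rule name."""
    return {"anti_vm": anti_vm_processes(events),
            "logon_tasks": suspicious_logon_tasks(events),
            "self_delete": self_delete_chains(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_all(), indent=2))
```

The thresholds (two fingerprint keys, action under C:\Users\) are deliberately loose; in production the anti-VM rule should exclude system images and the task rule should also match the system-process look-alike names seen here. The self-delete rule compares against the parent's image path, which is why it needs the parent's process-creation event and not only the cmd.exe line.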
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\TypeRes\DllResource.exe
Filesize: 681.4MB
MD5: fd938c2ce3f8676c4a658a62e3df2b37
SHA1: 075f8e8e0173c4b0a8c6d63824907f05c22e9873
SHA256: 5dcda98fa043bdb57d11a1efdd1bc353ce23f6726d4612a6c3d603d82bf2451a
SHA512: ac5ffaf665033489c9a1b8c77f428a54bb97298c8bd14e5ef9d94254170e434824d4597dca63c5e9609b2b5e0df36fe1e3725f51c4f76406852df8ab40860a9b

C:\Users\Admin\TypeRes\DllResource.exe
Filesize: 672.4MB
MD5: 101f6a7e8225dd60863b1536dd79e009
SHA1: 11b5acd9793f4d797e33005328c32bc9c49dfeb0
SHA256: a88d2ccbcfab970e92d37478189b4785abf9a7a72dc62b5015a0a1d5195ad123
SHA512: 0c6e2e6325702f728c749c30cc9260f6cd89cf5bab8db96118da2f695bc82ec2b87f49eab7bac1d76bcf608f93beb38d48fa2b1e22c6da590b975ce8898b46c8

The same path is captured twice (presumably once per behavioral task) with different sizes and hashes, even though the parent is only 6.1MB and the mapped image in both processes is 12.1MB (0x0000000000400000-0x0000000001022000). That is consistent with the dropped binary being inflated with junk to push it past the size limits of scanners and sandbox submission, and it means the dropped file's hashes are not stable indicators: pivot on the path C:\Users\Admin\TypeRes\DllResource.exe, the COMSurrogate task and the C2 addresses from the config instead.
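One way to get a stable hash out of an inflated dropped file like the two DllResource.exe captures above is to hash only the part of the PE that precedes the overlay (the bytes after the last section's raw data), so copies that differ only in appended junk collapse to one value. The following Python script is an added example, not the report's or the sample's code: it locates the end of the section data from the PE headers, reports overlay size and entropy, and hashes the content with and without the overlay. The PE layouts it builds are constructed stand-ins (a zeroed optional header, two small sections, then random or zero padding) and do not reproduce the real dropped file.

```python
"""Separate an inflated PE's real content from appended padding and hash only the
content, so captures that differ only in junk overlay collapse to one hash.
Added example; the PE layouts built below are constructed, not the report's dropped file."""
import hashlib
import math
import random
import struct
from collections import Counter


def pe_end_of_sections(data: bytes) -> int:
    """File offset just past the last section's raw data (headers plus all sections)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + size_opt                     # first IMAGE_SECTION_HEADER
    end = sect_table + 40 * num_sections
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each 40-byte header
        size_raw, ptr_raw = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data))                            # tolerate truncated files


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~0 for zero padding, ~8 for random junk or compressed data."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def analyse_overlay(data: bytes, sample_bytes: int = 1 << 20) -> dict:
    """Sizes, overlay entropy and SHA-256 with and without the overlay."""
    end = pe_end_of_sections(data)
    overlay = data[end:]
    return {
        "total_size": len(data),
        "content_size": end,
        "overlay_size": len(overlay),
        "overlay_ratio": len(overlay) / len(data),
        "overlay_entropy": shannon_entropy(overlay[:sample_bytes]),
        "sha256_full": hashlib.sha256(data).hexdigest(),
        "sha256_stripped": hashlib.sha256(data[:end]).hexdigest(),
    }


def build_test_pe(sections, overlay: bytes = b"") -> bytes:
    """Construct a minimal, non-runnable PE layout: MZ stub, PE signature, file header,
    zeroed 0xE0-byte optional header, section table, 0x200-aligned raw data, then overlay."""
    e_lfanew, size_opt = 0x40, 0xE0
    sect_table = e_lfanew + 4 + 20 + size_opt
    data_start = (sect_table + 40 * len(sections) + 0x1FF) & ~0x1FF
    hdr = bytearray(data_start)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, e_lfanew + 4, 0x14C, len(sections))  # Machine, NumberOfSections
    struct.pack_into("<H", hdr, e_lfanew + 4 + 16, size_opt)          # SizeOfOptionalHeader
    body, ptr, va = bytearray(), data_start, 0x1000
    for i, (name, payload) in enumerate(sections):
        raw = (len(payload) + 0x1FF) & ~0x1FF
        off = sect_table + 40 * i
        hdr[off:off + 8] = name.ljust(8, b"\0")[:8]
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        struct.pack_into("<IIII", hdr, off + 8, len(payload), va, raw, ptr)
        body += payload.ljust(raw, b"\0")
        ptr, va = ptr + raw, va + ((raw + 0xFFF) & ~0xFFF)
    return bytes(hdr) + bytes(body) + overlay


def demo() -> dict:
    """Two captures of the 'same' binary padded with different junk: the full hashes
    differ (as the two DllResource.exe hashes do), the stripped hashes match."""
    sections = [(b".text", b"\x55\x8b\xec" * 300), (b".rdata", b"cfg:" + bytes(range(256)))]
    rng = random.Random(1)
    junk_random = bytes(rng.getrandbits(8) for _ in range(64 * 1024))  # high-entropy padding
    junk_zero = b"\0" * (96 * 1024)                                   # zero padding
    a = analyse_overlay(build_test_pe(sections, junk_random))
    b = analyse_overlay(build_test_pe(sections, junk_zero))
    return {"a": a, "b": b,
            "same_full_hash": a["sha256_full"] == b["sha256_full"],
            "same_stripped_hash": a["sha256_stripped"] == b["sha256_stripped"]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Overlay stripping only helps when the bloat is appended after the last section. If it lives inside a section (an oversized .rsrc or data section), compare each section's SizeOfRawData with the mapped image size (12.1MB here) and truncate or zero the offending section before hashing; in either case the path, task name and C2 endpoints from the config remain the durable indicators.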
Memory dumps (behavioral2), grouped by PID:

PID 1040 (DllResource.exe)
  memory/1040-141-0x0000000000000000-mapping.dmp
  memory/1040-144-0x0000000000400000-0x0000000001022000-memory.dmp   12.1MB
  memory/1040-149-0x0000000077BD0000-0x0000000077D73000-memory.dmp   1.6MB
  memory/1040-152-0x00000000032CA000-0x0000000003A5A000-memory.dmp   7.6MB
  memory/1040-153-0x0000000000400000-0x0000000001022000-memory.dmp   12.1MB
  memory/1040-154-0x0000000077BD0000-0x0000000077D73000-memory.dmp   1.6MB
  memory/1040-155-0x0000000003A64000-0x0000000003BE3000-memory.dmp   1.5MB
  memory/1040-156-0x00000000032CA000-0x0000000003A5A000-memory.dmp   7.6MB
  memory/1040-157-0x0000000003A64000-0x0000000003BE3000-memory.dmp   1.5MB
  memory/1040-158-0x00000000011D0000-0x0000000001261000-memory.dmp   580KB
  memory/1040-159-0x00000000011D0000-0x0000000001261000-memory.dmp   580KB
  memory/1040-160-0x0000000001110000-0x0000000001117000-memory.dmp   28KB
  memory/1040-163-0x00000000011D0000-0x0000000001261000-memory.dmp   580KB

PID 1596 (cmd.exe)
  memory/1596-145-0x0000000000000000-mapping.dmp

PID 3300 (chcp.com)
  memory/3300-150-0x0000000000000000-mapping.dmp

PID 4420 (a4ee9f4729596748dec32a90e27547c0.exe)
  memory/4420-132-0x0000000000400000-0x0000000001022000-memory.dmp   12.1MB
  memory/4420-133-0x0000000077BD0000-0x0000000077D73000-memory.dmp   1.6MB
  memory/4420-134-0x0000000003350000-0x0000000003AE0000-memory.dmp   7.6MB
  memory/4420-135-0x0000000003AFA000-0x0000000003C79000-memory.dmp   1.5MB
  memory/4420-136-0x0000000000400000-0x0000000001022000-memory.dmp   12.1MB
  memory/4420-137-0x0000000077BD0000-0x0000000077D73000-memory.dmp   1.6MB
  memory/4420-138-0x0000000003350000-0x0000000003AE0000-memory.dmp   7.6MB
  memory/4420-139-0x0000000003AFA000-0x0000000003C79000-memory.dmp   1.5MB
  memory/4420-146-0x0000000077BD0000-0x0000000077D73000-memory.dmp   1.6MB
  memory/4420-147-0x0000000000400000-0x0000000001022000-memory.dmp   12.1MB
  memory/4420-148-0x0000000003AFA000-0x0000000003C79000-memory.dmp   1.5MB

PID 4544 (PING.EXE)
  memory/4544-151-0x0000000000000000-mapping.dmp

PID 4592 (schtasks.exe)
  memory/4592-140-0x0000000000000000-mapping.dmp

The 0x0000000000400000-0x0000000001022000 region is the Themida-protected image in both processes (it is what the themida yara rule matched), and 0x0000000077BD0000-0x0000000077D73000 is mapped at the same address in both, as a shared system DLL would be. The smaller private regions that exist only in PID 1040 (580KB at 0x00000000011D0000, dumped three times, and 28KB at 0x0000000001110000) are the first dumps to inspect when looking for the unpacked code and the SystemBC configuration reported above.