Analysis
- max time kernel: 79s
- max time network: 114s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 09/11/2022, 05:42
- Static task: static1
- Behavioral task: behavioral1
- Sample: ECF263506EFDC83D3911E931D59DCE6B9E9D6FE0C0569.exe
- Resource: win7-20220812-en
General
- Target: ECF263506EFDC83D3911E931D59DCE6B9E9D6FE0C0569.exe
- Size: 2.0MB
- MD5: dd758f1956ddeadd5da9c395939b8397
- SHA1: 1629d97a0cb060d1f9955aaf33c8ed3136cb0467
- SHA256: ecf263506efdc83d3911e931d59dce6b9e9d6fe0c05695c040c57f724ef79efc
- SHA512: c1cbab287b4572c806a1f199e75385774e6b56cbbcc8329b6bceb2a356ef566cb81bb48b73b899be7831cc46e6aa274636ea783155cc3544bff07fed3340e765
- SSDEEP: 49152:ffCFy+sgiEBVX+KwLA+/dhGgTgPH3oS0MT/oMNif:ffCs6BJ+dM+/dhGKoaeif
Malware Config
Extracted
systembc
n20b28tu.info:4248
n20b28tu88.info:4248
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ECF263506EFDC83D3911E931D59DCE6B9E9D6FE0C0569.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ECF263506EFDC83D3911E931D59DCE6B9E9D6FE0C0569.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ECF263506EFDC83D3911E931D59DCE6B9E9D6FE0C0569.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ECF263506EFDC83D3911E931D59DCE6B9E9D6FE0C0569.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ECF263506EFDC83D3911E931D59DCE6B9E9D6FE0C0569.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ECF263506EFDC83D3911E931D59DCE6B9E9D6FE0C0569.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Wine | ECF263506EFDC83D3911E931D59DCE6B9E9D6FE0C0569.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  1228 | ECF263506EFDC83D3911E931D59DCE6B9E9D6FE0C0569.exe
  1532 | ECF263506EFDC83D3911E931D59DCE6B9E9D6FE0C0569.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\Tasks\wow64.job | ECF263506EFDC83D3911E931D59DCE6B9E9D6FE0C0569.exe
  File opened for modification | C:\Windows\Tasks\wow64.job | ECF263506EFDC83D3911E931D59DCE6B9E9D6FE0C0569.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1228 | ECF263506EFDC83D3911E931D59DCE6B9E9D6FE0C0569.exe
  1532 | ECF263506EFDC83D3911E931D59DCE6B9E9D6FE0C0569.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 280 wrote to memory of 1532 | 280 | taskeng.exe | 28
  PID 280 wrote to memory of 1532 | 280 | taskeng.exe | 28
  PID 280 wrote to memory of 1532 | 280 | taskeng.exe | 28
  PID 280 wrote to memory of 1532 | 280 | taskeng.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\ECF263506EFDC83D3911E931D59DCE6B9E9D6FE0C0569.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ECF263506EFDC83D3911E931D59DCE6B9E9D6FE0C0569.exe"
  PID: 1228
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {E8CC419B-80D0-4D2C-BAF1-BEBF59834F7F} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 280
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ECF263506EFDC83D3911E931D59DCE6B9E9D6FE0C0569.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ECF263506EFDC83D3911E931D59DCE6B9E9D6FE0C0569.exe start
    PID: 1532
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses