Analysis
max time kernel: 60s
max time network: 124s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 17-02-2023 18:48
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20221111-en
General
Target: file.exe
Size: 2.9MB
MD5: a27435d71d3c86e923a81fd66d5118bf
SHA1: 9d4ed8fb149d0dc4de28e41e66ac17b849b8fcbd
SHA256: ca0c0ca69ece78e8d1dcb7b1064a8d76a95a50025b2ea82d907dd9e27b532b8d
SHA512: 670b7ef2f6a139cd01909e3f385ddf855fb61589b9ec0d6aa001abbe773705e8e4b10edd9bc23734ae61e8b0e8d7e8e13e9011e0c22979a1dc5a20b91715a890
SSDEEP: 49152:yUwJvVQThRGeWlW6Bj68c5xI5hH0sIacQXfJgiE5VmJsQQlObhPk0zzxcXG+ojxo:nwzQT7obB3hDJpEmJwU1PXzqXx
Malware Config
Extracted
Family: vidar
Version: 2.5
Botnet: 813
profile_id: 813
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)  [2 TTPs, 1 IoC]
  Process   Description  IoC
  file.exe  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Downloads MZ/PE file

Checks BIOS information in registry  [2 TTPs, 2 IoCs]
BIOS information is often read in order to detect sandboxing environments.
  Process   Description        IoC
  file.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  file.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Executes dropped EXE  [1 IoC]
  PID  Process
  768  17125333403547803972.exe

Loads dropped DLL  [6 IoCs]
  PID   Process
  1128  jsc.exe  (6 DLL loads recorded for this process)

Themida packer (YARA rule match)  [2 IoCs]
  Resource                                                                      YARA rule
  behavioral1/memory/1784-54-0x0000000000390000-0x00000000009D2000-memory.dmp  themida
  behavioral1/memory/1784-62-0x0000000000390000-0x00000000009D2000-memory.dmp  themida

Accesses cryptocurrency files/wallets, possible credential harvesting  [2 TTPs]

Checks whether UAC is enabled
  Process   Description        IoC
  file.exe  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of NtSetInformationThreadHideFromDebugger  [1 IoC]
  PID   Process
  1784  file.exe

Suspicious use of SetThreadContext  [1 IoC]
  Description                           Source PID  Source process  Target process
  PID 1784 set thread context of 1128   1784        file.exe        jsc.exe

Checks processor information in registry  [2 TTPs, 2 IoCs]
Processor information is often read in order to detect sandboxing environments.
  Process  Description        IoC
  jsc.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  jsc.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Delays execution with timeout.exe  [1 IoC]
  PID   Process
  1248  timeout.exe

Suspicious behavior: EnumeratesProcesses  [3 IoCs]
  PID   Process
  1784  file.exe
  1784  file.exe
  1128  jsc.exe

Suspicious use of AdjustPrivilegeToken  [1 IoC]
  Description              PID   Process
  Token: SeDebugPrivilege  1784  file.exe

Suspicious use of WriteProcessMemory  [26 IoCs]
  Source PID  Source process  Target PID  Target process            Write events
  1784        file.exe        1120        mscorsvw.exe              3
  1784        file.exe        1128        jsc.exe                   11
  1128        jsc.exe         768         17125333403547803972.exe  4
  1128        jsc.exe         904         cmd.exe                   4
  904         cmd.exe         1248        timeout.exe               4
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 1784)
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe  (PID 1120)
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe  (PID 1128)
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\17125333403547803972.exe  (PID 768)
      command line: "C:\ProgramData\17125333403547803972.exe"
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe  (PID 904)
      command line: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe" & exit
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\timeout.exe  (PID 1248)
        command line: timeout /t 6
        - Delays execution with timeout.exe
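The chain recorded above is the one a detection engineer wants to pull out of raw telemetry: hypervisor and BIOS fingerprinting from the registry, WriteProcessMemory followed by SetThreadContext from file.exe into a freshly started jsc.exe (the process-hollowing pattern), and a cmd.exe child that sleeps with timeout and then deletes the hollowed host image. The Python below is an added example and is not part of the sandbox report or of the sandbox's own code. Its event list is constructed by hand from the signature rows and process tree on this page; the field names (type, pid, ppid, image, cmdline, key, target) are a simplified Sysmon-like schema assumed for the example, and the key list, write threshold and verdict scoring are the author's choices, not the sandbox's.

```python
"""Added example: three detections over events CONSTRUCTED from the report above.

Schema ("type", "pid", "ppid", "image", "cmdline", "key", "target") is an
assumption of this example, not the sandbox's export format.
"""
import re
from collections import defaultdict

NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"

# Constructed from the report: pids, images, registry keys and command lines
# are the ones listed on the page; write counts match the 26 IoCs.
EVENTS = [
    {"type": "process_create", "pid": 1784, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\file.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'},
    {"type": "reg_query", "pid": 1784, "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "reg_query", "pid": 1784, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "reg_query", "pid": 1784, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"type": "reg_query", "pid": 1784, "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"type": "process_create", "pid": 1120, "ppid": 1784, "image": NET + r"\mscorsvw.exe",
     "cmdline": '"' + NET + r'\mscorsvw.exe"'},
    *[{"type": "write_memory", "pid": 1784, "target": 1120}] * 3,   # written to, never resumed
    {"type": "process_create", "pid": 1128, "ppid": 1784, "image": NET + r"\jsc.exe",
     "cmdline": '"' + NET + r'\jsc.exe"'},
    *[{"type": "write_memory", "pid": 1784, "target": 1128}] * 11,
    {"type": "set_thread_context", "pid": 1784, "target": 1128},
    {"type": "reg_query", "pid": 1128, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"type": "process_create", "pid": 768, "ppid": 1128, "image": r"C:\ProgramData\17125333403547803972.exe",
     "cmdline": r'"C:\ProgramData\17125333403547803972.exe"'},
    {"type": "process_create", "pid": 904, "ppid": 1128, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "' + NET + r'\jsc.exe" & exit'},
    {"type": "process_create", "pid": 1248, "ppid": 904, "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": "timeout /t 6"},
]

# Registry paths the report flags as VM/BIOS/CPU fingerprinting (author's list).
ANTI_VM_KEYS = (
    r"\HARDWARE\ACPI\DSDT\VBOX__",
    r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
)


def processes(events):
    """Map pid -> its process_create event."""
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def anti_vm_checks(events):
    """pid -> registry keys read that fingerprint the hypervisor, BIOS or CPU."""
    suffixes = tuple(k.lower() for k in ANTI_VM_KEYS)
    hits = defaultdict(list)
    for e in events:
        if e["type"] == "reg_query" and e["key"].lower().endswith(suffixes):
            hits[e["pid"]].append(e["key"])
    return dict(hits)


def hollowing_candidates(events, min_writes=1):
    """(source, target) pairs where one process both wrote into another and
    then set a thread context there. Writes alone are not enough: file.exe
    also wrote into mscorsvw.exe (1120) but never redirected a thread."""
    writes = defaultdict(int)
    redirected = set()
    for e in events:
        if e["type"] == "write_memory":
            writes[(e["pid"], e["target"])] += 1
        elif e["type"] == "set_thread_context":
            redirected.add((e["pid"], e["target"]))
    return sorted(p for p in redirected if writes[p] >= min_writes)


# "timeout /t N ... & del /f /q <path>" as seen in the report's cmd.exe line.
SELF_DELETE = re.compile(r'timeout\s+/t\s+\d+.*?&\s*del\s+/f\s+/q\s+"?([^"&]+)"?', re.I)


def self_delete_commands(events):
    """cmd.exe processes that wait and then delete a file, with a flag telling
    whether that file is the parent's own image (the hollowed host here)."""
    procs = processes(events)
    found = []
    for e in events:
        if e["type"] != "process_create" or not e["image"].lower().endswith(r"\cmd.exe"):
            continue
        m = SELF_DELETE.search(e["cmdline"])
        if not m:
            continue
        target = m.group(1).strip()
        parent = procs.get(e["ppid"])
        found.append((e["pid"], target, parent is not None and target.lower() == parent["image"].lower()))
    return found


def triage(events):
    """Combine the three detections; the verdict thresholds are this example's."""
    vm, hollow, wipe = anti_vm_checks(events), hollowing_candidates(events), self_delete_commands(events)
    score = int(bool(vm)) + int(bool(hollow)) + int(any(w[2] for w in wipe))
    return {"anti_vm_pids": sorted(vm), "hollowing": hollow, "self_delete": wipe,
            "verdict": "malicious" if score >= 2 else "suspicious" if score else "clean"}


if __name__ == "__main__":
    for k, v in triage(EVENTS).items():
        print(f"{k}: {v}")
```

Run stand-alone it prints the two fingerprinting pids (1784 and 1128), the single hollowing pair (1784 into 1128) and the cmd.exe self-delete with `True` for "deletes its parent's image". Requiring SetThreadContext in addition to writes is what keeps the mscorsvw.exe writes from firing; the EnableLUA read is a UAC check rather than sandbox evasion and is deliberately left out of the anti-VM list.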
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\17125333403547803972.exe
  Filesize: 6.6MB
  MD5: 900d27e6128c54af6b69cf16612ef16b
  SHA1: e21cfcd4e5767612b050ae2fed4868480af4ea1a
  SHA256: 01e388da881c2c5b5689b1c9919ee092ffd24b269e5760159c75b5478d1e4b58
  SHA512: d4e7feedbe5294093ca4bab47c1285e3bfec493e4fd93289b355e2e056b486fe3addaa132cb03d9db86367a24d8b9129a172d1588c3bbe6abed4cbbbf67ddc5f
\ProgramData\mozglue.dll
  Filesize: 593KB
  MD5: c8fd9be83bc728cc04beffafc2907fe9
  SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
  SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
  SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\ProgramData\nss3.dll
  Filesize: 2.0MB
  MD5: 1cc453cdf74f31e4d913ff9c10acdde2
  SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
  SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
  SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/768-91-0x0000000000000000-mapping.dmp
memory/904-93-0x0000000000000000-mapping.dmp
memory/1128-61-0x0000000000400000-0x0000000000495000-memory.dmp  Filesize: 596KB
memory/1128-58-0x0000000000400000-0x0000000000495000-memory.dmp  Filesize: 596KB
memory/1128-66-0x0000000000400000-0x0000000000495000-memory.dmp  Filesize: 596KB
memory/1128-67-0x00000000511D0000-0x00000000512C3000-memory.dmp  Filesize: 972KB
memory/1128-64-0x0000000000400000-0x0000000000495000-memory.dmp  Filesize: 596KB
memory/1128-94-0x0000000000400000-0x0000000000495000-memory.dmp  Filesize: 596KB
memory/1128-65-0x0000000074DA1000-0x0000000074DA3000-memory.dmp  Filesize: 8KB
memory/1128-59-0x0000000000432A3C-mapping.dmp
memory/1248-95-0x0000000000000000-mapping.dmp
memory/1784-54-0x0000000000390000-0x00000000009D2000-memory.dmp  Filesize: 6.3MB
memory/1784-57-0x000000001C250000-0x000000001C314000-memory.dmp  Filesize: 784KB
memory/1784-56-0x000007FEFB641000-0x000007FEFB643000-memory.dmp  Filesize: 8KB
memory/1784-55-0x0000000076DC0000-0x0000000076F69000-memory.dmp  Filesize: 1.7MB
memory/1784-62-0x0000000000390000-0x00000000009D2000-memory.dmp  Filesize: 6.3MB
memory/1784-63-0x0000000076DC0000-0x0000000076F69000-memory.dmp  Filesize: 1.7MB