Analysis
-
max time kernel
95s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
17-02-2023 18:48
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20221111-en
General
-
Target
file.exe
-
Size
2.9MB
-
MD5
a27435d71d3c86e923a81fd66d5118bf
-
SHA1
9d4ed8fb149d0dc4de28e41e66ac17b849b8fcbd
-
SHA256
ca0c0ca69ece78e8d1dcb7b1064a8d76a95a50025b2ea82d907dd9e27b532b8d
-
SHA512
670b7ef2f6a139cd01909e3f385ddf855fb61589b9ec0d6aa001abbe773705e8e4b10edd9bc23734ae61e8b0e8d7e8e13e9011e0c22979a1dc5a20b91715a890
-
SSDEEP
49152:yUwJvVQThRGeWlW6Bj68c5xI5hH0sIacQXfJgiE5VmJsQQlObhPk0zzxcXG+ojxo:nwzQT7obB3hDJpEmJwU1PXzqXx
Malware Config
Extracted
vidar
2.5
813
-
profile_id
813
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
file.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
file.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe -
Executes dropped EXE 1 IoCs
Processes:
56862045761583084284.exepid process 4860 56862045761583084284.exe -
Loads dropped DLL 7 IoCs
Processes:
jsc.exe56862045761583084284.exepid process 788 jsc.exe 788 jsc.exe 4860 56862045761583084284.exe 4860 56862045761583084284.exe 4860 56862045761583084284.exe 4860 56862045761583084284.exe 4860 56862045761583084284.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral2/memory/2352-134-0x0000000000340000-0x0000000000982000-memory.dmp themida behavioral2/memory/2352-142-0x0000000000340000-0x0000000000982000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
file.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA file.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
file.exepid process 2352 file.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
file.exedescription pid process target process PID 2352 set thread context of 788 2352 file.exe jsc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
jsc.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 jsc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString jsc.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 3136 timeout.exe -
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes:
file.exejsc.exe56862045761583084284.exepid process 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 2352 file.exe 788 jsc.exe 788 jsc.exe 4860 56862045761583084284.exe 4860 56862045761583084284.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
file.exedescription pid process Token: SeDebugPrivilege 2352 file.exe -
Suspicious use of WriteProcessMemory 49 IoCs
Processes:
file.exejsc.execmd.exedescription pid process target process PID 2352 wrote to memory of 5032 2352 file.exe InstallUtil.exe PID 2352 wrote to memory of 5032 2352 file.exe InstallUtil.exe PID 2352 wrote to memory of 384 2352 file.exe Microsoft.Workflow.Compiler.exe PID 2352 wrote to memory of 384 2352 file.exe Microsoft.Workflow.Compiler.exe PID 2352 wrote to memory of 408 2352 file.exe ilasm.exe PID 2352 wrote to memory of 408 2352 file.exe ilasm.exe PID 2352 wrote to memory of 4684 2352 file.exe aspnet_regiis.exe PID 2352 wrote to memory of 4684 2352 file.exe aspnet_regiis.exe PID 2352 wrote to memory of 3064 2352 file.exe cvtres.exe PID 2352 wrote to memory of 3064 2352 file.exe cvtres.exe PID 2352 wrote to memory of 1596 2352 file.exe aspnet_compiler.exe PID 2352 wrote to memory of 1596 2352 file.exe aspnet_compiler.exe PID 2352 wrote to memory of 1652 2352 file.exe aspnet_regsql.exe PID 2352 wrote to memory of 1652 2352 file.exe aspnet_regsql.exe PID 2352 wrote to memory of 1684 2352 file.exe RegSvcs.exe PID 2352 wrote to memory of 1684 2352 file.exe RegSvcs.exe PID 2352 wrote to memory of 2272 2352 file.exe AppLaunch.exe PID 2352 wrote to memory of 2272 2352 file.exe AppLaunch.exe PID 2352 wrote to memory of 4964 2352 file.exe aspnet_regbrowsers.exe PID 2352 wrote to memory of 4964 2352 file.exe aspnet_regbrowsers.exe PID 2352 wrote to memory of 4948 2352 file.exe ServiceModelReg.exe PID 2352 wrote to memory of 4948 2352 file.exe ServiceModelReg.exe PID 2352 wrote to memory of 1240 2352 file.exe CasPol.exe PID 2352 wrote to memory of 1240 2352 file.exe CasPol.exe PID 2352 wrote to memory of 2972 2352 file.exe MSBuild.exe PID 2352 wrote to memory of 2972 2352 file.exe MSBuild.exe PID 2352 wrote to memory of 3152 2352 file.exe aspnet_state.exe PID 2352 wrote to memory of 3152 2352 file.exe aspnet_state.exe PID 2352 wrote to memory of 380 2352 file.exe SMSvcHost.exe PID 2352 wrote to memory of 380 2352 file.exe SMSvcHost.exe PID 2352 wrote to memory of 788 2352 file.exe jsc.exe PID 2352 wrote to memory of 788 2352 file.exe jsc.exe PID 2352 wrote to memory of 788 2352 file.exe jsc.exe PID 2352 wrote to memory of 788 2352 file.exe jsc.exe PID 2352 wrote to memory of 788 2352 file.exe jsc.exe PID 2352 wrote to memory of 788 2352 file.exe jsc.exe PID 2352 wrote to memory of 788 2352 file.exe jsc.exe PID 2352 wrote to memory of 788 2352 file.exe jsc.exe PID 2352 wrote to memory of 788 2352 file.exe jsc.exe PID 2352 wrote to memory of 788 2352 file.exe jsc.exe PID 788 wrote to memory of 4860 788 jsc.exe 56862045761583084284.exe PID 788 wrote to memory of 4860 788 jsc.exe 56862045761583084284.exe PID 788 wrote to memory of 4860 788 jsc.exe 56862045761583084284.exe PID 788 wrote to memory of 4620 788 jsc.exe cmd.exe PID 788 wrote to memory of 4620 788 jsc.exe cmd.exe PID 788 wrote to memory of 4620 788 jsc.exe cmd.exe PID 4620 wrote to memory of 3136 4620 cmd.exe timeout.exe PID 4620 wrote to memory of 3136 4620 cmd.exe timeout.exe PID 4620 wrote to memory of 3136 4620 cmd.exe timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\56862045761583084284.exe"C:\ProgramData\56862045761583084284.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe" & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\56862045761583084284.exeFilesize
6.6MB
MD5900d27e6128c54af6b69cf16612ef16b
SHA1e21cfcd4e5767612b050ae2fed4868480af4ea1a
SHA25601e388da881c2c5b5689b1c9919ee092ffd24b269e5760159c75b5478d1e4b58
SHA512d4e7feedbe5294093ca4bab47c1285e3bfec493e4fd93289b355e2e056b486fe3addaa132cb03d9db86367a24d8b9129a172d1588c3bbe6abed4cbbbf67ddc5f
-
C:\ProgramData\56862045761583084284.exeFilesize
6.6MB
MD5900d27e6128c54af6b69cf16612ef16b
SHA1e21cfcd4e5767612b050ae2fed4868480af4ea1a
SHA25601e388da881c2c5b5689b1c9919ee092ffd24b269e5760159c75b5478d1e4b58
SHA512d4e7feedbe5294093ca4bab47c1285e3bfec493e4fd93289b355e2e056b486fe3addaa132cb03d9db86367a24d8b9129a172d1588c3bbe6abed4cbbbf67ddc5f
-
C:\ProgramData\MSVCP140.dllFilesize
439KB
MD55ff1fca37c466d6723ec67be93b51442
SHA134cc4e158092083b13d67d6d2bc9e57b798a303b
SHA2565136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA5124802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546
-
C:\ProgramData\VCRUNTIME140.dllFilesize
78KB
MD5a37ee36b536409056a86f50e67777dd7
SHA11cafa159292aa736fc595fc04e16325b27cd6750
SHA2568934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA5123a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\msvcp140.dllFilesize
439KB
MD55ff1fca37c466d6723ec67be93b51442
SHA134cc4e158092083b13d67d6d2bc9e57b798a303b
SHA2565136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA5124802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\ProgramData\vcruntime140.dllFilesize
78KB
MD5a37ee36b536409056a86f50e67777dd7
SHA11cafa159292aa736fc595fc04e16325b27cd6750
SHA2568934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA5123a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356
-
C:\Users\Admin\AppData\LocalLow\nss3.dllFilesize
1.9MB
MD5f67d08e8c02574cbc2f1122c53bfb976
SHA16522992957e7e4d074947cad63189f308a80fcf2
SHA256c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
SHA5122e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5
-
C:\Users\Admin\AppData\LocalLow\sqlite3.dllFilesize
1.0MB
MD5dbf4f8dcefb8056dc6bae4b67ff810ce
SHA1bbac1dd8a07c6069415c04b62747d794736d0689
SHA25647b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
SHA512b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1
-
memory/788-169-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/788-143-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/788-136-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/788-137-0x0000000000432A3C-mapping.dmp
-
memory/788-138-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/788-144-0x00000000518A0000-0x0000000051993000-memory.dmpFilesize
972KB
-
memory/788-167-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/788-139-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/2352-140-0x00007FFE53930000-0x00007FFE543F1000-memory.dmpFilesize
10.8MB
-
memory/2352-134-0x0000000000340000-0x0000000000982000-memory.dmpFilesize
6.3MB
-
memory/2352-133-0x00007FFE71930000-0x00007FFE71B25000-memory.dmpFilesize
2.0MB
-
memory/2352-135-0x00007FFE53930000-0x00007FFE543F1000-memory.dmpFilesize
10.8MB
-
memory/2352-132-0x0000000000340000-0x0000000000982000-memory.dmpFilesize
6.3MB
-
memory/2352-142-0x0000000000340000-0x0000000000982000-memory.dmpFilesize
6.3MB
-
memory/2352-141-0x00007FFE71930000-0x00007FFE71B25000-memory.dmpFilesize
2.0MB
-
memory/3136-170-0x0000000000000000-mapping.dmp
-
memory/4620-168-0x0000000000000000-mapping.dmp
-
memory/4860-164-0x0000000000000000-mapping.dmp
-
memory/4860-172-0x0000000000400000-0x0000000000E35000-memory.dmpFilesize
10.2MB
-
memory/4860-171-0x0000000000400000-0x0000000000E35000-memory.dmpFilesize
10.2MB
-
memory/4860-181-0x0000000000400000-0x0000000000E35000-memory.dmpFilesize
10.2MB
-
memory/4860-182-0x0000000000400000-0x0000000000E35000-memory.dmpFilesize
10.2MB