Analysis

  • max time kernel
    55s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-03-2023 14:38

General

  • Target

    ccfd30e42f2dbb38fa3ad9528c74c6ecf6cc45ab167838200331ecf903230db1.exe

  • Size

    3.4MB

  • MD5

    588cd06833601b361f843c87056fd5a9

  • SHA1

    36fd19550588e46b7ae12639421e9768f6172f0a

  • SHA256

    ccfd30e42f2dbb38fa3ad9528c74c6ecf6cc45ab167838200331ecf903230db1

  • SHA512

    74ca11d07f98dcbae852fb94fd3fa5fb641a73917c6e85b1e2e0f49c5e8f604a14ea3deaf146ce23d4814f3daf2082d3c90d72d2759507d51cf45284f50fc979

  • SSDEEP

    98304:cPMHpHh81TVkOjPdBx425wr7MARYza/PnrHT86b4GGsVJxz:cUrkTiOjPn76hCa/PrHlrVJxz

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 22 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • AutoIT Executable 20 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ccfd30e42f2dbb38fa3ad9528c74c6ecf6cc45ab167838200331ecf903230db1.exe
    "C:\Users\Admin\AppData\Local\Temp\ccfd30e42f2dbb38fa3ad9528c74c6ecf6cc45ab167838200331ecf903230db1.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:4436
    • C:\Windows\SysWOW64\WSCript.exe
      WSCript C:\Users\Admin\AppData\Local\Temp\JYEVXV.vbs
      2⤵
        PID:1396

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Virtualization/Sandbox Evasion

    1
    T1497

    Modify Registry

    1
    T1112

    Discovery

    Query Registry

    2
    T1012

    Virtualization/Sandbox Evasion

    1
    T1497

    System Information Discovery

    3
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\JYEVXV.vbs
      Filesize

      948B

      MD5

      e377d9b5b2474a563460a88b5413459f

      SHA1

      663a481a328d5b98ad8d4c020414843c5d58151a

      SHA256

      0a13ce71c73f3f7e9d1ac4b4a55e233dbe5c0fd0c4b56abf9035e668c9f68fcb

      SHA512

      c1074e33c0e9554ae4a3e2c0c7dbc6f15de4528e9caeff9c6841728afcd33cb8f30ba6978cd2fb76f070fd35362023a08acaa14b2f1f44defda254e1e057f47b

    • memory/4436-143-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-136-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-149-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-137-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-138-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-139-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-140-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-141-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-150-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-133-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-159-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-135-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-142-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-151-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-152-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-153-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-154-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-155-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-156-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-157-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-158-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB

    • memory/4436-134-0x0000000000BC0000-0x00000000013A5000-memory.dmp
      Filesize

      7.9MB