Analysis
- max time kernel: 148s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-03-2023 20:18
Behavioral task: behavioral1
- Sample: sample.exe
- Resource: win7-20230220-en
General
- Target: sample.exe
- Size: 2.6MB
- MD5: 35eb63390faa38437c456a1966d2e51a
- SHA1: 0138a5c885e85ab7960f681f94c552f1cd2b45e9
- SHA256: 314259cc43c8619b5f8e1ec548b34b64d6b8084342cdd6d8a970718c2d791da8
- SHA512: 8abef3dde447c025aa69b1524867513a0ecca523583098407bc18f6462acfa38e6e06d621c1943a6c1f6d88030edfdf71c48c2805fa0f5403183bab22c370048
- SSDEEP: 49152:LxgCKGJaUFxFwTkhnCEtG0vHBsH0PlXSUYo0rI8Jc+UDQ5tBpOTT0cAalxRm:LxLXJtxmTOtNvC/nrhYUrB4TT0chx
Malware Config
Extracted
- cryptbot
  - hevbaw12.top
  - morgki01.top
- payload_url: http://kyvihm01.top/download.php?file=brunei.exe
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 1 IoCs
Processes (description / ioc / process):
- Key opened / \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ / sample.exe

Checks BIOS information in registry | 2 TTPs | 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion / sample.exe
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion / sample.exe
Reads user/profile data of web browsers | 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

YARA matches (resource / yara_rule):
- behavioral2/memory/2844-133-0x0000000000C00000-0x00000000012E4000-memory.dmp / themida
- behavioral2/memory/2844-134-0x0000000000C00000-0x00000000012E4000-memory.dmp / themida
- behavioral2/memory/2844-135-0x0000000000C00000-0x00000000012E4000-memory.dmp / themida
- behavioral2/memory/2844-136-0x0000000000C00000-0x00000000012E4000-memory.dmp / themida
- behavioral2/memory/2844-137-0x0000000000C00000-0x00000000012E4000-memory.dmp / themida
- behavioral2/memory/2844-240-0x0000000000C00000-0x00000000012E4000-memory.dmp / themida
- behavioral2/memory/2844-241-0x0000000000C00000-0x00000000012E4000-memory.dmp / themida
- behavioral2/memory/2844-251-0x0000000000C00000-0x00000000012E4000-memory.dmp / themida
- behavioral2/memory/2844-254-0x0000000000C00000-0x00000000012E4000-memory.dmp / themida
- behavioral2/memory/2844-258-0x0000000000C00000-0x00000000012E4000-memory.dmp / themida
- behavioral2/memory/2844-261-0x0000000000C00000-0x00000000012E4000-memory.dmp / themida
- behavioral2/memory/2844-264-0x0000000000C00000-0x00000000012E4000-memory.dmp / themida
- behavioral2/memory/2844-268-0x0000000000C00000-0x00000000012E4000-memory.dmp / themida
- behavioral2/memory/2844-271-0x0000000000C00000-0x00000000012E4000-memory.dmp / themida
- behavioral2/memory/2844-274-0x0000000000C00000-0x00000000012E4000-memory.dmp / themida
- behavioral2/memory/2844-278-0x0000000000C00000-0x00000000012E4000-memory.dmp / themida
- behavioral2/memory/2844-281-0x0000000000C00000-0x00000000012E4000-memory.dmp / themida
- behavioral2/memory/2844-285-0x0000000000C00000-0x00000000012E4000-memory.dmp / themida
- behavioral2/memory/2844-287-0x0000000000C00000-0x00000000012E4000-memory.dmp / themida
- behavioral2/memory/2844-290-0x0000000000C00000-0x00000000012E4000-memory.dmp / themida
Accesses cryptocurrency files/wallets, possible credential harvesting | 2 TTPs

Checks installed software on the system | 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
Processes (description / ioc / process):
- Key value queried / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA / sample.exe
Suspicious use of NtSetInformationThreadHideFromDebugger | 1 IoCs
Processes (pid / process):
- 2844 / sample.exe

Enumerates physical storage devices | 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry | 2 TTPs | 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
- Key opened / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 / sample.exe
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString / sample.exe

Suspicious behavior: EnumeratesProcesses | 2 IoCs
Processes (pid / process):
- 2844 / sample.exe
- 2844 / sample.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\wSDekUDO\MjngyhLwqnINDA.zip
  Filesize: 51KB
  MD5: 70ec9d19468701888ff4c8009e3ddfc9
  SHA1: bf7ccd2f2fd9c3d22d7fcfdf17b77dc5ad286fc9
  SHA256: 43e0f6755ed38d4a80bb05d3622a2ff54abcfa5cc87b8601d66e6fec51955523
  SHA512: 023bca1cbec1da8423964eba72f74f904c19d4725367e478e7a6b51f5d227c1472bbbd338472954f9997b9dd762974fd9aa04aec1f69430e9559051340495888

- C:\Users\Admin\AppData\Local\Temp\wSDekUDO\_Files\_Information.txt
  Filesize: 1KB
  MD5: 656e83bc6064e358049128b976074f2f
  SHA1: 8a0c5155c52db4ba60fc426215e3f7a2e369d208
  SHA256: acbd59055f280403e7db40c4eb728a1f12e4d4a750b8590694496eeff3988fb1
  SHA512: 74cb58f0ec5fa47498d33795bdba7fa0496a062bf8440af7c6fe236be1b1591f8e5691dacf2f78ebacdb2fb33aabb321eea9bc926ca79c59c70f57323546c049

- C:\Users\Admin\AppData\Local\Temp\wSDekUDO\_Files\_Information.txt
  Filesize: 6KB
  MD5: 176f04207e01c9019922e214dac1ba9e
  SHA1: f73ee88b093f3e59e3a2eb7a2938687858bf459d
  SHA256: 3441e63f0c4eff698ebd5e5dac347fb44b3a1ef60f1b2bf78921a0e65102fede
  SHA512: 656c6e39e46174176f6b7a3491c83ff4defb7e2c9d781d3d31801abcf1725ea83b2b161172cadd79f46be4a3c1af16ff031db80bb3b318311b21fe4cda340297

- C:\Users\Admin\AppData\Local\Temp\wSDekUDO\_Files\_Screen_Desktop.jpeg
  Filesize: 50KB
  MD5: 66d94f0928dfdc4cdfb4fbd1d719373c
  SHA1: c6fa91f3b354a780712cd60295bf81aef191cfcd
  SHA256: 767872633bf96485e8970606a9ae9624db4355416d8ac65ed0485cc2620e8196
  SHA512: 52c9437ad8b95173fb195f2ed5e61c94547779b5bdcc7682268eb1436b52be2db769cd6e5fccef30a9ef0406913095ffc5020cf815d7e0e6a9d78e638b92a0dd