Analysis

max time kernel:  43s
max time network: 127s
platform:         windows7_x64
resource:         win7-20230220-en
resource tags:    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted:        26-03-2023 02:14
Behavioral task behavioral1
  Sample:   f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
  Resource: win7-20230220-en

Behavioral task behavioral2
  Sample:   f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
  Resource: win10v2004-20230220-en
General

Target: f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
Size:   4.1MB
MD5:    cd4839fbc22c6fccab4c3170c845bfdb
SHA1:   2f0edc79f6248f17c61e86d02be38c6d6b11b75b
SHA256: f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4
SHA512: 2e8a55d8ad8916a9772e73956244d1ec68c35963395fd7d71fd9ae881ab72bb30d04aa39427420fc44460e2a03a39ddc9937b69bebb6ca74835573350b605524
SSDEEP: 98304:9/4JXInxCzh+jyHbhGYndKYJ/mtnZCYiZ6c+RCHuY:9/4JX0xa+jy5np8nAZ6aHu
Malware Config
Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
Yara rule match: vmprotect 3 IoCs
Three dumps of the same mapped image region (0x260000-0xAD1000, pid 744) matched the vmprotect rule, i.e. the sample's code is protected with VMProtect.
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/744-54-0x0000000000260000-0x0000000000AD1000-memory.dmp  vmprotect
  behavioral1/memory/744-56-0x0000000000260000-0x0000000000AD1000-memory.dmp  vmprotect
  behavioral1/memory/744-96-0x0000000000260000-0x0000000000AD1000-memory.dmp  vmprotect
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
    File opened for modification  \??\PhysicalDrive0
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
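The two signatures above both concern \??\PhysicalDrive0: the sample opened the raw disk for modification, which is how a bootkit reaches sector 0. The check below is an added example for responders, not code from the report or the sample. It parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and compares the boot code hash against a known-good baseline, which is the quickest way to tell an overwritten MBR from a legitimate one. The sector images are constructed; the device path \\.\PhysicalDrive0 is an assumption for a live Windows host and is opened read-only.

```python
"""MBR integrity check: parse sector 0 and compare its boot code against a
known-good hash.  The sample sectors at the bottom are constructed."""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446           # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def read_mbr_from_device(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of the device the sample opened (Windows, needs admin).
    Read-only open; nothing is written back."""
    with open(path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def signature_ok(mbr: bytes) -> bool:
    return len(mbr) == SECTOR_SIZE and mbr[510:512] == BOOT_SIGNATURE


def boot_code_hash(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> list[Partition]:
    """Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) count(4)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if type_id == 0 and count == 0:
            continue  # unused slot
        parts.append(Partition(i, status == 0x80, type_id, lba_start, count))
    return parts


def check_mbr(mbr: bytes, baseline_hash: str) -> dict:
    """Findings a responder acts on: bad signature, changed boot code, and the
    partition table to compare against the expected layout."""
    return {
        "signature_ok": signature_ok(mbr),
        "boot_code_changed": boot_code_hash(mbr) != baseline_hash,
        "partitions": parse_partitions(mbr),
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: given boot code plus one bootable NTFS (0x07)
    partition at LBA 2048, 204800 sectors long."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


# Known-good sector: a typical opening (xor ax,ax; mov ss,ax; mov sp,7c00h).
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = boot_code_hash(CLEAN_MBR)
# Bootkit-style overwrite: a short jump into replaced code, partition table intact.
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\x00" * 60 + b"BOOTKIT")


def demo() -> tuple[dict, dict]:
    return check_mbr(CLEAN_MBR, BASELINE), check_mbr(TAMPERED_MBR, BASELINE)


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        print(label, "signature_ok=%s" % result["signature_ok"],
              "boot_code_changed=%s" % result["boot_code_changed"],
              [(hex(p.type_id), p.lba_start, p.sector_count) for p in result["partitions"]])
```

The tampered sector still carries a valid 0x55AA signature and an unchanged partition table, which is why the boot signature alone is not a tamper check; the baseline hash (taken from a golden image or from the same host before detonation) is what flags the overwrite.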
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
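The three registry values queried across the "Checks BIOS information in registry" and "Enumerates system info in registry" signatures (SystemBiosVersion, SystemBiosDate, Identifier) are the classic hypervisor fingerprint. The snippet below is an added example, not code from the sample or from the sandbox vendor: it reproduces the check so an analyst can see what the sample learns from those values and what a sandbox operator needs to patch. The VM marker list is an indicative set of well-known BIOS strings (an assumption, not exhaustive), the sample registry values are constructed, and the live read via winreg only works on Windows.

```python
"""Hypervisor fingerprint from HKLM\\HARDWARE\\DESCRIPTION\\System, the same
three values the sample queried.  Sample values below are constructed."""
from __future__ import annotations

import re

BIOS_KEY = r"HARDWARE\DESCRIPTION\System"
BIOS_VALUES = ("SystemBiosVersion", "SystemBiosDate", "Identifier")

# Tokens hypervisors commonly leave in BIOS strings.  Indicative list drawn
# from well-known defaults; treat it as an assumption, not a complete table.
VM_MARKERS = {
    "VBOX": "VirtualBox",
    "VIRTUALBOX": "VirtualBox",
    "VMWARE": "VMware",
    "VRTUAL": "Hyper-V",
    "QEMU": "QEMU/KVM",
    "SEABIOS": "QEMU/KVM",
    "BOCHS": "Bochs",
    "XEN": "Xen",
    "PARALLELS": "Parallels",
}


def read_bios_values() -> dict[str, list[str]]:
    """Live read of the three values (Windows only).  SystemBiosVersion is
    REG_MULTI_SZ and arrives as a list; the REG_SZ values are wrapped in a
    list so every value is handled the same way."""
    import winreg  # stdlib on Windows, ImportError elsewhere

    values: dict[str, list[str]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BIOS_KEY) as key:
        for name in BIOS_VALUES:
            try:
                data, _kind = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue  # value absent on this build
            values[name] = list(data) if isinstance(data, list) else [str(data)]
    return values


def vm_indicators(values: dict[str, list[str]]) -> list[tuple[str, str, str]]:
    """Return (value name, offending string, vendor) for each marker hit.
    Whole-word matching keeps short tokens such as XEN from firing on
    unrelated OEM strings."""
    hits = []
    for name, strings in values.items():
        for s in strings:
            upper = s.upper()
            for marker, vendor in VM_MARKERS.items():
                if re.search(rf"\b{marker}\b", upper):
                    hits.append((name, s, vendor))
    return hits


def verdict(values: dict[str, list[str]]) -> str:
    hits = vm_indicators(values)
    if not hits:
        return "no hypervisor marker in BIOS values"
    vendors = sorted({vendor for _, _, vendor in hits})
    return "sandbox/VM suspected: " + ", ".join(vendors)


# Constructed samples: roughly what a stock VirtualBox guest and a physical
# OEM machine expose.  Illustrative, not captured from any host.
SANDBOX_LIKE = {
    "SystemBiosVersion": ["VBOX   - 1"],
    "SystemBiosDate": ["12/01/2006"],
    "Identifier": ["AT/AT COMPATIBLE"],
}
BARE_METAL_LIKE = {
    "SystemBiosVersion": ["DELL   - 1072009", "1.14.2"],
    "SystemBiosDate": ["05/14/2021"],
    "Identifier": ["AT/AT COMPATIBLE"],
}

if __name__ == "__main__":
    for label, vals in (("sandbox-like", SANDBOX_LIKE), ("bare-metal-like", BARE_METAL_LIKE)):
        print(f"{label}: {verdict(vals)}")
    try:
        print("this host:", verdict(read_bios_values()))
    except ImportError:
        print("this host: winreg unavailable (not Windows)")
```

Note that Identifier reads "AT/AT COMPATIBLE" on virtual and physical machines alike, so on its own it tells the sample little; the discriminating values are SystemBiosVersion and SystemBiosDate. Sandbox operators who want this sample to proceed past the check should replace the hypervisor defaults in those two values (VirtualBox exposes them through its DMI settings via VBoxManage setextradata) rather than blocking the registry read, which is itself a detectable anomaly.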
Modifies Internet Explorer settings 11 IoCs
The DOMStorage subkeys name the hosts whose pages were rendered through the Internet Explorer engine from within this process: virtualhardwares.com and www.virtualhardwares.com, a network indicator worth pivoting on.
Processes:
  f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
    Set value (int)  \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"
    Set value (int)  \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DOMStorage\virtualhardwares.com\Total = "63"
    Key created      \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main
    Key created      \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DOMStorage\virtualhardwares.com
    Key created      \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DOMStorage
    Set value (int)  \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DOMStorage\virtualhardwares.com\NumberOfSubdomains = "1"
    Set value (int)  \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.virtualhardwares.com\ = "63"
    Key created      \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
    Set value (str)  \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
    Key created      \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total
    Key created      \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.virtualhardwares.com
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid  process
  744  f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
  744  f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description              pid  process
  Token: SeDebugPrivilege  744  f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe

Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid  process
  744  f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
  744  f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
Processes

C:\Users\Admin\AppData\Local\Temp\f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe"
  - Checks BIOS information in registry
  - Writes to the Master Boot Record (MBR)
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx