Analysis

Max time kernel: 117s
Max time network: 126s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 26-12-2023 01:18

Static task: static1
Behavioral task: behavioral1
Sample: 48ad7db5fb10dd9b1c6817d5a9c34865.exe
Resource: win7-20231215-en
General

Target: 48ad7db5fb10dd9b1c6817d5a9c34865.exe
Size: 2.2MB
MD5: 48ad7db5fb10dd9b1c6817d5a9c34865
SHA1: 2fd68670f13f6335a2361fbdd7ed6c36b9f4863c
SHA256: 44cf30bb3e4623c4374ab4132bd419d3a63f119b36eaf66f1a5258e36df3b60a
SHA512: 7782826d586098b94e2c10a801881e0104784406d9d496c98b2932a33b28f2b0724be7eb25f158223f84483795b4bb768f7e2ad15799c9cb4b2577888909c3fb
SSDEEP: 49152:pSezyzdsk+1US6FOZyj2Zi8kwUP+9uNMYuv+ShQFZS:pSdsk+ySemg2Iw0+YChv+Shx
Malware Config

Extracted
Family: 44caliber
C2 (Discord webhook): https://discord.com/api/webhooks/850985103400108043/qMVlcxRCEtOy4d0lLo-ckGGqIgWka8O5mwrGC7NwW7qRJs5beglorhRUk-uRy4jQ1Cbz
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 48ad7db5fb10dd9b1c6817d5a9c34865.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 48ad7db5fb10dd9b1c6817d5a9c34865.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 48ad7db5fb10dd9b1c6817d5a9c34865.exe
Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  2416 | Insidious — êîïèÿ.exe
  1236 | 12312.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine | 48ad7db5fb10dd9b1c6817d5a9c34865.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  3052 | 48ad7db5fb10dd9b1c6817d5a9c34865.exe
  3052 | 48ad7db5fb10dd9b1c6817d5a9c34865.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks whether UAC is enabled (signature title reconstructed from the process tree; the extracted page lost the heading above this table)
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 48ad7db5fb10dd9b1c6817d5a9c34865.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  3 | freegeoip.app
  2 | freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
  pid | process
  3052 | 48ad7db5fb10dd9b1c6817d5a9c34865.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | Insidious — êîïèÿ.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Insidious — êîïèÿ.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid | process
  3052 | 48ad7db5fb10dd9b1c6817d5a9c34865.exe
  1236 | 12312.exe
  2416 | Insidious — êîïèÿ.exe
  2416 | Insidious — êîïèÿ.exe
  2416 | Insidious — êîïèÿ.exe
  2416 | Insidious — êîïèÿ.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2416 | Insidious — êîïèÿ.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description | pid | process | target process
  PID 3052 wrote to memory of 2416 | 3052 | 48ad7db5fb10dd9b1c6817d5a9c34865.exe | Insidious — êîïèÿ.exe
  PID 3052 wrote to memory of 2416 | 3052 | 48ad7db5fb10dd9b1c6817d5a9c34865.exe | Insidious — êîïèÿ.exe
  PID 3052 wrote to memory of 2416 | 3052 | 48ad7db5fb10dd9b1c6817d5a9c34865.exe | Insidious — êîïèÿ.exe
  PID 3052 wrote to memory of 2416 | 3052 | 48ad7db5fb10dd9b1c6817d5a9c34865.exe | Insidious — êîïèÿ.exe
  PID 3052 wrote to memory of 1236 | 3052 | 48ad7db5fb10dd9b1c6817d5a9c34865.exe | 12312.exe
  PID 3052 wrote to memory of 1236 | 3052 | 48ad7db5fb10dd9b1c6817d5a9c34865.exe | 12312.exe
  PID 3052 wrote to memory of 1236 | 3052 | 48ad7db5fb10dd9b1c6817d5a9c34865.exe | 12312.exe
  PID 3052 wrote to memory of 1236 | 3052 | 48ad7db5fb10dd9b1c6817d5a9c34865.exe | 12312.exe
Processes

C:\Users\Admin\AppData\Local\Temp\48ad7db5fb10dd9b1c6817d5a9c34865.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\48ad7db5fb10dd9b1c6817d5a9c34865.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Insidious — êîïèÿ.exe (tree depth 2, child of the process above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Insidious — êîïèÿ.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\12312.exe (tree depth 2, child of the process above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\12312.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Downloads

C:\Users\Admin\AppData\Local\Temp\12312.exe
  Filesize: 60KB
  MD5: f18cf2c76c5e8283a9d81640b198e01b
  SHA1: 29d2b98d71a263ee319cc65109e7325604d203d0
  SHA256: b54d12aafa616be9524995f8df0527848776c08432556c178667e1429744e34d
  SHA512: 9543bd395281d41c7fafc470812bb920cbd70b918c864b3b245451a2b679ab621401c4857c8da000f952ae73e3c3f084aaaf74a15dc91966caf7680b84f1da04

C:\Users\Admin\AppData\Local\Temp\Insidious — êîïèÿ.exe
  Filesize: 99KB
  MD5: 004988032f3394e039a0c4dbe71f8fb8
  SHA1: aeaf78fe612e2e36739d16fda575750bc2fca4f9
  SHA256: d631435fdf8d005ca6cfa0998072fa50e660282d17a214ca71d17cb55ab3d553
  SHA512: d5f99c20dbcbee3f71cf738dbf7637e40ea7bf0507c6d356d9874b63152fbf7980fd1e9b3f20c1318140b91f595ac2d7a116c581b0e0147efe64ce9924731fc9

C:\Users\Admin\AppData\Local\Temp\Insidious — êîïèÿ.exe
  Filesize: 144KB
  MD5: 0a46ca97a46f53213a7c17b436d1c4ec
  SHA1: 99959e543f07511e9bfc969c4f5f461b9782ece5
  SHA256: 7ea8e0a81e5983288005ca07aae6f37c974e8401a55e7fd4b1b3498ed784a2e6
  SHA512: ccb32574b0d42fc566a0851bcc5a21a3d6d621c6d42d4591a99f92e432b562fbfb4b4567f09dc66b5a6a01afbf601781853f23b1e4eb6cd27298243fde5bddb8

\Users\Admin\AppData\Local\Temp\12312.exe
  Filesize: 51KB
  MD5: 1c3a060404d34c0634d2cc1b3a71060c
  SHA1: 3fa6a2623e4ad01a3cb89121dc2114228a3c0b9f
  SHA256: aaec7f71055e66ad0d86b1e45d3c8ed9dcf8ceb3c61cb4f225f22a606442e1aa
  SHA512: 20c3ef485661c569326b0e0eb511390e9cf624acb1fc87a0473d4e9f1d8499904a16254d0e9eb818005d8685093e2b88fb6cbeba85b0969323022f8c7e28f13a

\Users\Admin\AppData\Local\Temp\Insidious — êîïèÿ.exe
  Filesize: 209KB
  MD5: d7430a5ffd13839637a6849b0706c019
  SHA1: 6b9a3a42a50acaf37581ca692fef9b3850598975
  SHA256: 572fe02ca4e18bf6838478c981e50184455729785f88abb265a55e94f6a6dc82
  SHA512: d5deb78cceead63a5d35ce7bd8220173dfce13ad21f54a2e1456eb45f5c2b89775823bb387f3f4165dc9648f7fb0489fe2852a0bdb7f2b18c500eea24e834153
Memory dumps (region name | size):
  memory/2416-71-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp | 9.9MB
  memory/2416-22-0x00000000003E0000-0x0000000000460000-memory.dmp | 512KB
  memory/2416-21-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp | 9.9MB
  memory/2416-20-0x0000000000A00000-0x0000000000A4A000-memory.dmp | 296KB
  memory/3052-6-0x00000000003F0000-0x00000000003F1000-memory.dmp | 4KB
  memory/3052-4-0x00000000003E0000-0x00000000003E1000-memory.dmp | 4KB
  memory/3052-5-0x0000000000930000-0x0000000000931000-memory.dmp | 4KB
  memory/3052-19-0x0000000000400000-0x000000000092D000-memory.dmp | 5.2MB
  memory/3052-0-0x0000000000400000-0x000000000092D000-memory.dmp | 5.2MB
  memory/3052-7-0x0000000000940000-0x0000000000941000-memory.dmp | 4KB
  memory/3052-3-0x0000000000400000-0x000000000092D000-memory.dmp | 5.2MB
  memory/3052-1-0x0000000077580000-0x0000000077582000-memory.dmp | 8KB