Overview

overview

9

Static

static

FrkarR.exe

windows10_x64

9

Resubmissions

27-07-2021 16:00

210727-9znbap7676 10

27-07-2021 15:56

210727-7ddscz711n 9

27-07-2021 15:53

210727-s128rt44rx 9

Analysis

  • max time kernel
    52s
  • max time network
    62s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    27-07-2021 15:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FrkarR.exe

  • Size

    6.8MB

  • MD5

    f86cfbbb6316becace4efae11cdfd424

  • SHA1

    9a27c693283aa2c9d91cb3a40e1bf392c3d42d51

  • SHA256

    d54358095f37e6a9786a5a8997a5d591a015934acefb9da85f79705d81ccdc6f

  • SHA512

    f0b27d490f5a9ee19a055c62995de035a81754d1201912c4e18a3e1b8a96b98df7395f4a12e7c3654cdade406480a51c3dd08cb2a8ee067a67655b017b0f187c

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 13 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FrkarR.exe
    "C:\Users\Admin\AppData\Local\Temp\FrkarR.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4064
    • C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.sfx.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.exe
        "C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:200
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\LockUpdate.jpg" /ForceBootstrapPaint3D
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2620
  • \??\c:\windows\system32\rundll32.exe
    rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh
    1⤵
    • Modifies registry class
    PID:2612
  • C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
    "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.exe
    MD5

    bdded61f4e676bf27febc09492b55108

    SHA1

    68cabc1095a7f94e6fcbdf04bbe78e61bad097c2

    SHA256

    790fb2ce697a68c7ac3734f345b2779b84100f3613954c5cf1b063bc21c67ab4

    SHA512

    dd81f40e3182ec45f276456655924700f9ff9c81679b8a5a42641b4fca1965d495ef3be50a94e0b6e291e08cbff452d6e18dedceff395e5e04bbd9692253a1fc

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.exe
    MD5

    bdded61f4e676bf27febc09492b55108

    SHA1

    68cabc1095a7f94e6fcbdf04bbe78e61bad097c2

    SHA256

    790fb2ce697a68c7ac3734f345b2779b84100f3613954c5cf1b063bc21c67ab4

    SHA512

    dd81f40e3182ec45f276456655924700f9ff9c81679b8a5a42641b4fca1965d495ef3be50a94e0b6e291e08cbff452d6e18dedceff395e5e04bbd9692253a1fc

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.sfx.exe
    MD5

    e726f22e50e622b2ca5612e05a247525

    SHA1

    d11541d1f08fb6212ee60a30cb446821d2e36690

    SHA256

    2304084f7a8d97be4c6ae6e5cbac75478a04c4f63093f18bcf713f912a3da5d7

    SHA512

    aafed566df0333f783bc52f19951679a973e3c8396b68cc3dc5acc9f8f95684ceafcf113a27e0376f8531a9ccda3fb601080725109cfcb067b40151049336fad

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\@kitukrit_protected.sfx.exe
    MD5

    e726f22e50e622b2ca5612e05a247525

    SHA1

    d11541d1f08fb6212ee60a30cb446821d2e36690

    SHA256

    2304084f7a8d97be4c6ae6e5cbac75478a04c4f63093f18bcf713f912a3da5d7

    SHA512

    aafed566df0333f783bc52f19951679a973e3c8396b68cc3dc5acc9f8f95684ceafcf113a27e0376f8531a9ccda3fb601080725109cfcb067b40151049336fad

    Download Submit
  • memory/200-131-0x00000000070A0000-0x00000000070A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/200-121-0x0000000000000000-mapping.dmp
    Download
  • memory/200-125-0x0000000077120000-0x00000000772AE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/200-129-0x0000000001230000-0x0000000001231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/200-132-0x0000000007BB0000-0x0000000007BB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/200-133-0x0000000004240000-0x0000000004241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/200-134-0x0000000004200000-0x0000000004201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/200-135-0x0000000004330000-0x0000000004331000-memory.dmp
    Filesize

    4KB

    Download
  • memory/200-136-0x00000000048F0000-0x00000000048F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/200-137-0x0000000007770000-0x0000000007771000-memory.dmp
    Filesize

    4KB

    Download
  • memory/200-138-0x00000000043E0000-0x00000000043E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2064-116-0x0000000000000000-mapping.dmp
    Download