Resubmissions

  Date              Task ID            Score
  15-10-2024 15:36  241015-s1zlzasdkc  10
  01-07-2024 18:32  240701-w6yteawhmq  10
  01-07-2024 14:52  240701-r82wmaxdnd  10
  01-07-2024 14:52  240701-r8syqa1dpp  10
  11-03-2024 21:22  240311-z8dsssgg58  10
  01-09-2021 13:18  210901-5bmxjspa5s  10
  01-09-2021 13:04  210901-te4btfspqa  10
  01-09-2021 05:12  210901-4wnkwm1p3j  10
  31-08-2021 21:47  210831-41rp97dma2  10
  31-08-2021 19:51  210831-359awwatje  10

Analysis

  • max time kernel
    603s
  • max time network
    636s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    01-09-2021 05:12

General

  • Target

    Setup (18).exe

  • Size

    631KB

  • MD5

    cb927513ff8ebff4dd52a47f7e42f934

  • SHA1

    0de47c02a8adc4940a6c18621b4e4a619641d029

  • SHA256

    fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f

  • SHA512

    988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Score
10/10

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Downloads MZ/PE file
  • Executes dropped EXE 25 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 43 IoCs
  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
  • Script User-Agent 3 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup (18).exe
    "C:\Users\Admin\AppData\Local\Temp\Setup (18).exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Users\Admin\Documents\HR_I8q_jRCIwUVnHpwBTBzEZ.exe
      "C:\Users\Admin\Documents\HR_I8q_jRCIwUVnHpwBTBzEZ.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Users\Admin\Documents\HR_I8q_jRCIwUVnHpwBTBzEZ.exe
        "C:\Users\Admin\Documents\HR_I8q_jRCIwUVnHpwBTBzEZ.exe"
        3⤵
        • Executes dropped EXE
        PID:1332
    • C:\Users\Admin\Documents\hYeTg7SLXoBhradsZOhsfHs0.exe
      "C:\Users\Admin\Documents\hYeTg7SLXoBhradsZOhsfHs0.exe"
      2⤵
      • Executes dropped EXE
      PID:1404
    • C:\Users\Admin\Documents\c2IispnL0gtNLJYHt6JgxkCp.exe
      "C:\Users\Admin\Documents\c2IispnL0gtNLJYHt6JgxkCp.exe"
      2⤵
      • Executes dropped EXE
      PID:840
    • C:\Users\Admin\Documents\wl_igPoBPJdTagROltDI7Kok.exe
      "C:\Users\Admin\Documents\wl_igPoBPJdTagROltDI7Kok.exe"
      2⤵
      • Executes dropped EXE
      PID:1084
    • C:\Users\Admin\Documents\3ArLbDob_HWhpEVOuYJbrgLB.exe
      "C:\Users\Admin\Documents\3ArLbDob_HWhpEVOuYJbrgLB.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1952
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\KBAvfsr.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KBAvfsr.exe"
        3⤵
        PID:2200
    • C:\Users\Admin\Documents\ThaZAu_Hhq7WWqkMbsu0jKR6.exe
      "C:\Users\Admin\Documents\ThaZAu_Hhq7WWqkMbsu0jKR6.exe"
      2⤵
      • Executes dropped EXE
      PID:1540
    • C:\Users\Admin\Documents\2cZRRXojwhv0hKtYA2jQZCJv.exe
      "C:\Users\Admin\Documents\2cZRRXojwhv0hKtYA2jQZCJv.exe"
      2⤵
      PID:1244
    • C:\Users\Admin\Documents\piNa3eN02lQAOjP6DwGPwheD.exe
      "C:\Users\Admin\Documents\piNa3eN02lQAOjP6DwGPwheD.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      PID:1064
    • C:\Users\Admin\Documents\Ax8Fri3aYWWa7UAkXJIOA0hH.exe
      "C:\Users\Admin\Documents\Ax8Fri3aYWWa7UAkXJIOA0hH.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:564
    • C:\Users\Admin\Documents\dM7aiWa5DqNJ4FXntPjcFwyU.exe
      "C:\Users\Admin\Documents\dM7aiWa5DqNJ4FXntPjcFwyU.exe"
      2⤵
      • Executes dropped EXE
      PID:1752
    • C:\Users\Admin\Documents\E94BzeZeQIO0cE74yKHYez_9.exe
      "C:\Users\Admin\Documents\E94BzeZeQIO0cE74yKHYez_9.exe"
      2⤵
      • Executes dropped EXE
      PID:1812
      • C:\Users\Admin\Documents\E94BzeZeQIO0cE74yKHYez_9.exe
        "C:\Users\Admin\Documents\E94BzeZeQIO0cE74yKHYez_9.exe" -u
        3⤵
        • Executes dropped EXE
        PID:1140
    • C:\Users\Admin\Documents\f7wJDgkXXZF4qIV_VAxr1KzE.exe
      "C:\Users\Admin\Documents\f7wJDgkXXZF4qIV_VAxr1KzE.exe"
      2⤵
      • Executes dropped EXE
      PID:1364
    • C:\Users\Admin\Documents\B1bxbmTMdsrOrdwtyOIxnjHq.exe
      "C:\Users\Admin\Documents\B1bxbmTMdsrOrdwtyOIxnjHq.exe"
      2⤵
      PID:1912
    • C:\Users\Admin\Documents\QoaMKLnnvr5g7bTT3hPxcF4Y.exe
      "C:\Users\Admin\Documents\QoaMKLnnvr5g7bTT3hPxcF4Y.exe"
      2⤵
      • Executes dropped EXE
      PID:1556
    • C:\Users\Admin\Documents\uYwyo5pu4oMFkqbQGyDj8Kc7.exe
      "C:\Users\Admin\Documents\uYwyo5pu4oMFkqbQGyDj8Kc7.exe"
      2⤵
      PID:820
    • C:\Users\Admin\Documents\wLxJo2PdJ6kiHpwFo6JHanx1.exe
      "C:\Users\Admin\Documents\wLxJo2PdJ6kiHpwFo6JHanx1.exe"
      2⤵
      • Executes dropped EXE
      PID:800
    • C:\Users\Admin\Documents\17OyHarYqDiLA_Mo9ElY9Nus.exe
      "C:\Users\Admin\Documents\17OyHarYqDiLA_Mo9ElY9Nus.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1368
      • C:\Users\Admin\AppData\Local\Temp\is-2NGCE.tmp\17OyHarYqDiLA_Mo9ElY9Nus.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-2NGCE.tmp\17OyHarYqDiLA_Mo9ElY9Nus.tmp" /SL5="$1016A,138429,56832,C:\Users\Admin\Documents\17OyHarYqDiLA_Mo9ElY9Nus.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system certificate store
        • Suspicious use of FindShellTrayWindow
        PID:1324
    • C:\Users\Admin\Documents\jOhEJycyaUHiJPDikp1fnGwE.exe
      "C:\Users\Admin\Documents\jOhEJycyaUHiJPDikp1fnGwE.exe"
      2⤵
      • Executes dropped EXE
      PID:1848
    • C:\Users\Admin\Documents\wfykqoZ0VknSw0BpjTB7SwkQ.exe
      "C:\Users\Admin\Documents\wfykqoZ0VknSw0BpjTB7SwkQ.exe"
      2⤵
      • Executes dropped EXE
      PID:1600
    • C:\Users\Admin\Documents\dzaP_OGxt0YIXugJRefhpL2y.exe
      "C:\Users\Admin\Documents\dzaP_OGxt0YIXugJRefhpL2y.exe"
      2⤵
      • Executes dropped EXE
      PID:980
    • C:\Users\Admin\Documents\QgQWUWA0w7cyjzL0zZphOJ00.exe
      "C:\Users\Admin\Documents\QgQWUWA0w7cyjzL0zZphOJ00.exe"
      2⤵
      • Executes dropped EXE
      PID:2028
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{JWIw-awcgJ-2ax5-yjoPC}\53640396173.exe"
        3⤵
        • Loads dropped DLL
        PID:2284
        • C:\Users\Admin\AppData\Local\Temp\{JWIw-awcgJ-2ax5-yjoPC}\53640396173.exe
          "C:\Users\Admin\AppData\Local\Temp\{JWIw-awcgJ-2ax5-yjoPC}\53640396173.exe"
          4⤵
          • Executes dropped EXE
          PID:2388
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{JWIw-awcgJ-2ax5-yjoPC}\14796489038.exe" /mix
        3⤵
        • Loads dropped DLL
        PID:2332
        • C:\Users\Admin\AppData\Local\Temp\{JWIw-awcgJ-2ax5-yjoPC}\14796489038.exe
          "C:\Users\Admin\AppData\Local\Temp\{JWIw-awcgJ-2ax5-yjoPC}\14796489038.exe" /mix
          4⤵
          • Executes dropped EXE
          PID:2424
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{JWIw-awcgJ-2ax5-yjoPC}\03671724379.exe" /mix
        3⤵
        • Loads dropped DLL
        PID:2380
        • C:\Users\Admin\AppData\Local\Temp\{JWIw-awcgJ-2ax5-yjoPC}\03671724379.exe
          "C:\Users\Admin\AppData\Local\Temp\{JWIw-awcgJ-2ax5-yjoPC}\03671724379.exe" /mix
          4⤵
          • Executes dropped EXE
          PID:2516
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c taskkill /im "QgQWUWA0w7cyjzL0zZphOJ00.exe" /f & erase "C:\Users\Admin\Documents\QgQWUWA0w7cyjzL0zZphOJ00.exe" & exit
        3⤵
        PID:2532
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im "QgQWUWA0w7cyjzL0zZphOJ00.exe" /f
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2604
    • C:\Users\Admin\Documents\6sa7auKa7nJDJwsgzyqZ0Udn.exe
      "C:\Users\Admin\Documents\6sa7auKa7nJDJwsgzyqZ0Udn.exe"
      2⤵
      • Executes dropped EXE
      PID:1784
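Two behaviours in the tree above are worth turning into a process-creation detection: cmd.exe launching executables out of a %TEMP% subfolder via `start`, and the dropper QgQWUWA0w7cyjzL0zZphOJ00.exe spawning `cmd /c taskkill /im <self> /f & erase <self>` to delete itself after running. The following Python is an added example written for this page, not sandbox output or the malware's code. The event records are constructed from the command lines and parent/child links shown in the tree; the field names (`pid`, `ppid`, `image`, `cmdline`), the rule names and the two benign control events are assumptions.

```python
import ntpath
import re
from typing import Dict, List

# Constructed process-creation events (editor's test data, not sandbox output). The
# first five copy the command lines and parent/child links from the process tree;
# the last two are invented benign controls.
EVENTS: List[Dict] = [
    {"pid": 2028, "ppid": 1928,
     "image": r"C:\Users\Admin\Documents\QgQWUWA0w7cyjzL0zZphOJ00.exe",
     "cmdline": r'"C:\Users\Admin\Documents\QgQWUWA0w7cyjzL0zZphOJ00.exe"'},
    {"pid": 2284, "ppid": 2028, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{JWIw-awcgJ-2ax5-yjoPC}\53640396173.exe"'},
    {"pid": 2332, "ppid": 2028, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{JWIw-awcgJ-2ax5-yjoPC}\14796489038.exe" /mix'},
    {"pid": 2380, "ppid": 2028, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{JWIw-awcgJ-2ax5-yjoPC}\03671724379.exe" /mix'},
    {"pid": 2532, "ppid": 2028, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c taskkill /im "QgQWUWA0w7cyjzL0zZphOJ00.exe" /f & erase "C:\Users\Admin\Documents\QgQWUWA0w7cyjzL0zZphOJ00.exe" & exit'},
    # Benign controls (constructed): an admin killing a hung process without erasing
    # anything, and a launcher starting a program from Program Files rather than %TEMP%.
    {"pid": 3000, "ppid": 2900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c taskkill /im "notepad.exe" /f'},
    {"pid": 3001, "ppid": 2900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c start "" "C:\Program Files\Example\app.exe"'},
]

# taskkill of a named image followed (anywhere later on the same line) by an
# erase/del of some path; the path and name are compared afterwards.
SELF_DELETE_RE = re.compile(
    r'taskkill\s+(?:/f\s+)?/im\s+"?(?P<name>[^"\s]+)"?'
    r'.*?\b(?:erase|del)\s+"?(?P<path>[^"&]+?)"?\s*(?:&|$)',
    re.IGNORECASE,
)

# cmd.exe "start" (with any switches and an empty title) of an .exe under
# <profile>\AppData\Local\Temp\...
TEMP_START_RE = re.compile(
    r'/c\s+start\s+(?:/\w+\s+)*""\s+"(?P<target>[^"]*\\AppData\\Local\\Temp\\[^"]+\.exe)"',
    re.IGNORECASE,
)


def analyse(events: List[Dict]) -> List[Dict]:
    """Return one finding per cmd.exe event that matches either rule, in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Dict] = []
    for e in events:
        # ntpath handles Windows paths correctly even when this runs on a non-Windows host
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        parent_name = ntpath.basename(parent["image"]).lower() if parent else ""

        m = SELF_DELETE_RE.search(e["cmdline"])
        if m:
            name = m.group("name").lower()
            path = m.group("path").strip()
            # Fire only when the erased file is the killed image AND that image is the
            # parent of this cmd.exe: the parent is deleting itself through its child.
            if ntpath.basename(path).lower() == name and parent_name == name:
                findings.append({"rule": "self_delete_via_cmd", "pid": e["pid"],
                                 "parent_pid": e["ppid"], "target": path})

        m = TEMP_START_RE.search(e["cmdline"])
        if m:
            findings.append({"rule": "cmd_start_exe_from_temp", "pid": e["pid"],
                             "parent_pid": e["ppid"], "target": m.group("target")})
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"{f['rule']:<24} pid={f['pid']} parent={f['parent_pid']} target={f['target']}")
```

The self-delete rule deliberately requires the parent/child link, not just the `taskkill ... & erase` text: an operator script that kills and cleans up some other program would otherwise trip it. The %TEMP% rule will fire on some legitimate installers that stage a second-stage executable there, so in production it is a hunting query or a low-severity signal to correlate with the other signatures on this page (dropped DLLs, certificate-store changes, external IP lookup), not a blocking rule.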

            Network

            MITRE ATT&CK Enterprise v6

            Downloads

  • memory/564-188-0x0000000004C50000-0x0000000004D1F000-memory.dmp (Filesize 828KB)
  • memory/564-193-0x00000000022B0000-0x00000000022BB000-memory.dmp (Filesize 44KB)
  • memory/564-191-0x0000000004A80000-0x0000000004B4D000-memory.dmp (Filesize 820KB)
  • memory/980-171-0x0000000000340000-0x0000000000341000-memory.dmp (Filesize 4KB)
  • memory/1060-83-0x00000000003A0000-0x00000000003AA000-memory.dmp (Filesize 40KB)
  • memory/1064-179-0x0000000001060000-0x0000000001061000-memory.dmp (Filesize 4KB)
  • memory/1324-175-0x0000000001F50000-0x0000000001F8C000-memory.dmp (Filesize 240KB)
  • memory/1324-178-0x0000000073F41000-0x0000000073F43000-memory.dmp (Filesize 8KB)
  • memory/1332-68-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
  • memory/1540-107-0x0000000000A50000-0x0000000000A51000-memory.dmp (Filesize 4KB)
  • memory/1540-195-0x00000000002C0000-0x00000000002D8000-memory.dmp (Filesize 96KB)
  • memory/1752-168-0x0000000000930000-0x0000000000931000-memory.dmp (Filesize 4KB)
  • memory/1784-170-0x00000000013C0000-0x00000000013C1000-memory.dmp (Filesize 4KB)
  • memory/1848-146-0x0000000000A20000-0x0000000000A21000-memory.dmp (Filesize 4KB)
  • memory/1928-60-0x0000000076691000-0x0000000076693000-memory.dmp (Filesize 8KB)
  • memory/1928-61-0x0000000003C00000-0x0000000003D3F000-memory.dmp (Filesize 1.2MB)
  • memory/2028-155-0x0000000001F20000-0x0000000001F4F000-memory.dmp (Filesize 188KB)