Resubmissions
15-10-2024 15:36
241015-s1zlzasdkc 1001-07-2024 18:32
240701-w6yteawhmq 1001-07-2024 14:52
240701-r82wmaxdnd 1001-07-2024 14:52
240701-r8syqa1dpp 1011-03-2024 21:22
240311-z8dsssgg58 1001-09-2021 13:18
210901-5bmxjspa5s 1001-09-2021 13:04
210901-te4btfspqa 1001-09-2021 05:12
210901-4wnkwm1p3j 1031-08-2021 21:47
210831-41rp97dma2 1031-08-2021 19:51
210831-359awwatje 10Analysis
-
max time kernel
445s -
max time network
622s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
01-09-2021 05:12
General
-
Target
Setup (19).exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 55 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 42 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 6 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store 2 TTPs 12 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup (19).exe"C:\Users\Admin\AppData\Local\Temp\Setup (19).exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\MYPW2n8H6KOHiLlOB6oiVtlC.exe"C:\Users\Admin\Documents\MYPW2n8H6KOHiLlOB6oiVtlC.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\MYPW2n8H6KOHiLlOB6oiVtlC.exe"C:\Users\Admin\Documents\MYPW2n8H6KOHiLlOB6oiVtlC.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\Documents\dTPiPdOdwHqAUt27wOGYFm5n.exe"C:\Users\Admin\Documents\dTPiPdOdwHqAUt27wOGYFm5n.exe"2⤵
-
-
C:\Users\Admin\Documents\tixdf3S9U0cIOriKKW6ub28_.exe"C:\Users\Admin\Documents\tixdf3S9U0cIOriKKW6ub28_.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe"C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
-
-
C:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exeC:\Users\Admin\Documents\kKkXyQQyson4bmXIZUFUP6gr.exe3⤵
-
-
-
C:\Users\Admin\Documents\4QzlBzSMMob1h7lP2tRim4DQ.exe"C:\Users\Admin\Documents\4QzlBzSMMob1h7lP2tRim4DQ.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\SPWK68Pb8QDlExYdJcXe7u53.exe"C:\Users\Admin\Documents\SPWK68Pb8QDlExYdJcXe7u53.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KBAvfsr.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\KBAvfsr.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FkDS8ej.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\FkDS8ej.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Documents\crtZxQBfWoR3IBSjJ2jb25qM.exe"C:\Users\Admin\Documents\crtZxQBfWoR3IBSjJ2jb25qM.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\eOAVdyf245A4g6CJM9WD9MUn.exe"C:\Users\Admin\Documents\eOAVdyf245A4g6CJM9WD9MUn.exe"2⤵
-
-
C:\Users\Admin\Documents\pq4iTOmbdz5iyJ0r0EfpVSnG.exe"C:\Users\Admin\Documents\pq4iTOmbdz5iyJ0r0EfpVSnG.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\cXodPmXEaHozElUSG5pUmmmc.exe"C:\Users\Admin\Documents\cXodPmXEaHozElUSG5pUmmmc.exe"2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\1iG2YyBfFac0fGs8pBgHuX1p.exe"C:\Users\Admin\Documents\1iG2YyBfFac0fGs8pBgHuX1p.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\jyGOXE1n1AVp3Et7Jsc64fxL.exe"C:\Users\Admin\Documents\jyGOXE1n1AVp3Et7Jsc64fxL.exe"2⤵
-
-
C:\Users\Admin\Documents\V8zDrARPQXj9XjrFkDPYdSOA.exe"C:\Users\Admin\Documents\V8zDrARPQXj9XjrFkDPYdSOA.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\B7zQNbEFPQWMoLbsXqpJb6Dg.exe"C:\Users\Admin\Documents\B7zQNbEFPQWMoLbsXqpJb6Dg.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\VCN1SDNDpKqT8PRgsLYIk5Em.exe"C:\Users\Admin\Documents\VCN1SDNDpKqT8PRgsLYIk5Em.exe"2⤵
-
-
C:\Users\Admin\Documents\vv1fOB1fhSrf4tgNn6YIs55s.exe"C:\Users\Admin\Documents\vv1fOB1fhSrf4tgNn6YIs55s.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 8843⤵
- Loads dropped DLL
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Documents\r9s6LoZ8rdob7C0jT3NwdYqv.exe"C:\Users\Admin\Documents\r9s6LoZ8rdob7C0jT3NwdYqv.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\i1U43UXdONoRR7fB36WncUGd.exe"C:\Users\Admin\Documents\i1U43UXdONoRR7fB36WncUGd.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\KIbXihjJzLtf4Jpg48iz8mFI.exe"C:\Users\Admin\Documents\KIbXihjJzLtf4Jpg48iz8mFI.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\Cm2bDK3N_jffRwkvh0MfJU00.exe"C:\Users\Admin\Documents\Cm2bDK3N_jffRwkvh0MfJU00.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies system certificate store
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Documents\BorTicSprxHZwERriZtBQdNL.exe"C:\Users\Admin\Documents\BorTicSprxHZwERriZtBQdNL.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\C5BF.exeC:\Users\Admin\AppData\Local\Temp\C5BF.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\69AC.exeC:\Users\Admin\AppData\Local\Temp\69AC.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
Disabling Security Tools
1Install Root Certificate
1Modify Registry
2Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
1.2MB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
96KB
-
Filesize
4KB
-
Filesize
820KB
-
Filesize
828KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
8KB