4c269e43d99dbd557bd75b79ddf1ca143d006de9b096936403e75b1178751f66

Resubmissions

07-09-2021 18:08

210907-wq7rdadba9 10

07-09-2021 17:57

210907-wjxylagcfn 10

Analysis

max time kernel
320s
max time network
1719s
platform
windows10_x64
resource
win10v20210408
submitted
07-09-2021 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

keygen-step-4/ss.exe
Size

100KB
MD5

9a6071c1a67be3fb247f857fe5903bbf
SHA1

4a2e14763c51537e8695014007eceaf391a3f600
SHA256

01a9cb71df1d038bbec243ec7f2c1dd12d65a735297469c7f72be80886842e3c
SHA512

c862ed8670b48e23b081e1c91280599ffdd963e714665b80553b41540cb3584c823a25f05c75e47eaea1473c687a9ef7c9a219d724d059e5bd77ac6d127f5e68

Score

9^/10

discovery evasion persistence spyware stealer themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 4 IoCs

Processes:

8163737.exe3669655.exe4912294.exeWinHoster.exe

pid process

3960 8163737.exe
3976 3669655.exe
824 4912294.exe
2132 WinHoster.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4912294.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4912294.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4912294.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\ProgramData\4912294.exe	themida
C:\ProgramData\4912294.exe	themida
behavioral23/memory/824-136-0x0000000000A10000-0x0000000000A11000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3669655.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	3669655.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

4912294.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 4912294.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

4912294.exe

pid process

824 4912294.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

676 3960 WerFault.exe 8163737.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4912294.exe

pid	process
824	4912294.exe

pid	pid_target	process	target process
676	3960	WerFault.exe	8163737.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

8163737.exeWerFault.exe4912294.exe

pid	process
3960	8163737.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
676	WerFault.exe
824	4912294.exe
824	4912294.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ss.exe8163737.exeWerFault.exe4912294.exe

description	pid	process
Token: SeDebugPrivilege	396	ss.exe
Token: SeDebugPrivilege	3960	8163737.exe
Token: SeDebugPrivilege	676	WerFault.exe
Token: SeDebugPrivilege	824	4912294.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

ss.exe3669655.exe

description	pid	process	target process
PID 396 wrote to memory of 3960	396	ss.exe	8163737.exe
PID 396 wrote to memory of 3960	396	ss.exe	8163737.exe
PID 396 wrote to memory of 3976	396	ss.exe	3669655.exe
PID 396 wrote to memory of 3976	396	ss.exe	3669655.exe
PID 396 wrote to memory of 3976	396	ss.exe	3669655.exe
PID 396 wrote to memory of 824	396	ss.exe	4912294.exe
PID 396 wrote to memory of 824	396	ss.exe	4912294.exe
PID 396 wrote to memory of 824	396	ss.exe	4912294.exe
PID 3976 wrote to memory of 2132	3976	3669655.exe	WinHoster.exe
PID 3976 wrote to memory of 2132	3976	3669655.exe	WinHoster.exe
PID 3976 wrote to memory of 2132	3976	3669655.exe	WinHoster.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396

C:\ProgramData\8163737.exe
"C:\ProgramData\8163737.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3960 -s 2036
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\ProgramData\3669655.exe
"C:\ProgramData\3669655.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3976

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
3⤵
- Executes dropped EXE
PID:2132

C:\ProgramData\4912294.exe
"C:\ProgramData\4912294.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\3669655.exe
MD5
b9295c5e9138ccf15d67771f3726c778

SHA1
40cd9d94e9913a52877f09f340a5c2604030409c

SHA256
8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292

SHA512
4e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08

Download Submit
C:\ProgramData\3669655.exe
MD5
b9295c5e9138ccf15d67771f3726c778

SHA1
40cd9d94e9913a52877f09f340a5c2604030409c

SHA256
8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292

SHA512
4e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08

Download Submit
C:\ProgramData\4912294.exe
MD5
e443b3cad80895e17ec69b07afe14297

SHA1
193afa9c566dd40a62504e20d96f6f710eca6cf9

SHA256
358ad170b159e399c0086fce075d56abe680835b60e6c4c2e2ecc4e0caf1fa65

SHA512
d3391a01768b5651703c51ef3c6f73c822735a2b00c125f15316c428f7ea9079e14f00eb5c23ded937be64bb4283f24c0f0ff6d1cef2a8ad5016725c5016a0e9

Download Submit
C:\ProgramData\4912294.exe
MD5
e443b3cad80895e17ec69b07afe14297

SHA1
193afa9c566dd40a62504e20d96f6f710eca6cf9

SHA256
358ad170b159e399c0086fce075d56abe680835b60e6c4c2e2ecc4e0caf1fa65

SHA512
d3391a01768b5651703c51ef3c6f73c822735a2b00c125f15316c428f7ea9079e14f00eb5c23ded937be64bb4283f24c0f0ff6d1cef2a8ad5016725c5016a0e9

Download Submit
C:\ProgramData\8163737.exe
MD5
6452958f87d648cf539894e38e360832

SHA1
39e3b6b452edaaddeb2d76949e970794221f790e

SHA256
8798d0b92a795f695ccd661417d824bf5044dcfc948e9c1ccee5b345bbbcb074

SHA512
6d3788447dba7002a29784de66f37b9a913d3eb06955bdf6478c8866c7cc5cad45e8ab911a82801cc069de4e856e4c34ca3581a6e48f7287cf6a0419d5e99350

Download Submit
C:\ProgramData\8163737.exe
MD5
6452958f87d648cf539894e38e360832

SHA1
39e3b6b452edaaddeb2d76949e970794221f790e

SHA256
8798d0b92a795f695ccd661417d824bf5044dcfc948e9c1ccee5b345bbbcb074

SHA512
6d3788447dba7002a29784de66f37b9a913d3eb06955bdf6478c8866c7cc5cad45e8ab911a82801cc069de4e856e4c34ca3581a6e48f7287cf6a0419d5e99350

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
b9295c5e9138ccf15d67771f3726c778

SHA1
40cd9d94e9913a52877f09f340a5c2604030409c

SHA256
8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292

SHA512
4e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
b9295c5e9138ccf15d67771f3726c778

SHA1
40cd9d94e9913a52877f09f340a5c2604030409c

SHA256
8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292

SHA512
4e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08

Download Submit
memory/396-116-0x00000000007F0000-0x0000000000805000-memory.dmp

Filesize
84KB

Download
memory/396-117-0x0000000000820000-0x0000000000822000-memory.dmp

Filesize
8KB

Download
memory/396-114-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/824-166-0x00000000079E0000-0x00000000079E1000-memory.dmp

Filesize
4KB

Download
memory/824-143-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/824-129-0x0000000000000000-mapping.dmp

Download
memory/824-164-0x00000000075D0000-0x00000000075D1000-memory.dmp

Filesize
4KB

Download
memory/824-162-0x0000000007650000-0x0000000007651000-memory.dmp

Filesize
4KB

Download
memory/824-147-0x0000000005B30000-0x0000000006136000-memory.dmp

Filesize
6.0MB

Download
memory/824-133-0x00000000776B0000-0x000000007783E000-memory.dmp

Filesize
1.6MB

Download
memory/824-136-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/824-169-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

Filesize
4KB

Download
memory/824-160-0x0000000005C90000-0x0000000005C91000-memory.dmp

Filesize
4KB

Download
memory/824-145-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/824-151-0x0000000005C50000-0x0000000005C51000-memory.dmp

Filesize
4KB

Download
memory/824-142-0x0000000006140000-0x0000000006141000-memory.dmp

Filesize
4KB

Download
memory/824-163-0x0000000007D50000-0x0000000007D51000-memory.dmp

Filesize
4KB

Download
memory/824-168-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

Filesize
4KB

Download
memory/2132-159-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/2132-161-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/2132-148-0x0000000000000000-mapping.dmp

Download
memory/3960-126-0x00000000013E0000-0x000000000142B000-memory.dmp

Filesize
300KB

Download
memory/3960-131-0x000000001BC30000-0x000000001BC32000-memory.dmp

Filesize
8KB

Download
memory/3960-127-0x00000000016C0000-0x00000000016C1000-memory.dmp

Filesize
4KB

Download
memory/3960-125-0x00000000012D0000-0x00000000012D1000-memory.dmp

Filesize
4KB

Download
memory/3960-121-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/3960-118-0x0000000000000000-mapping.dmp

Download
memory/3976-146-0x000000000A0C0000-0x000000000A0C1000-memory.dmp

Filesize
4KB

Download
memory/3976-144-0x000000000A0D0000-0x000000000A0D1000-memory.dmp

Filesize
4KB

Download
memory/3976-141-0x000000000A530000-0x000000000A531000-memory.dmp

Filesize
4KB

Download
memory/3976-140-0x00000000025F0000-0x00000000025FC000-memory.dmp

Filesize
48KB

Download
memory/3976-139-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3976-135-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/3976-122-0x0000000000000000-mapping.dmp

Download