Overview

overview

9

Static

static

7

f6c7094a8d...fb.exe

windows7_x64

9

f6c7094a8d...fb.exe

windows10_x64

9

Analysis

  • max time kernel
    37s
  • max time network
    113s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    12-10-2021 17:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6c7094a8d1a917f7375de9f466f6afb.exe

  • Size

    3.0MB

  • MD5

    f6c7094a8d1a917f7375de9f466f6afb

  • SHA1

    9c0077b6543b975dbf3d52a3134a208713577843

  • SHA256

    3e77eb721848c685f2910aee6a00042d95ddcfb7da721cc61bf7b269857645a7

  • SHA512

    5c74b7fe6d998fe957c381350e830e507779ab1ec12c147ba8e9d7d86ae3b51cfecba8e6c0b405435d3d9af3968efff71f04161a39e51d2e141612cc41573989

Score
9/10
discoveryevasionspywarestealerthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6c7094a8d1a917f7375de9f466f6afb.exe
    "C:\Users\Admin\AppData\Local\Temp\f6c7094a8d1a917f7375de9f466f6afb.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4000

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4000-116-0x0000000076E80000-0x000000007700E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4000-117-0x0000000001270000-0x0000000001271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4000-119-0x0000000006400000-0x0000000006401000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4000-120-0x0000000005DA0000-0x0000000005DA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4000-121-0x0000000005F00000-0x0000000005F01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4000-122-0x0000000005E30000-0x0000000005E31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4000-123-0x0000000005DE0000-0x0000000005DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4000-124-0x0000000005E70000-0x0000000005E71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4000-125-0x0000000007580000-0x0000000007581000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4000-126-0x0000000007C80000-0x0000000007C81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4000-127-0x00000000081B0000-0x00000000081B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4000-128-0x0000000007470000-0x0000000007471000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4000-129-0x00000000077F0000-0x00000000077F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4000-130-0x0000000007770000-0x0000000007771000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4000-131-0x0000000007A50000-0x0000000007A51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4000-132-0x0000000007C30000-0x0000000007C31000-memory.dmp

    Filesize

    4KB

    Download