3e66be1ab42337c8396e71b2068484c3cf786bfefccc3c50114330ff5c080f23

Analysis

max time kernel
121s
max time network
126s
platform
windows10_x64
resource
win10-en-20210920
submitted
19-10-2021 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c01455f045fa249acdce26fe6ed630ef.exe
Size

66KB
MD5

c01455f045fa249acdce26fe6ed630ef
SHA1

ff8cb5803b53e0b6e41a33a62b69bbdf2d525f7d
SHA256

3e66be1ab42337c8396e71b2068484c3cf786bfefccc3c50114330ff5c080f23
SHA512

64c589836f8fa27c57b2fddd2541a056e3fac9cc87fbfc246fdb8567b3b6a09da97ec09584b7e448282eaf6e709cd45ba84627d9abe788923267cbb10fdf0b32

Score

9^/10

discovery evasion persistence spyware stealer themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 6 IoCs

Processes:

7751035.exe5722620.exe624921.exe5291840.exe1723049.exeWinHoster.exe

pid process

864 7751035.exe
3068 5722620.exe
1804 624921.exe
712 5291840.exe
1648 1723049.exe
2680 WinHoster.exe

pid	process
864	7751035.exe
3068	5722620.exe
1804	624921.exe
712	5291840.exe
1648	1723049.exe
2680	WinHoster.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5722620.exe624921.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5722620.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5722620.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	624921.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	624921.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\5722620.exe	themida
C:\Users\Admin\AppData\Roaming\5722620.exe	themida
behavioral2/memory/3068-139-0x0000000000EF0000-0x0000000000EF1000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\624921.exe	themida
C:\Users\Admin\AppData\Roaming\624921.exe	themida
behavioral2/memory/1804-162-0x0000000001200000-0x0000000001201000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5291840.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	5291840.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

5722620.exe624921.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5722620.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	624921.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

5722620.exe624921.exe

pid process

3068 5722620.exe
1804 624921.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

7751035.exe5722620.exe624921.exe1723049.exe

pid process

864 7751035.exe
3068 5722620.exe
3068 5722620.exe
864 7751035.exe
1804 624921.exe
1804 624921.exe
1648 1723049.exe
1648 1723049.exe
1804 624921.exe

pid	process
3068	5722620.exe
1804	624921.exe

pid	process
864	7751035.exe
3068	5722620.exe
3068	5722620.exe
864	7751035.exe
1804	624921.exe
1804	624921.exe
1648	1723049.exe
1648	1723049.exe
1804	624921.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

c01455f045fa249acdce26fe6ed630ef.exe7751035.exe1723049.exe5722620.exe624921.exe

description	pid	process
Token: SeDebugPrivilege	1576	c01455f045fa249acdce26fe6ed630ef.exe
Token: SeDebugPrivilege	864	7751035.exe
Token: SeDebugPrivilege	1648	1723049.exe
Token: SeDebugPrivilege	3068	5722620.exe
Token: SeDebugPrivilege	1804	624921.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

c01455f045fa249acdce26fe6ed630ef.exe5291840.exe

description	pid	process	target process
PID 1576 wrote to memory of 864	1576	c01455f045fa249acdce26fe6ed630ef.exe	7751035.exe
PID 1576 wrote to memory of 864	1576	c01455f045fa249acdce26fe6ed630ef.exe	7751035.exe
PID 1576 wrote to memory of 864	1576	c01455f045fa249acdce26fe6ed630ef.exe	7751035.exe
PID 1576 wrote to memory of 3068	1576	c01455f045fa249acdce26fe6ed630ef.exe	5722620.exe
PID 1576 wrote to memory of 3068	1576	c01455f045fa249acdce26fe6ed630ef.exe	5722620.exe
PID 1576 wrote to memory of 3068	1576	c01455f045fa249acdce26fe6ed630ef.exe	5722620.exe
PID 1576 wrote to memory of 1804	1576	c01455f045fa249acdce26fe6ed630ef.exe	624921.exe
PID 1576 wrote to memory of 1804	1576	c01455f045fa249acdce26fe6ed630ef.exe	624921.exe
PID 1576 wrote to memory of 1804	1576	c01455f045fa249acdce26fe6ed630ef.exe	624921.exe
PID 1576 wrote to memory of 712	1576	c01455f045fa249acdce26fe6ed630ef.exe	5291840.exe
PID 1576 wrote to memory of 712	1576	c01455f045fa249acdce26fe6ed630ef.exe	5291840.exe
PID 1576 wrote to memory of 712	1576	c01455f045fa249acdce26fe6ed630ef.exe	5291840.exe
PID 1576 wrote to memory of 1648	1576	c01455f045fa249acdce26fe6ed630ef.exe	1723049.exe
PID 1576 wrote to memory of 1648	1576	c01455f045fa249acdce26fe6ed630ef.exe	1723049.exe
PID 1576 wrote to memory of 1648	1576	c01455f045fa249acdce26fe6ed630ef.exe	1723049.exe
PID 712 wrote to memory of 2680	712	5291840.exe	WinHoster.exe
PID 712 wrote to memory of 2680	712	5291840.exe	WinHoster.exe
PID 712 wrote to memory of 2680	712	5291840.exe	WinHoster.exe

C:\Users\Admin\AppData\Local\Temp\c01455f045fa249acdce26fe6ed630ef.exe
"C:\Users\Admin\AppData\Local\Temp\c01455f045fa249acdce26fe6ed630ef.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Roaming\7751035.exe
"C:\Users\Admin\AppData\Roaming\7751035.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Users\Admin\AppData\Roaming\5722620.exe
"C:\Users\Admin\AppData\Roaming\5722620.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Users\Admin\AppData\Roaming\624921.exe
"C:\Users\Admin\AppData\Roaming\624921.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Users\Admin\AppData\Roaming\5291840.exe
"C:\Users\Admin\AppData\Roaming\5291840.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:712

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
3⤵
- Executes dropped EXE
PID:2680

C:\Users\Admin\AppData\Roaming\1723049.exe
"C:\Users\Admin\AppData\Roaming\1723049.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1723049.exe
MD5
bae62464dcabed11f92664a980b25a8d

SHA1
45d9d713c1d0415f73b224f42fa80f772f8ad434

SHA256
63a1722ff99b52778675943c9462258e13349469ebd0977aaf5aec471fbfb1b2

SHA512
f2a5fdd5fc21e4fde6e26bbb87e43171517cf214e186268f0c52341ba7e3554a64f6982ddb57731f3ebf67fd3ab4be0c3fd5135f6e52ef887df70662bc9c5f68

Download Submit
C:\Users\Admin\AppData\Roaming\1723049.exe
MD5
bae62464dcabed11f92664a980b25a8d

SHA1
45d9d713c1d0415f73b224f42fa80f772f8ad434

SHA256
63a1722ff99b52778675943c9462258e13349469ebd0977aaf5aec471fbfb1b2

SHA512
f2a5fdd5fc21e4fde6e26bbb87e43171517cf214e186268f0c52341ba7e3554a64f6982ddb57731f3ebf67fd3ab4be0c3fd5135f6e52ef887df70662bc9c5f68

Download Submit
C:\Users\Admin\AppData\Roaming\5291840.exe
MD5
9ec6ecf38cb040515dd99edc3e964c10

SHA1
96013003c9055983f9e9411613364d6c29169738

SHA256
80db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168

SHA512
1a7746ddf8f0a660fe4fa6b7fce03c922f2c027550388dd50910d2969ca6390b5b792644dcfd6562ef2ac44b74940547c6281806b30772cfa41415722f7eb323

Download Submit
C:\Users\Admin\AppData\Roaming\5291840.exe
MD5
9ec6ecf38cb040515dd99edc3e964c10

SHA1
96013003c9055983f9e9411613364d6c29169738

SHA256
80db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168

SHA512
1a7746ddf8f0a660fe4fa6b7fce03c922f2c027550388dd50910d2969ca6390b5b792644dcfd6562ef2ac44b74940547c6281806b30772cfa41415722f7eb323

Download Submit
C:\Users\Admin\AppData\Roaming\5722620.exe
MD5
c9480f159f75bcac7884e27751b0447a

SHA1
4d253e87f294b23b205753f7aa900b5c853d08c1

SHA256
2d950b55304ad25f6e513d0d995a6b401f3121dfb26d1a9659c2daa06c83f3b0

SHA512
dc3b1728bc036f5b37910ef31b6e5d7ea0fffeba326dfa4e4bb6f90172bb1bea90f76c07bb098ed9e8da5c23393484b9bfd25d2900d1c9343fe591d02d3c3404

Download Submit
C:\Users\Admin\AppData\Roaming\5722620.exe
MD5
c9480f159f75bcac7884e27751b0447a

SHA1
4d253e87f294b23b205753f7aa900b5c853d08c1

SHA256
2d950b55304ad25f6e513d0d995a6b401f3121dfb26d1a9659c2daa06c83f3b0

SHA512
dc3b1728bc036f5b37910ef31b6e5d7ea0fffeba326dfa4e4bb6f90172bb1bea90f76c07bb098ed9e8da5c23393484b9bfd25d2900d1c9343fe591d02d3c3404

Download Submit
C:\Users\Admin\AppData\Roaming\624921.exe
MD5
7b02c8c409875e573df30c0d6ba41f32

SHA1
6153e93cf304d7a01c14c3d000d7acf99869ca3c

SHA256
f430f969b29f02eb51dabf223bf91dea6a3bf790af55fe49d5e36073cdd342e8

SHA512
29f4ab0bd8b343d95aee94ec3e411fe6dde85d50d980bcbe8c0ae2aea0c9b1f6fb4822bb1622c8fe4c3fde26c9c91985e44cbaf7e8f6a15fbed60952fbfbb181

Download Submit
C:\Users\Admin\AppData\Roaming\624921.exe
MD5
7b02c8c409875e573df30c0d6ba41f32

SHA1
6153e93cf304d7a01c14c3d000d7acf99869ca3c

SHA256
f430f969b29f02eb51dabf223bf91dea6a3bf790af55fe49d5e36073cdd342e8

SHA512
29f4ab0bd8b343d95aee94ec3e411fe6dde85d50d980bcbe8c0ae2aea0c9b1f6fb4822bb1622c8fe4c3fde26c9c91985e44cbaf7e8f6a15fbed60952fbfbb181

Download Submit
C:\Users\Admin\AppData\Roaming\7751035.exe
MD5
7ad230c26830e20381757f41bc4b70ac

SHA1
c0624601e6f92cc75ffd9b6bad718358b92ebc3f

SHA256
c234fec6829e93fc69b390373b9d7bcea9ed5772f3674b842a4e943c3edbf320

SHA512
b7c2357597ff991ec71db8ddc6aa9911814444a34bb39802ae16c472271e7a60ebd6434927e0bd8be7f067f6ebb6e26a9807d9832499dd3e05474fbc4db86ce4

Download Submit
C:\Users\Admin\AppData\Roaming\7751035.exe
MD5
7ad230c26830e20381757f41bc4b70ac

SHA1
c0624601e6f92cc75ffd9b6bad718358b92ebc3f

SHA256
c234fec6829e93fc69b390373b9d7bcea9ed5772f3674b842a4e943c3edbf320

SHA512
b7c2357597ff991ec71db8ddc6aa9911814444a34bb39802ae16c472271e7a60ebd6434927e0bd8be7f067f6ebb6e26a9807d9832499dd3e05474fbc4db86ce4

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
9ec6ecf38cb040515dd99edc3e964c10

SHA1
96013003c9055983f9e9411613364d6c29169738

SHA256
80db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168

SHA512
1a7746ddf8f0a660fe4fa6b7fce03c922f2c027550388dd50910d2969ca6390b5b792644dcfd6562ef2ac44b74940547c6281806b30772cfa41415722f7eb323

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
9ec6ecf38cb040515dd99edc3e964c10

SHA1
96013003c9055983f9e9411613364d6c29169738

SHA256
80db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168

SHA512
1a7746ddf8f0a660fe4fa6b7fce03c922f2c027550388dd50910d2969ca6390b5b792644dcfd6562ef2ac44b74940547c6281806b30772cfa41415722f7eb323

Download Submit
memory/712-154-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/712-156-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/712-151-0x0000000000000000-mapping.dmp

Download
memory/864-131-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/864-127-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/864-130-0x000000000DCD0000-0x000000000DCD1000-memory.dmp

Filesize
4KB

Download
memory/864-135-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/864-129-0x000000000E160000-0x000000000E161000-memory.dmp

Filesize
4KB

Download
memory/864-128-0x000000000DA60000-0x000000000DA61000-memory.dmp

Filesize
4KB

Download
memory/864-119-0x0000000000000000-mapping.dmp

Download
memory/864-132-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/864-126-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/864-125-0x0000000004D10000-0x0000000004D56000-memory.dmp

Filesize
280KB

Download
memory/864-124-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/864-122-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1576-115-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1576-118-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/1576-117-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1648-165-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/1648-158-0x0000000000000000-mapping.dmp

Download
memory/1648-190-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/1648-173-0x00000000018A0000-0x00000000018A1000-memory.dmp

Filesize
4KB

Download
memory/1648-170-0x00000000056F0000-0x0000000005738000-memory.dmp

Filesize
288KB

Download
memory/1648-168-0x0000000001730000-0x0000000001731000-memory.dmp

Filesize
4KB

Download
memory/1804-191-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/1804-169-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/1804-162-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/1804-208-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

Filesize
4KB

Download
memory/1804-148-0x0000000000000000-mapping.dmp

Download
memory/2680-175-0x0000000000000000-mapping.dmp

Download
memory/2680-192-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/2680-193-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/3068-143-0x0000000005E90000-0x0000000005E91000-memory.dmp

Filesize
4KB

Download
memory/3068-144-0x0000000005DC0000-0x0000000005DC1000-memory.dmp

Filesize
4KB

Download
memory/3068-139-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/3068-133-0x0000000000000000-mapping.dmp

Download
memory/3068-147-0x0000000005E00000-0x0000000005E01000-memory.dmp

Filesize
4KB

Download
memory/3068-141-0x0000000006390000-0x0000000006391000-memory.dmp

Filesize
4KB

Download
memory/3068-146-0x0000000005D70000-0x0000000005D71000-memory.dmp

Filesize
4KB

Download
memory/3068-145-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/3068-198-0x0000000007A50000-0x0000000007A51000-memory.dmp

Filesize
4KB

Download
memory/3068-200-0x0000000007B60000-0x0000000007B61000-memory.dmp

Filesize
4KB

Download
memory/3068-142-0x0000000005D20000-0x0000000005D21000-memory.dmp

Filesize
4KB

Download