f96d569b07088f8b53df94b43059d301ef7bc743e48951430f8ee2dc17c0bc54

Analysis

max time kernel
150s
max time network
135s
platform
windows10_x64
resource
win10-en-20210920
submitted
20-10-2021 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b02dcfc796c6c7bb6b8a685c1caf5f05.exe
Size

2.8MB
MD5

b02dcfc796c6c7bb6b8a685c1caf5f05
SHA1

497a37d73c784984ab491c2ca8a7842ca54bfca0
SHA256

f96d569b07088f8b53df94b43059d301ef7bc743e48951430f8ee2dc17c0bc54
SHA512

5d5639855fe450a6ed09e30513bb70049e931e4e0f766b678e699b83da5b1ca6b6acebe32f47a97372081baba0c5b0a2a7f79434e23730d4d7ed5cbd9e117670

Score

9^/10

discovery evasion spyware stealer themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

6666.exeHaemotoxic.exeservices64.exesihost64.exe

pid process

1016 6666.exe
1084 Haemotoxic.exe
1128 services64.exe
3696 sihost64.exe

pid	process
1016	6666.exe
1084	Haemotoxic.exe
1128	services64.exe
3696	sihost64.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b02dcfc796c6c7bb6b8a685c1caf5f05.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b02dcfc796c6c7bb6b8a685c1caf5f05.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b02dcfc796c6c7bb6b8a685c1caf5f05.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3716-117-0x0000000000F30000-0x0000000000F31000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

b02dcfc796c6c7bb6b8a685c1caf5f05.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b02dcfc796c6c7bb6b8a685c1caf5f05.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

b02dcfc796c6c7bb6b8a685c1caf5f05.exe

pid process

3716 b02dcfc796c6c7bb6b8a685c1caf5f05.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4156 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

b02dcfc796c6c7bb6b8a685c1caf5f05.execonhost.execonhost.exe

pid process

3716 b02dcfc796c6c7bb6b8a685c1caf5f05.exe
3716 b02dcfc796c6c7bb6b8a685c1caf5f05.exe
3552 conhost.exe
2176 conhost.exe
2176 conhost.exe

pid	process
3716	b02dcfc796c6c7bb6b8a685c1caf5f05.exe

pid	process
4156	schtasks.exe

pid	process
3716	b02dcfc796c6c7bb6b8a685c1caf5f05.exe
3716	b02dcfc796c6c7bb6b8a685c1caf5f05.exe
3552	conhost.exe
2176	conhost.exe
2176	conhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

b02dcfc796c6c7bb6b8a685c1caf5f05.exeHaemotoxic.execonhost.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	3716	b02dcfc796c6c7bb6b8a685c1caf5f05.exe
Token: SeDebugPrivilege	1084	Haemotoxic.exe
Token: SeDebugPrivilege	3552	conhost.exe
Token: SeDebugPrivilege	2176	conhost.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

b02dcfc796c6c7bb6b8a685c1caf5f05.exe6666.execonhost.execmd.execmd.exeservices64.execonhost.exe

description	pid	process	target process
PID 3716 wrote to memory of 1016	3716	b02dcfc796c6c7bb6b8a685c1caf5f05.exe	6666.exe
PID 3716 wrote to memory of 1016	3716	b02dcfc796c6c7bb6b8a685c1caf5f05.exe	6666.exe
PID 3716 wrote to memory of 1084	3716	b02dcfc796c6c7bb6b8a685c1caf5f05.exe	Haemotoxic.exe
PID 3716 wrote to memory of 1084	3716	b02dcfc796c6c7bb6b8a685c1caf5f05.exe	Haemotoxic.exe
PID 1016 wrote to memory of 3552	1016	6666.exe	conhost.exe
PID 1016 wrote to memory of 3552	1016	6666.exe	conhost.exe
PID 1016 wrote to memory of 3552	1016	6666.exe	conhost.exe
PID 3552 wrote to memory of 4160	3552	conhost.exe	cmd.exe
PID 3552 wrote to memory of 4160	3552	conhost.exe	cmd.exe
PID 4160 wrote to memory of 4156	4160	cmd.exe	schtasks.exe
PID 4160 wrote to memory of 4156	4160	cmd.exe	schtasks.exe
PID 3552 wrote to memory of 4932	3552	conhost.exe	cmd.exe
PID 3552 wrote to memory of 4932	3552	conhost.exe	cmd.exe
PID 4932 wrote to memory of 1128	4932	cmd.exe	services64.exe
PID 4932 wrote to memory of 1128	4932	cmd.exe	services64.exe
PID 1128 wrote to memory of 2176	1128	services64.exe	conhost.exe
PID 1128 wrote to memory of 2176	1128	services64.exe	conhost.exe
PID 1128 wrote to memory of 2176	1128	services64.exe	conhost.exe
PID 2176 wrote to memory of 3696	2176	conhost.exe	sihost64.exe
PID 2176 wrote to memory of 3696	2176	conhost.exe	sihost64.exe

C:\Users\Admin\AppData\Local\Temp\b02dcfc796c6c7bb6b8a685c1caf5f05.exe
"C:\Users\Admin\AppData\Local\Temp\b02dcfc796c6c7bb6b8a685c1caf5f05.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Users\Admin\AppData\Local\Temp\6666.exe
  "C:\Users\Admin\AppData\Local\Temp\6666.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\6666.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\System32\cmd.exe
      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4160
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:4156
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4932
    - - C:\Users\Admin\AppData\Local\Temp\services64.exe
        
        C:\Users\Admin\AppData\Local\Temp\services64.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1128
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        7⤵
        Executes dropped EXE
        
        PID:3696
- C:\Users\Admin\AppData\Local\Temp\Haemotoxic.exe
  "C:\Users\Admin\AppData\Local\Temp\Haemotoxic.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
C:\Users\Admin\AppData\Local\Temp\6666.exe

MD5
f95a35e8c3f3f57b3f347bd6c8180bee

SHA1
8357c6b1dbb03a5ff598ec29f3832155caa9e8d2

SHA256
369b61bc5522ec08fe546958192325de94d7f70d4f8c2cee16ec62be03bc54ca

SHA512
544cc4599fea21da67248a809bd30e066e7f07a0b0e20f811d24fa514bd72c3fb0964d5c2f4b5cf4d2b7ef4cd3245aacba5ded39538742f991712dca680dfdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\6666.exe

MD5
f95a35e8c3f3f57b3f347bd6c8180bee

SHA1
8357c6b1dbb03a5ff598ec29f3832155caa9e8d2

SHA256
369b61bc5522ec08fe546958192325de94d7f70d4f8c2cee16ec62be03bc54ca

SHA512
544cc4599fea21da67248a809bd30e066e7f07a0b0e20f811d24fa514bd72c3fb0964d5c2f4b5cf4d2b7ef4cd3245aacba5ded39538742f991712dca680dfdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Haemotoxic.exe

MD5
d1e1314df994a83001db3650d969b629

SHA1
ec259d83c2f749af81d6fc4387e2e2667c4b46df

SHA256
992cda549f3eb223d1fd87a860ca50370cd74fae3f7b3cd3b5e5db4495c67319

SHA512
44c86ed830802183a9d771ad337df0355f2973055a523d073207a61495a78aad99c96c62bd5f812adb533aaa418d11fbc595add6725590b39bd0179190b66fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Haemotoxic.exe

MD5
d1e1314df994a83001db3650d969b629

SHA1
ec259d83c2f749af81d6fc4387e2e2667c4b46df

SHA256
992cda549f3eb223d1fd87a860ca50370cd74fae3f7b3cd3b5e5db4495c67319

SHA512
44c86ed830802183a9d771ad337df0355f2973055a523d073207a61495a78aad99c96c62bd5f812adb533aaa418d11fbc595add6725590b39bd0179190b66fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\services64.exe

MD5
f95a35e8c3f3f57b3f347bd6c8180bee

SHA1
8357c6b1dbb03a5ff598ec29f3832155caa9e8d2

SHA256
369b61bc5522ec08fe546958192325de94d7f70d4f8c2cee16ec62be03bc54ca

SHA512
544cc4599fea21da67248a809bd30e066e7f07a0b0e20f811d24fa514bd72c3fb0964d5c2f4b5cf4d2b7ef4cd3245aacba5ded39538742f991712dca680dfdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\services64.exe

MD5
f95a35e8c3f3f57b3f347bd6c8180bee

SHA1
8357c6b1dbb03a5ff598ec29f3832155caa9e8d2

SHA256
369b61bc5522ec08fe546958192325de94d7f70d4f8c2cee16ec62be03bc54ca

SHA512
544cc4599fea21da67248a809bd30e066e7f07a0b0e20f811d24fa514bd72c3fb0964d5c2f4b5cf4d2b7ef4cd3245aacba5ded39538742f991712dca680dfdca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5
1f88c4258f73d6b14dcb92dd6cc68d11

SHA1
fdcfdee8671895974de7a615886f2c2fa926289d

SHA256
99e6f9f570f7d401de9fd417595adeabe4a0a5d4a9093e51c99437596e1fb2d1

SHA512
a235d17555a352492f7ffc8308c1a8ff89da0475bd6ef0dc8799f59887986056eae0a1a720c2b2f5d5a418e0eba9d31027fd10d60f4f598eae08a4e5e7459f77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5
1f88c4258f73d6b14dcb92dd6cc68d11

SHA1
fdcfdee8671895974de7a615886f2c2fa926289d

SHA256
99e6f9f570f7d401de9fd417595adeabe4a0a5d4a9093e51c99437596e1fb2d1

SHA512
a235d17555a352492f7ffc8308c1a8ff89da0475bd6ef0dc8799f59887986056eae0a1a720c2b2f5d5a418e0eba9d31027fd10d60f4f598eae08a4e5e7459f77

Download Submit
memory/1016-133-0x0000000000000000-mapping.dmp

Download
memory/1016-136-0x0000000000400000-0x0000000000D00000-memory.dmp

Filesize
9.0MB

Download
memory/1084-147-0x000002AC76C75000-0x000002AC76C77000-memory.dmp

Filesize
8KB

Download
memory/1084-144-0x000002AC76C70000-0x000002AC76C72000-memory.dmp

Filesize
8KB

Download
memory/1084-148-0x000002AC18000000-0x000002AC1832D000-memory.dmp

Filesize
3.2MB

Download
memory/1084-151-0x000002AC18610000-0x000002AC18611000-memory.dmp

Filesize
4KB

Download
memory/1084-150-0x000002AC18AC0000-0x000002AC18AC1000-memory.dmp

Filesize
4KB

Download
memory/1084-137-0x0000000000000000-mapping.dmp

Download
memory/1084-146-0x000002AC76C74000-0x000002AC76C75000-memory.dmp

Filesize
4KB

Download
memory/1084-149-0x000002AC18330000-0x000002AC18592000-memory.dmp

Filesize
2.4MB

Download
memory/1084-145-0x000002AC76C72000-0x000002AC76C74000-memory.dmp

Filesize
8KB

Download
memory/1084-141-0x000002AC741E0000-0x000002AC741E1000-memory.dmp

Filesize
4KB

Download
memory/1084-143-0x000002AC76C80000-0x000002AC76FB9000-memory.dmp

Filesize
3.2MB

Download
memory/1128-169-0x0000000000000000-mapping.dmp

Download
memory/1128-172-0x0000000000400000-0x0000000000D00000-memory.dmp

Filesize
9.0MB

Download
memory/2176-181-0x0000016149B80000-0x0000016149B82000-memory.dmp

Filesize
8KB

Download
memory/2176-177-0x0000016149B80000-0x0000016149B82000-memory.dmp

Filesize
8KB

Download
memory/2176-185-0x000001614BA73000-0x000001614BA75000-memory.dmp

Filesize
8KB

Download
memory/2176-186-0x000001614BA76000-0x000001614BA77000-memory.dmp

Filesize
4KB

Download
memory/2176-184-0x000001614BA70000-0x000001614BA72000-memory.dmp

Filesize
8KB

Download
memory/2176-175-0x0000016149B80000-0x0000016149B82000-memory.dmp

Filesize
8KB

Download
memory/2176-187-0x0000016149B80000-0x0000016149B82000-memory.dmp

Filesize
8KB

Download
memory/2176-176-0x0000016149B80000-0x0000016149B82000-memory.dmp

Filesize
8KB

Download
memory/2176-183-0x0000016149B80000-0x0000016149B82000-memory.dmp

Filesize
8KB

Download
memory/2176-178-0x0000016149B80000-0x0000016149B82000-memory.dmp

Filesize
8KB

Download
memory/3552-155-0x000001D95FEC0000-0x000001D95FEC2000-memory.dmp

Filesize
8KB

Download
memory/3552-152-0x000001D95FEC0000-0x000001D95FEC2000-memory.dmp

Filesize
8KB

Download
memory/3552-154-0x000001D95FEC0000-0x000001D95FEC2000-memory.dmp

Filesize
8KB

Download
memory/3552-158-0x000001D95FEC0000-0x000001D95FEC2000-memory.dmp

Filesize
8KB

Download
memory/3552-160-0x000001D95FEC0000-0x000001D95FEC2000-memory.dmp

Filesize
8KB

Download
memory/3552-156-0x000001D97A460000-0x000001D97A67C000-memory.dmp

Filesize
2.1MB

Download
memory/3552-153-0x000001D95FEC0000-0x000001D95FEC2000-memory.dmp

Filesize
8KB

Download
memory/3552-164-0x000001D95FF10000-0x000001D95FF12000-memory.dmp

Filesize
8KB

Download
memory/3552-165-0x000001D95FF13000-0x000001D95FF15000-memory.dmp

Filesize
8KB

Download
memory/3552-163-0x000001D95FA40000-0x000001D95FC60000-memory.dmp

Filesize
2.1MB

Download
memory/3552-166-0x000001D95FF16000-0x000001D95FF17000-memory.dmp

Filesize
4KB

Download
memory/3552-168-0x000001D95FEC0000-0x000001D95FEC2000-memory.dmp

Filesize
8KB

Download
memory/3696-191-0x0000000000000000-mapping.dmp

Download
memory/3716-122-0x00000000776F0000-0x000000007787E000-memory.dmp

Filesize
1.6MB

Download
memory/3716-131-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/3716-117-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/3716-126-0x0000000006C90000-0x0000000006C91000-memory.dmp

Filesize
4KB

Download
memory/3716-119-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/3716-127-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/3716-128-0x0000000006B40000-0x0000000006B41000-memory.dmp

Filesize
4KB

Download
memory/3716-130-0x0000000007DC0000-0x0000000007DC1000-memory.dmp

Filesize
4KB

Download
memory/3716-121-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/3716-125-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/3716-123-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/3716-124-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/3716-132-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/3716-120-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/3716-129-0x0000000006E60000-0x0000000006E61000-memory.dmp

Filesize
4KB

Download
memory/4156-162-0x0000000000000000-mapping.dmp

Download
memory/4160-161-0x0000000000000000-mapping.dmp

Download
memory/4932-167-0x0000000000000000-mapping.dmp

Download