517c6f4aad96b59020c6c736521a3084b2c625c5d7ce4f637634839b98b28c11

Analysis

max time kernel
146s
max time network
152s
platform
windows10_x64
resource
win10-en-20210920
submitted
22-10-2021 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cfa1c74d3410705daf7055374b56f2f.exe
Size

68KB
MD5

5cfa1c74d3410705daf7055374b56f2f
SHA1

6943644e7c6e52324353770e13ede9b78e3036a9
SHA256

517c6f4aad96b59020c6c736521a3084b2c625c5d7ce4f637634839b98b28c11
SHA512

ec513614e02f6b69224adc17284581069aae97269518d41a0b9a451ab2fdc5f12ae74900853d6794c67407fc5e8294543a49b1658f102ff23d76d1308a4aaae7

Score

9^/10

discovery evasion persistence spyware stealer themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 7 IoCs

Processes:

7751739.exe643842.exe7448350.exe5233174.exe4419515.exe5831092.exeWinHoster.exe

pid process

4388 7751739.exe
4576 643842.exe
700 7448350.exe
1564 5233174.exe
2500 4419515.exe
3884 5831092.exe
4940 WinHoster.exe

pid	process
4388	7751739.exe
4576	643842.exe
700	7448350.exe
1564	5233174.exe
2500	4419515.exe
3884	5831092.exe
4940	WinHoster.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5233174.exe7448350.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5233174.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7448350.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7448350.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5233174.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\7448350.exe	themida
C:\Users\Admin\AppData\Roaming\7448350.exe	themida
behavioral2/memory/700-151-0x0000000000B20000-0x0000000000B21000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\5233174.exe	themida
C:\Users\Admin\AppData\Roaming\5233174.exe	themida
behavioral2/memory/1564-172-0x0000000000860000-0x0000000000861000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4419515.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	4419515.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

7448350.exe5233174.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7448350.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5233174.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

7448350.exe5233174.exe

pid process

700 7448350.exe
1564 5233174.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

7751739.exe643842.exe7448350.exe5233174.exe5831092.exe

pid process

4388 7751739.exe
4576 643842.exe
4388 7751739.exe
700 7448350.exe
700 7448350.exe
1564 5233174.exe
1564 5233174.exe
3884 5831092.exe
3884 5831092.exe

pid	process
700	7448350.exe
1564	5233174.exe

pid	process
4388	7751739.exe
4576	643842.exe
4388	7751739.exe
700	7448350.exe
700	7448350.exe
1564	5233174.exe
1564	5233174.exe
3884	5831092.exe
3884	5831092.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

5cfa1c74d3410705daf7055374b56f2f.exe7751739.exe643842.exe5831092.exe

description	pid	process
Token: SeDebugPrivilege	704	5cfa1c74d3410705daf7055374b56f2f.exe
Token: SeDebugPrivilege	4388	7751739.exe
Token: SeDebugPrivilege	4576	643842.exe
Token: SeDebugPrivilege	3884	5831092.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

5cfa1c74d3410705daf7055374b56f2f.exe4419515.exe

description	pid	process	target process
PID 704 wrote to memory of 4388	704	5cfa1c74d3410705daf7055374b56f2f.exe	7751739.exe
PID 704 wrote to memory of 4388	704	5cfa1c74d3410705daf7055374b56f2f.exe	7751739.exe
PID 704 wrote to memory of 4388	704	5cfa1c74d3410705daf7055374b56f2f.exe	7751739.exe
PID 704 wrote to memory of 4576	704	5cfa1c74d3410705daf7055374b56f2f.exe	643842.exe
PID 704 wrote to memory of 4576	704	5cfa1c74d3410705daf7055374b56f2f.exe	643842.exe
PID 704 wrote to memory of 4576	704	5cfa1c74d3410705daf7055374b56f2f.exe	643842.exe
PID 704 wrote to memory of 700	704	5cfa1c74d3410705daf7055374b56f2f.exe	7448350.exe
PID 704 wrote to memory of 700	704	5cfa1c74d3410705daf7055374b56f2f.exe	7448350.exe
PID 704 wrote to memory of 700	704	5cfa1c74d3410705daf7055374b56f2f.exe	7448350.exe
PID 704 wrote to memory of 1564	704	5cfa1c74d3410705daf7055374b56f2f.exe	5233174.exe
PID 704 wrote to memory of 1564	704	5cfa1c74d3410705daf7055374b56f2f.exe	5233174.exe
PID 704 wrote to memory of 1564	704	5cfa1c74d3410705daf7055374b56f2f.exe	5233174.exe
PID 704 wrote to memory of 2500	704	5cfa1c74d3410705daf7055374b56f2f.exe	4419515.exe
PID 704 wrote to memory of 2500	704	5cfa1c74d3410705daf7055374b56f2f.exe	4419515.exe
PID 704 wrote to memory of 2500	704	5cfa1c74d3410705daf7055374b56f2f.exe	4419515.exe
PID 704 wrote to memory of 3884	704	5cfa1c74d3410705daf7055374b56f2f.exe	5831092.exe
PID 704 wrote to memory of 3884	704	5cfa1c74d3410705daf7055374b56f2f.exe	5831092.exe
PID 704 wrote to memory of 3884	704	5cfa1c74d3410705daf7055374b56f2f.exe	5831092.exe
PID 2500 wrote to memory of 4940	2500	4419515.exe	WinHoster.exe
PID 2500 wrote to memory of 4940	2500	4419515.exe	WinHoster.exe
PID 2500 wrote to memory of 4940	2500	4419515.exe	WinHoster.exe

C:\Users\Admin\AppData\Local\Temp\5cfa1c74d3410705daf7055374b56f2f.exe
"C:\Users\Admin\AppData\Local\Temp\5cfa1c74d3410705daf7055374b56f2f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:704

C:\Users\Admin\AppData\Roaming\7751739.exe
"C:\Users\Admin\AppData\Roaming\7751739.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Users\Admin\AppData\Roaming\643842.exe
"C:\Users\Admin\AppData\Roaming\643842.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Users\Admin\AppData\Roaming\7448350.exe
"C:\Users\Admin\AppData\Roaming\7448350.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:700

C:\Users\Admin\AppData\Roaming\5233174.exe
"C:\Users\Admin\AppData\Roaming\5233174.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1564

C:\Users\Admin\AppData\Roaming\4419515.exe
"C:\Users\Admin\AppData\Roaming\4419515.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2500

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
3⤵
- Executes dropped EXE
PID:4940

C:\Users\Admin\AppData\Roaming\5831092.exe
"C:\Users\Admin\AppData\Roaming\5831092.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4419515.exe
MD5
a20e32791806c7b29070b95226b0e480

SHA1
8f2bac75ffabbe45770076047ded99f243622e5f

SHA256
df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

SHA512
6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

Download Submit
C:\Users\Admin\AppData\Roaming\4419515.exe
MD5
a20e32791806c7b29070b95226b0e480

SHA1
8f2bac75ffabbe45770076047ded99f243622e5f

SHA256
df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

SHA512
6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

Download Submit
C:\Users\Admin\AppData\Roaming\5233174.exe
MD5
a983f21830995c68472ebfa937acf4ca

SHA1
37b652cdf432a14d658ace5447c51d6954fc8fdb

SHA256
8ad9e5bb76241b55016fcc32dfed84d2fe80d64463f781d408e2eb51c8beb3c0

SHA512
cd2c0c4b833d85a0e7cd1627d9a3fc9332b2c65821ea5f1982fde85568d4f008b263826210c6912222b98e6207268cde467f1010f775b77fa9633b51280494e3

Download Submit
C:\Users\Admin\AppData\Roaming\5233174.exe
MD5
a983f21830995c68472ebfa937acf4ca

SHA1
37b652cdf432a14d658ace5447c51d6954fc8fdb

SHA256
8ad9e5bb76241b55016fcc32dfed84d2fe80d64463f781d408e2eb51c8beb3c0

SHA512
cd2c0c4b833d85a0e7cd1627d9a3fc9332b2c65821ea5f1982fde85568d4f008b263826210c6912222b98e6207268cde467f1010f775b77fa9633b51280494e3

Download Submit
C:\Users\Admin\AppData\Roaming\5831092.exe
MD5
d4afd6e583d54a75f39bf4934b99c684

SHA1
c9262e240a4a503d426b47b90c7b6fe6ed8bed9e

SHA256
0dca699c7d1729954372be2fe70f5da34521de4aa0e5b504a0f6a1c27b12c3f9

SHA512
87a29ea404583acf4eef5b4fe2feab8f16483af0cbe8cdfbc3e96ee41836f48e2e9456d54db734c150e6003d42596f8760e3500ec7ffefb50015b44c854a528f

Download Submit
C:\Users\Admin\AppData\Roaming\5831092.exe
MD5
d4afd6e583d54a75f39bf4934b99c684

SHA1
c9262e240a4a503d426b47b90c7b6fe6ed8bed9e

SHA256
0dca699c7d1729954372be2fe70f5da34521de4aa0e5b504a0f6a1c27b12c3f9

SHA512
87a29ea404583acf4eef5b4fe2feab8f16483af0cbe8cdfbc3e96ee41836f48e2e9456d54db734c150e6003d42596f8760e3500ec7ffefb50015b44c854a528f

Download Submit
C:\Users\Admin\AppData\Roaming\643842.exe
MD5
333024944f87b82e5df1ea3afe91c944

SHA1
4ee5639fe6d5793829fed37fde062a109e4514c0

SHA256
69faddccc223439585a2dfd73cff7d14b17c17f1cb1a13091e9a306c2ffcd525

SHA512
d6026809c240f424390f8341a5c8d546eaaddbfff527385cb89cda38e3e3f6a96962c0a502ed3e5465f5440fdad42028f4028860e810d4c7413b3a0abdb68644

Download Submit
C:\Users\Admin\AppData\Roaming\643842.exe
MD5
333024944f87b82e5df1ea3afe91c944

SHA1
4ee5639fe6d5793829fed37fde062a109e4514c0

SHA256
69faddccc223439585a2dfd73cff7d14b17c17f1cb1a13091e9a306c2ffcd525

SHA512
d6026809c240f424390f8341a5c8d546eaaddbfff527385cb89cda38e3e3f6a96962c0a502ed3e5465f5440fdad42028f4028860e810d4c7413b3a0abdb68644

Download Submit
C:\Users\Admin\AppData\Roaming\7448350.exe
MD5
afb53e37a817304cb9ebd143418159c1

SHA1
eb5db5e0a6755c0aed544d2a037ac22928bcdc8b

SHA256
17849797ee055a10567c6ca129583db58386385a978f74cd19c9c662f1dc1726

SHA512
475466219bc1b7d9451478969385997656a5cc367a9bc1e6d5b26f0e6559b529ba7452e6825a9de4587278af9c52c80bb1dbdca35ebf35d68a2ed7a98b2e261a

Download Submit
C:\Users\Admin\AppData\Roaming\7448350.exe
MD5
afb53e37a817304cb9ebd143418159c1

SHA1
eb5db5e0a6755c0aed544d2a037ac22928bcdc8b

SHA256
17849797ee055a10567c6ca129583db58386385a978f74cd19c9c662f1dc1726

SHA512
475466219bc1b7d9451478969385997656a5cc367a9bc1e6d5b26f0e6559b529ba7452e6825a9de4587278af9c52c80bb1dbdca35ebf35d68a2ed7a98b2e261a

Download Submit
C:\Users\Admin\AppData\Roaming\7751739.exe
MD5
665db314ea52d4331c8f0dd49cc0c9e5

SHA1
65fc408b35d057bad6c55ea7d06edbd5001bdcc1

SHA256
dd43e6de713f9b199855a8d101069560121223bd5c5cea999a80a96bd84f4b4a

SHA512
6b1d41db7e50c32f01c2b4d5b3851adc37816fcf8d8b3cbcb0f2602d3a10652a82a9376379bb437439d29292d6a48e6c0ae785a7fda93d2b604c84d3293068fc

Download Submit
C:\Users\Admin\AppData\Roaming\7751739.exe
MD5
665db314ea52d4331c8f0dd49cc0c9e5

SHA1
65fc408b35d057bad6c55ea7d06edbd5001bdcc1

SHA256
dd43e6de713f9b199855a8d101069560121223bd5c5cea999a80a96bd84f4b4a

SHA512
6b1d41db7e50c32f01c2b4d5b3851adc37816fcf8d8b3cbcb0f2602d3a10652a82a9376379bb437439d29292d6a48e6c0ae785a7fda93d2b604c84d3293068fc

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
a20e32791806c7b29070b95226b0e480

SHA1
8f2bac75ffabbe45770076047ded99f243622e5f

SHA256
df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

SHA512
6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
a20e32791806c7b29070b95226b0e480

SHA1
8f2bac75ffabbe45770076047ded99f243622e5f

SHA256
df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

SHA512
6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

Download Submit
memory/700-156-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/700-159-0x0000000003870000-0x0000000003871000-memory.dmp

Filesize
4KB

Download
memory/700-158-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/700-157-0x0000000077240000-0x00000000773CE000-memory.dmp

Filesize
1.6MB

Download
memory/700-155-0x0000000005BF0000-0x0000000005BF1000-memory.dmp

Filesize
4KB

Download
memory/700-154-0x0000000003830000-0x0000000003831000-memory.dmp

Filesize
4KB

Download
memory/700-153-0x00000000060F0000-0x00000000060F1000-memory.dmp

Filesize
4KB

Download
memory/700-151-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/700-146-0x0000000000000000-mapping.dmp

Download
memory/704-118-0x000000001B8A0000-0x000000001B8A2000-memory.dmp

Filesize
8KB

Download
memory/704-115-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/704-117-0x0000000001550000-0x0000000001551000-memory.dmp

Filesize
4KB

Download
memory/1564-172-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/1564-160-0x0000000000000000-mapping.dmp

Download
memory/1564-181-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/1564-180-0x0000000077240000-0x00000000773CE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-178-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/2500-168-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/2500-166-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2500-163-0x0000000000000000-mapping.dmp

Download
memory/3884-185-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/3884-192-0x0000000009D90000-0x0000000009DD8000-memory.dmp

Filesize
288KB

Download
memory/3884-188-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/3884-179-0x0000000000000000-mapping.dmp

Download
memory/3884-201-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/3884-194-0x000000000D2F0000-0x000000000D2F1000-memory.dmp

Filesize
4KB

Download
memory/4388-131-0x0000000004BB0000-0x0000000004BF9000-memory.dmp

Filesize
292KB

Download
memory/4388-132-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/4388-137-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/4388-119-0x0000000000000000-mapping.dmp

Download
memory/4388-122-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/4388-139-0x0000000008080000-0x0000000008081000-memory.dmp

Filesize
4KB

Download
memory/4388-129-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/4388-135-0x0000000007980000-0x0000000007981000-memory.dmp

Filesize
4KB

Download
memory/4388-142-0x0000000007B50000-0x0000000007B51000-memory.dmp

Filesize
4KB

Download
memory/4576-130-0x00000000019C0000-0x00000000019C1000-memory.dmp

Filesize
4KB

Download
memory/4576-124-0x0000000000000000-mapping.dmp

Download
memory/4576-141-0x000000000E300000-0x000000000E301000-memory.dmp

Filesize
4KB

Download
memory/4576-140-0x000000000E260000-0x000000000E261000-memory.dmp

Filesize
4KB

Download
memory/4576-127-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/4576-138-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/4576-134-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/4576-136-0x000000000E700000-0x000000000E701000-memory.dmp

Filesize
4KB

Download
memory/4576-133-0x000000000AC80000-0x000000000ACC3000-memory.dmp

Filesize
268KB

Download
memory/4940-187-0x0000000000000000-mapping.dmp

Download
memory/4940-202-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/4940-203-0x000000000A6E0000-0x000000000A6E1000-memory.dmp

Filesize
4KB

Download