Overview

overview

10

Static

static

Fri0575b7d...f8.exe

windows7_x64

9

Fri0575b7d...f8.exe

windows7_x64

9

Fri0575b7d...f8.exe

windows7_x64

9

Fri0575b7d...f8.exe

windows11_x64

8

Fri0575b7d...f8.exe

windows10_x64

10

Fri0575b7d...f8.exe

windows10_x64

9

Fri0575b7d...f8.exe

windows10_x64

6

Analysis

  • max time kernel
    176s
  • max time network
    185s
  • platform
    windows10_x64
  • resource
    win10-ja-20211014
  • submitted
    22-10-2021 14:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fri0575b7d291a755f8.exe

  • Size

    75KB

  • MD5

    3399436f50fad870cade4f68de68a76d

  • SHA1

    a690dd92fa2902ec5881b1ed55b1bb7316f48b70

  • SHA256

    9e9519db3a55dd28cc85ddb8e02990758fa23d0f387e006de073e30277bce862

  • SHA512

    c558ca8b467e3375d9f5e5db9801ce400cd5d0ce86b53ec4fe0d2452284afb32b642d915e6c89d9ec34bda1f81a75ad19c3aced770732573a0f55bfd0de6de03

Score
10/10
discoveryevasionpersistencespywarestealerthemidatrojan

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs
    persistence
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Executes dropped EXE 6 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 23 IoCs
  • Modifies registry class 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fri0575b7d291a755f8.exe
    "C:\Users\Admin\AppData\Local\Temp\Fri0575b7d291a755f8.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Users\Admin\AppData\Roaming\5655798.exe
      "C:\Users\Admin\AppData\Roaming\5655798.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3732
    • C:\Users\Admin\AppData\Roaming\7165786.exe
      "C:\Users\Admin\AppData\Roaming\7165786.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1864
    • C:\Users\Admin\AppData\Roaming\3440622.exe
      "C:\Users\Admin\AppData\Roaming\3440622.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1856
    • C:\Users\Admin\AppData\Roaming\7420569.exe
      "C:\Users\Admin\AppData\Roaming\7420569.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2324
      • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        3⤵
        • Executes dropped EXE
        PID:3944
    • C:\Users\Admin\AppData\Roaming\342357.exe
      "C:\Users\Admin\AppData\Roaming\342357.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1684
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe"
    1⤵
    • Modifies registry class
    PID:1188
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\342357.exe
    MD5

    d4afd6e583d54a75f39bf4934b99c684

    SHA1

    c9262e240a4a503d426b47b90c7b6fe6ed8bed9e

    SHA256

    0dca699c7d1729954372be2fe70f5da34521de4aa0e5b504a0f6a1c27b12c3f9

    SHA512

    87a29ea404583acf4eef5b4fe2feab8f16483af0cbe8cdfbc3e96ee41836f48e2e9456d54db734c150e6003d42596f8760e3500ec7ffefb50015b44c854a528f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\342357.exe
    MD5

    d4afd6e583d54a75f39bf4934b99c684

    SHA1

    c9262e240a4a503d426b47b90c7b6fe6ed8bed9e

    SHA256

    0dca699c7d1729954372be2fe70f5da34521de4aa0e5b504a0f6a1c27b12c3f9

    SHA512

    87a29ea404583acf4eef5b4fe2feab8f16483af0cbe8cdfbc3e96ee41836f48e2e9456d54db734c150e6003d42596f8760e3500ec7ffefb50015b44c854a528f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\3440622.exe
    MD5

    a983f21830995c68472ebfa937acf4ca

    SHA1

    37b652cdf432a14d658ace5447c51d6954fc8fdb

    SHA256

    8ad9e5bb76241b55016fcc32dfed84d2fe80d64463f781d408e2eb51c8beb3c0

    SHA512

    cd2c0c4b833d85a0e7cd1627d9a3fc9332b2c65821ea5f1982fde85568d4f008b263826210c6912222b98e6207268cde467f1010f775b77fa9633b51280494e3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\3440622.exe
    MD5

    a983f21830995c68472ebfa937acf4ca

    SHA1

    37b652cdf432a14d658ace5447c51d6954fc8fdb

    SHA256

    8ad9e5bb76241b55016fcc32dfed84d2fe80d64463f781d408e2eb51c8beb3c0

    SHA512

    cd2c0c4b833d85a0e7cd1627d9a3fc9332b2c65821ea5f1982fde85568d4f008b263826210c6912222b98e6207268cde467f1010f775b77fa9633b51280494e3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\5655798.exe
    MD5

    ed4dfa563a88597f38e062bc4dc2a036

    SHA1

    ae99199406f0893f0d26ab6c8f03e1fab348afc0

    SHA256

    3ea02603bd6c910bb91df1b652cb7ff39db1553a4aefb1d016b7c39c31e2c0b1

    SHA512

    8d595cf21f5128713747da963bed1cbf99a2f28c635fe050f4a3ab9c30d34f6615269b01e9acd63efff4c3ea99c7158c6c53c18c1fd07e2c6307aa4b39073ba3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\5655798.exe
    MD5

    ed4dfa563a88597f38e062bc4dc2a036

    SHA1

    ae99199406f0893f0d26ab6c8f03e1fab348afc0

    SHA256

    3ea02603bd6c910bb91df1b652cb7ff39db1553a4aefb1d016b7c39c31e2c0b1

    SHA512

    8d595cf21f5128713747da963bed1cbf99a2f28c635fe050f4a3ab9c30d34f6615269b01e9acd63efff4c3ea99c7158c6c53c18c1fd07e2c6307aa4b39073ba3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\7165786.exe
    MD5

    a8db1bf1f4246c4e715f93f2a18fbe59

    SHA1

    5486db0d84862e68c4b9f24160bdc895bf3a45aa

    SHA256

    3f6143b5b4286cedcc3c8adcb25b1a971e1657dde65cca796e117971c2ac58bd

    SHA512

    905652518f08a3b0dba61706389c29eb91f4e9eab2071c550b6b0eb4092451c5f5b1abf992536efc723aaa4f335f027aecde5342465487547043d7842c0602e8

    Download Submit
  • C:\Users\Admin\AppData\Roaming\7165786.exe
    MD5

    a8db1bf1f4246c4e715f93f2a18fbe59

    SHA1

    5486db0d84862e68c4b9f24160bdc895bf3a45aa

    SHA256

    3f6143b5b4286cedcc3c8adcb25b1a971e1657dde65cca796e117971c2ac58bd

    SHA512

    905652518f08a3b0dba61706389c29eb91f4e9eab2071c550b6b0eb4092451c5f5b1abf992536efc723aaa4f335f027aecde5342465487547043d7842c0602e8

    Download Submit
  • C:\Users\Admin\AppData\Roaming\7420569.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\7420569.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

    Download Submit
  • memory/1280-118-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1280-115-0x0000000000680000-0x0000000000681000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1280-117-0x0000000000CE0000-0x0000000000CE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1684-163-0x0000000004D40000-0x0000000004D88000-memory.dmp
    Filesize

    288KB

    Download
  • memory/1684-159-0x0000000002640000-0x0000000002641000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1684-155-0x0000000000540000-0x0000000000541000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1684-171-0x0000000002660000-0x0000000002661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1684-176-0x0000000004FD0000-0x0000000004FD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1684-148-0x0000000000000000-mapping.dmp
    Download
  • memory/1856-194-0x0000000077390000-0x000000007751E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1856-136-0x0000000000000000-mapping.dmp
    Download
  • memory/1856-199-0x00000000018F0000-0x00000000018F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1856-189-0x0000000001170000-0x0000000001171000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1864-132-0x0000000077390000-0x000000007751E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1864-140-0x0000000006A70000-0x0000000006A71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1864-197-0x0000000007080000-0x0000000007081000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1864-152-0x0000000006460000-0x0000000006461000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1864-128-0x0000000000000000-mapping.dmp
    Download
  • memory/1864-161-0x0000000006450000-0x0000000006451000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1864-162-0x0000000006310000-0x0000000006311000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1864-147-0x0000000006260000-0x0000000006261000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1864-135-0x00000000011B0000-0x00000000011B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1864-157-0x00000000062C0000-0x00000000062C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2324-141-0x0000000000000000-mapping.dmp
    Download
  • memory/2324-153-0x0000000009840000-0x0000000009841000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2324-160-0x00000000028A0000-0x00000000028A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2324-149-0x0000000002730000-0x0000000002731000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2324-145-0x0000000000520000-0x0000000000521000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3732-127-0x00000000019A0000-0x00000000019A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3732-158-0x000000000EB90000-0x000000000EB91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3732-130-0x0000000005810000-0x0000000005811000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3732-144-0x000000000E8F0000-0x000000000E8F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3732-124-0x00000000016F0000-0x00000000016F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3732-126-0x000000000B180000-0x000000000B181000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3732-175-0x0000000005A30000-0x0000000005A31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3732-125-0x0000000005780000-0x00000000057C9000-memory.dmp
    Filesize

    292KB

    Download
  • memory/3732-119-0x0000000000000000-mapping.dmp
    Download
  • memory/3732-181-0x0000000005AD0000-0x0000000005AD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3732-150-0x000000000EFF0000-0x000000000EFF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3732-122-0x0000000000F70000-0x0000000000F71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3944-164-0x0000000000000000-mapping.dmp
    Download
  • memory/3944-186-0x0000000005320000-0x0000000005321000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3944-182-0x00000000051F0000-0x00000000051F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3944-178-0x0000000004B10000-0x0000000004B11000-memory.dmp
    Filesize

    4KB

    Download