Overview

overview

9

Static

static

7

Open__File_-Setup.exe

windows7_x64

9

Open__File_-Setup.exe

windows10_x64

9

Analysis

  • max time kernel
    122s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    28-01-2022 15:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Open__File_-Setup.exe

  • Size

    2.6MB

  • MD5

    f0b845c4482445e3687374a9bc0721d9

  • SHA1

    30aca922fb58f40860d43f7e092cb5f0421dfd43

  • SHA256

    50425bbffda899deae06a34073cbfcec097ded72f040d19ba91318dd39975b4b

  • SHA512

    b4df83357138608be2e995c393485047d8c0c813492495ab10d2af877b5160c0d29401ab2d053fd605124b4a0779204e08a8d306588b68f4cc14cae58f57a1c2

Score
9/10
discoveryevasionspywarestealerthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 12 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Open__File_-Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Open__File_-Setup.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Users\Admin\AppData\Local\Temp\File1.exe
      "C:\Users\Admin\AppData\Local\Temp\File1.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Drops startup file
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:656
      • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
        "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: AddClipboardFormatListener
        PID:3608
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Open__File_-Setup.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:524
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 3
        3⤵
        • Delays execution with timeout.exe
        PID:704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\File1.exe
    MD5

    ea345ce2b32c6a7e42b2cf2319b28f06

    SHA1

    488b6ecbca06456f550eac7d38948329ad932a8f

    SHA256

    f90452c51e3a385e62283584a8c7af51249e8a0a7af0901a5786c358cf0e9511

    SHA512

    9069d2bf2bd72d8eb426e54c90952c2475ac75ace3c871829a17b7a147dec27ec1eb1ad91abc4796542ca83c1ded1b7935469f721615909fca73529ab1d1abf2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\File1.exe
    MD5

    ea345ce2b32c6a7e42b2cf2319b28f06

    SHA1

    488b6ecbca06456f550eac7d38948329ad932a8f

    SHA256

    f90452c51e3a385e62283584a8c7af51249e8a0a7af0901a5786c358cf0e9511

    SHA512

    9069d2bf2bd72d8eb426e54c90952c2475ac75ace3c871829a17b7a147dec27ec1eb1ad91abc4796542ca83c1ded1b7935469f721615909fca73529ab1d1abf2

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
    MD5

    ea345ce2b32c6a7e42b2cf2319b28f06

    SHA1

    488b6ecbca06456f550eac7d38948329ad932a8f

    SHA256

    f90452c51e3a385e62283584a8c7af51249e8a0a7af0901a5786c358cf0e9511

    SHA512

    9069d2bf2bd72d8eb426e54c90952c2475ac75ace3c871829a17b7a147dec27ec1eb1ad91abc4796542ca83c1ded1b7935469f721615909fca73529ab1d1abf2

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
    MD5

    ea345ce2b32c6a7e42b2cf2319b28f06

    SHA1

    488b6ecbca06456f550eac7d38948329ad932a8f

    SHA256

    f90452c51e3a385e62283584a8c7af51249e8a0a7af0901a5786c358cf0e9511

    SHA512

    9069d2bf2bd72d8eb426e54c90952c2475ac75ace3c871829a17b7a147dec27ec1eb1ad91abc4796542ca83c1ded1b7935469f721615909fca73529ab1d1abf2

    Download Submit
  • memory/656-123-0x00007FF657220000-0x00007FF657B42000-memory.dmp
    Filesize

    9.1MB

    Download
  • memory/656-124-0x00007FF657220000-0x00007FF657B42000-memory.dmp
    Filesize

    9.1MB

    Download
  • memory/656-125-0x00007FF657220000-0x00007FF657B42000-memory.dmp
    Filesize

    9.1MB

    Download
  • memory/2608-120-0x0000000000090000-0x000000000074B000-memory.dmp
    Filesize

    6.7MB

    Download
  • memory/2608-119-0x00000000775A0000-0x000000007772E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2608-118-0x0000000000090000-0x000000000074B000-memory.dmp
    Filesize

    6.7MB

    Download
  • memory/3608-128-0x00007FF6E2990000-0x00007FF6E32B2000-memory.dmp
    Filesize

    9.1MB

    Download
  • memory/3608-129-0x00007FF6E2990000-0x00007FF6E32B2000-memory.dmp
    Filesize

    9.1MB

    Download
  • memory/3608-130-0x00007FF6E2990000-0x00007FF6E32B2000-memory.dmp
    Filesize

    9.1MB

    Download