Analysis

  • max time kernel: 373s
  • max time network: 358s
  • platform: windows10_x64
  • resource: win10-en-20211208
  • submitted: 30-01-2022 14:11

General

  • Target: ACTIVATE____SETUP__4695.exe
  • Size: 744KB
  • MD5: 849bf640bf914ec675b9477a802a22f9
  • SHA1: e1a12595f8c9d48416ec342cd4037a32f3fdda24
  • SHA256: 5b74eb73697a853a9d2d138a270a97a4edbcdc38ba46c5ea3cd79076ba4cecb4
  • SHA512: 763878ebb2c574f6e93e6bd7be49ee874e35e04c4bbd8d771224c16ece3628523041520497b6f66bd3f90e8f3e09b0accda049fa518bfbeb4fc77bc2175d6ec1

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
  • Downloads MZ/PE file
  • Executes dropped EXE (3 IoCs)
  • Checks BIOS information in registry (2 TTPs, 4 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file (1 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer (10 IoCs)

    Detects Themida, an advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTPs)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled (1 TTPs, 2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe (1 IoCs)
  • Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of WriteProcessMemory (40 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ACTIVATE____SETUP__4695.exe
    "C:\Users\Admin\AppData\Local\Temp\ACTIVATE____SETUP__4695.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Windows\SysWOW64\dllhost.exe
      "C:\Windows\System32\dllhost.exe"
      2⤵
        PID:2416
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cmd < Nel.xls
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:580
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2220
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /FI "imagename eq BullGuardCore.exe"
            4⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:2212
          • C:\Windows\SysWOW64\find.exe
            find /I /N "bullguardcore.exe"
            4⤵
              PID:3460
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist /FI "imagename eq PSUAService.exe"
              4⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:2660
            • C:\Windows\SysWOW64\find.exe
              find /I /N "psuaservice.exe"
              4⤵
                PID:1684
              • C:\Windows\SysWOW64\findstr.exe
                findstr /V /R "^HSpZWdXvufzDAYGXjZABuYRJLvHBPEtTIkAzCKbYUuhbCfMdrpLnpmdIqmgmIvGBkAVfbjxBBCGZLxicKsnFSFJoVSzecYfbmLjezbSQPlXHSd$" Questo.xls
                4⤵
                  PID:1552
                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
                  Accostarmi.exe.pif x
                  4⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Checks processor information in registry
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:1392
                  • C:\Users\Admin\AppData\Local\Temp\File1.exe
                    "C:\Users\Admin\AppData\Local\Temp\File1.exe"
                    5⤵
                    • Executes dropped EXE
                    • Checks BIOS information in registry
                    • Drops startup file
                    • Checks whether UAC is enabled
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious use of WriteProcessMemory
                    PID:876
                    • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
                      "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
                      6⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious behavior: AddClipboardFormatListener
                      PID:1688
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c timeout /t 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif"
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2980
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout /t 3
                      6⤵
                      • Delays execution with timeout.exe
                      PID:3336
                • C:\Windows\SysWOW64\waitfor.exe
                  waitfor /t 5 aRUpIzAL
                  4⤵
                    PID:1192

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Virtualization/Sandbox Evasion (1) T1497
  • Credential Access
    Credentials in Files (2) T1081
  • Discovery
    Query Registry (4) T1012
    Virtualization/Sandbox Evasion (1) T1497
    System Information Discovery (4) T1082
    Process Discovery (1) T1057
  • Collection
    Data from Local System (2) T1005


Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
    MD5: c56b5f0201a3b3de53e561fe76912bfd
    SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
    SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
    SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Nel.xls
    MD5: a338f121bc7c0acf5f297bf85f150b7f
    SHA1: b1b4dd45417c0907dabf3cd93ea6410c73df5325
    SHA256: 4556a5e53c426abe5565342d9b091134ebc4aaaedafb00454f0a248ff78e1668
    SHA512: fa6b633dd69bf0cc195b093417001517e3dbe22f516109a4180d853849741b44fe8fc00264135ab8686512dc8b58a01b7727f8c3a89de121b6a176a14f0485c0

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Questo.xls
    MD5: 0d8fea82e82b1fa16b1dc714d106830c
    SHA1: ee9b15e9c380bbd6ac6431aae8f4625fecb77bec
    SHA256: 36c088f98ef9b8fe659e23f01a15c72b6b9824faedbfd9ae78e00de536f80ed6
    SHA512: de6dd75f8086aee2a50f4042586400b563dfe5a551195567a7ba3caaaf7c80342f47c6b452f1a97118b02eaf984c2cf350fbc2bf5b0194c6f147f84f3d268494

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vorrei.xls
    MD5: cee0255c4b09a8487fb1d965c91b2769
    SHA1: 30e68f2c59d67c9dbde4366a91f07b6d2ad7a576
    SHA256: 5bdde7bda1df04120c4e30a546a59192ec439cebfd7b55e95adbcfed87d821b3
    SHA512: d94613f347210b15f8759ec20377878a91735712c3fbcba1aee19dbdcc3164e17ac8ef305f07242275b66bcc8678a3ea823420c262c185f601e4ca1e21bbf328

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\x
    MD5: cee0255c4b09a8487fb1d965c91b2769
    SHA1: 30e68f2c59d67c9dbde4366a91f07b6d2ad7a576
    SHA256: 5bdde7bda1df04120c4e30a546a59192ec439cebfd7b55e95adbcfed87d821b3
    SHA512: d94613f347210b15f8759ec20377878a91735712c3fbcba1aee19dbdcc3164e17ac8ef305f07242275b66bcc8678a3ea823420c262c185f601e4ca1e21bbf328

  • C:\Users\Admin\AppData\Local\Temp\File1.exe
    MD5: 1dc6fde69a188e99f72f3056d68fd77e
    SHA1: 044dbfb0e1b6af5dde72642aeae275c66cae2a9f
    SHA256: 1badce500780c24041071f723bb97f728a57801333984eb1be52a509c2607913
    SHA512: f94b4fb9d9270f71627a669db6b8eeabf571d6899ad5c787a32fc2fa2eca26224e0c728e0699d9bb0c6a926b1bdb56ad6b410f26f3cb8262bd4488c9fc3f2bf4
  • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
    MD5: 1dc6fde69a188e99f72f3056d68fd77e
    SHA1: 044dbfb0e1b6af5dde72642aeae275c66cae2a9f
    SHA256: 1badce500780c24041071f723bb97f728a57801333984eb1be52a509c2607913
    SHA512: f94b4fb9d9270f71627a669db6b8eeabf571d6899ad5c787a32fc2fa2eca26224e0c728e0699d9bb0c6a926b1bdb56ad6b410f26f3cb8262bd4488c9fc3f2bf4
  • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\gQCSdkwXO.dll
    MD5: 50741b3f2d7debf5d2bed63d88404029
    SHA1: 56210388a627b926162b36967045be06ffb1aad3
    SHA256: f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
    SHA512: fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3
  • memory/876-131-0x00007FF7B70E0000-0x00007FF7B79D8000-memory.dmp
    Filesize: 9.0MB

  • memory/876-132-0x00007FF7B70E0000-0x00007FF7B79D8000-memory.dmp
    Filesize: 9.0MB

  • memory/876-130-0x00007FF7B70E0000-0x00007FF7B79D8000-memory.dmp
    Filesize: 9.0MB

  • memory/1688-135-0x00007FF60B940000-0x00007FF60C238000-memory.dmp
    Filesize: 9.0MB

  • memory/1688-136-0x00007FF60B940000-0x00007FF60C238000-memory.dmp
    Filesize: 9.0MB

  • memory/1688-137-0x00007FF60B940000-0x00007FF60C238000-memory.dmp
    Filesize: 9.0MB