Analysis
-
max time kernel
132s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 05:35
General
-
Target
the-setup.exe
-
Size
727KB
-
MD5
7db33b8774b89cb731339281d85be486
-
SHA1
21a8da797e816d3cd5e111c3f8d66c6d3bbc449b
-
SHA256
0e4c64a675fbce01bc1f600d2d5b19b22f61b0190865689852a566feefbdb081
-
SHA512
c5f66db529be1fc41341a813d978b1f6a704babf4044bf65d479d8c18b9d38491bf29e5da16ea54ac5ed9b0af9349eb8524de8be10375c354c88047d5d1b5108
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 7 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 10 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\the-setup.exe"C:\Users\Admin\AppData\Local\Temp\the-setup.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exe"C:\Windows\System32\at.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Vedi.accdr2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq BullGuardCore.exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /I /N "bullguardcore.exe"4⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq PSUAService.exe"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /I /N "psuaservice.exe"4⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^TUoZCCjcVvLcOZmKBbMwdBTPeuuCUrSZzlHEAerndtHzFihCRWyaiMJaqzXcvKBRDLeEaVpmxgLjUApU$" Ieri.accdr4⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.pifViscere.exe.pif j4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\File1.exe"C:\Users\Admin\AppData\Local\Temp\File1.exe"5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\SysWOW64\waitfor.exewaitfor /t 5 vIziDdEUzIdfKU4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Distrugge.accdrMD5
35e554db7f925ee8822344bddda984b7
SHA1f53cb0394a6e5970bfaaf20becb89386ae89bb83
SHA256c51efc01659c151e013aaa37223620eeebf7feafb44031e466b10fd93226dbae
SHA5121c6d8e762d1856f0db804d84673f84d5f3033cf124c8f7878264339a19ff3b204c3c5bd94f2573ee6e8cfbb99d1ae5a41ecd5679ab5b59627f5cdcb20460a9d3
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ieri.accdrMD5
27df7c180bcf92c720ba98c6a4c578c7
SHA1913eb04d4e871b18de913af107ac46fa48f21b50
SHA256cfdd17167c448b21331f2c8a94eb88db9b5f2da31c39fcd23e0136b5a1d928f0
SHA512d3e3153cc7f19bd1a87bbaac7254e7187b6d46c02ebf7786b5c3dbe5d6b5a58ba21a4e1387f764e7d0ab4d19a424d9610c71b643d1c4b8bdfc382fc2fa2cdc9a
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PpxPlsA.dllMD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PpxPlsA.dllMD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PpxPlsA.dllMD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PpxPlsA.dllMD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PpxPlsA.dllMD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PpxPlsA.dllMD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PpxPlsA.dllMD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vedi.accdrMD5
88ab2d2e3e862562fcb8b11835727025
SHA1438e3da92c034c6c139e4a4c269e11fbe5e90c4b
SHA256ad1688407e232daf78895433d38441e85008b431dee7f7b282745524337fe057
SHA512586ae6b67ca3bb50b440d14af390ff15cc685b15fb0fc11264d6ebea530a7d6e105cec59e3a41750958a50856c4604df01fe0d47b973b7efa0df49f76dde685a
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.pifMD5
c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\File1.exeMD5
80805036184d9ff94a32bad39ba0a553
SHA14dfa5e8254755da7c2c589efb7467bd0b67aaa98
SHA2566c334c7c715f8385c04cc37cf4ee14760c2683a23e3e5c5164f4cbe4ec0988d1
SHA512b50455b82b1cef724dc3e6987976d8f3cd31bc5196a8cc1f6a941fe14e4486fa2cec4501560a5c2395bdceecc16ea074fe72901a3ed58da379befdadceb3104b
-
C:\Users\Admin\AppData\Local\Temp\File1.exeMD5
80805036184d9ff94a32bad39ba0a553
SHA14dfa5e8254755da7c2c589efb7467bd0b67aaa98
SHA2566c334c7c715f8385c04cc37cf4ee14760c2683a23e3e5c5164f4cbe4ec0988d1
SHA512b50455b82b1cef724dc3e6987976d8f3cd31bc5196a8cc1f6a941fe14e4486fa2cec4501560a5c2395bdceecc16ea074fe72901a3ed58da379befdadceb3104b
-
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exeMD5
80805036184d9ff94a32bad39ba0a553
SHA14dfa5e8254755da7c2c589efb7467bd0b67aaa98
SHA2566c334c7c715f8385c04cc37cf4ee14760c2683a23e3e5c5164f4cbe4ec0988d1
SHA512b50455b82b1cef724dc3e6987976d8f3cd31bc5196a8cc1f6a941fe14e4486fa2cec4501560a5c2395bdceecc16ea074fe72901a3ed58da379befdadceb3104b
-
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exeMD5
80805036184d9ff94a32bad39ba0a553
SHA14dfa5e8254755da7c2c589efb7467bd0b67aaa98
SHA2566c334c7c715f8385c04cc37cf4ee14760c2683a23e3e5c5164f4cbe4ec0988d1
SHA512b50455b82b1cef724dc3e6987976d8f3cd31bc5196a8cc1f6a941fe14e4486fa2cec4501560a5c2395bdceecc16ea074fe72901a3ed58da379befdadceb3104b
-
memory/208-145-0x0000000003F51000-0x0000000003F59000-memory.dmpFilesize
32KB
-
memory/1516-154-0x00007FF6CB0A0000-0x00007FF6CB9C3000-memory.dmpFilesize
9.1MB
-
memory/1516-155-0x00007FF6CB0A0000-0x00007FF6CB9C3000-memory.dmpFilesize
9.1MB
-
memory/1516-156-0x00007FF6CB0A0000-0x00007FF6CB9C3000-memory.dmpFilesize
9.1MB
-
memory/3728-149-0x00007FF6C8A50000-0x00007FF6C9373000-memory.dmpFilesize
9.1MB
-
memory/3728-150-0x00007FF6C8A50000-0x00007FF6C9373000-memory.dmpFilesize
9.1MB
-
memory/3728-151-0x00007FF919710000-0x00007FF919712000-memory.dmpFilesize
8KB
-
memory/3728-148-0x00007FF6C8A50000-0x00007FF6C9373000-memory.dmpFilesize
9.1MB
-
memory/4024-136-0x000001FF7EB40000-0x000001FF7EB44000-memory.dmpFilesize
16KB
-
memory/4024-135-0x000001FF7E480000-0x000001FF7E490000-memory.dmpFilesize
64KB
-
memory/4024-134-0x000001FF7E420000-0x000001FF7E430000-memory.dmpFilesize
64KB