Analysis Overview
SHA256
3adaf2bfb411db2b56601739580b8577a11089beffa33df2edbc9369c2e4faa7
Threat Level: Known bad
The file 3adaf2bfb411db2b56601739580b8577a11089beffa33df2edbc9369c2e4faa7 was found to be: Known bad.
Malicious Activity Summary
CryptBot
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Themida packer
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Checks BIOS information in registry
Checks whether UAC is enabled
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-12 08:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-12 08:34
Reported
2022-02-12 08:38
Platform
win7-en-20211208
Max time kernel
118s
Max time network
130s
Signatures
CryptBot
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\affair1\Setup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\affair1\Setup1.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\affair1\KMSpico.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-1L5TB.tmp\KMSpico.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\affair1\Setup1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\affair1\Setup1.exe | N/A |
Loads dropped DLL
Themida packer
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\affair1\Setup1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\affair1\Setup1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\affair1\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\affair1\Setup.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\affair1\Setup1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-1L5TB.tmp\KMSpico.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3adaf2bfb411db2b56601739580b8577a11089beffa33df2edbc9369c2e4faa7.exe
"C:\Users\Admin\AppData\Local\Temp\3adaf2bfb411db2b56601739580b8577a11089beffa33df2edbc9369c2e4faa7.exe"
C:\Program Files (x86)\affair1\Setup.exe
"C:\Program Files (x86)\affair1\Setup.exe"
C:\Program Files (x86)\affair1\Setup1.exe
"C:\Program Files (x86)\affair1\Setup1.exe"
C:\Program Files (x86)\affair1\KMSpico.exe
"C:\Program Files (x86)\affair1\KMSpico.exe"
C:\Users\Admin\AppData\Local\Temp\is-1L5TB.tmp\KMSpico.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1L5TB.tmp\KMSpico.tmp" /SL5="$80150,2952592,69120,C:\Program Files (x86)\affair1\KMSpico.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\vHpOavYo & timeout 4 & del /f /q "C:\Program Files (x86)\affair1\Setup.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
Network
Files
memory/1156-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
\Program Files (x86)\affair1\Setup.exe
| MD5 | b7c4d84e29ceef241c3fd8cbcaaa6915 |
| SHA1 | eaea6e4203d921d2e2784f872ce6bb7ce6876764 |
| SHA256 | 05ad9dc479c246795c6cb5a470159c3f90d6d4fb6c37febdc45ddec2fc636c9d |
| SHA512 | 46cf110a892757c624270441f52938953d572dadab6489eafe25f34c5a4aea83e91d1ea42e4733f99b27a842cc662f523cb46d3605d2fdf369723fa69da1c3fa |
\Program Files (x86)\affair1\Setup1.exe
| MD5 | 5471e00dc319a006f9a41cb84c46df04 |
| SHA1 | a94273294009f89fceda6b263b7c40d18494d4d4 |
| SHA256 | eb3c5b00bc5347197ae29e42948b225f4871c6ff63856309e0566e546e7cfcb5 |
| SHA512 | 86b8b2da5b376a77282af562ecff82dbb0ae44e8180b8dd2712da087e5cfbc8e106618bc5334569fe94820076876f8d8c1ce214f7c455dc03d47de0707d736fb |
\Program Files (x86)\affair1\KMSpico.exe
| MD5 | a02164371a50c5ff9fa2870ef6e8cfa3 |
| SHA1 | 060614723f8375ecaad8b249ff07e3be082d7f25 |
| SHA256 | 64c731adbe1b96cb5765203b1e215093dcf268d020b299445884a4ae62ed2d3a |
| SHA512 | 6c6903f3a3092fd3d63c373189f2c06e12de032ee4fd6b80a15f58eaeb2079f3ae8a8bcdac85a358b1f9070b192b1c8260f9aa127d009b5afce475f966e91326 |
memory/1688-73-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1688-77-0x0000000000401000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-1L5TB.tmp\KMSpico.tmp
| MD5 | 1778c1f66ff205875a6435a33229ab3c |
| SHA1 | 5b6189159b16c6f85feed66834af3e06c0277a19 |
| SHA256 | 95c06acac4fe4598840e5556f9613d43aa1039c52dac64536f59e45a70f79da6 |
| SHA512 | 8844de1296ce707e3c5c71823f5118f8f2e50287ace3a2ee1ec0b69df0ec48ebcf5b755db669d2cd869d345fb06a9c07b36e98eda8c32a9b26b8fe22bdc105a0 |
\Users\Admin\AppData\Local\Temp\is-9AJFF.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/1552-82-0x0000000000240000-0x0000000000241000-memory.dmp
memory/464-84-0x0000000000250000-0x0000000000251000-memory.dmp
memory/464-83-0x000000000044B000-0x000000000044D000-memory.dmp
memory/464-85-0x0000000000FE0000-0x0000000001028000-memory.dmp
memory/924-86-0x0000000000DF0000-0x00000000014D0000-memory.dmp
memory/924-87-0x0000000000DF0000-0x00000000014D0000-memory.dmp
memory/924-88-0x0000000000DF0000-0x00000000014D0000-memory.dmp
memory/924-89-0x0000000077D30000-0x0000000077D32000-memory.dmp
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
| MD5 | 5471e00dc319a006f9a41cb84c46df04 |
| SHA1 | a94273294009f89fceda6b263b7c40d18494d4d4 |
| SHA256 | eb3c5b00bc5347197ae29e42948b225f4871c6ff63856309e0566e546e7cfcb5 |
| SHA512 | 86b8b2da5b376a77282af562ecff82dbb0ae44e8180b8dd2712da087e5cfbc8e106618bc5334569fe94820076876f8d8c1ce214f7c455dc03d47de0707d736fb |
memory/1404-94-0x0000000000CE0000-0x00000000013C0000-memory.dmp
memory/1404-95-0x0000000000CE0000-0x00000000013C0000-memory.dmp
memory/1404-96-0x0000000000CE0000-0x00000000013C0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-12 08:34
Reported
2022-02-12 08:38
Platform
win10v2004-en-20220113
Max time kernel
157s
Max time network
166s
Signatures
CryptBot
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\affair1\Setup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\affair1\Setup1.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\affair1\KMSpico.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-EQ18E.tmp\KMSpico.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\affair1\Setup1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\affair1\Setup1.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3adaf2bfb411db2b56601739580b8577a11089beffa33df2edbc9369c2e4faa7.exe | N/A |
Reads user/profile data of web browsers
Themida packer
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\affair1\Setup1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\affair1\Setup1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\pending.xml | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\affair1\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\affair1\Setup.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\affair1\Setup1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3adaf2bfb411db2b56601739580b8577a11089beffa33df2edbc9369c2e4faa7.exe
"C:\Users\Admin\AppData\Local\Temp\3adaf2bfb411db2b56601739580b8577a11089beffa33df2edbc9369c2e4faa7.exe"
C:\Program Files (x86)\affair1\Setup.exe
"C:\Program Files (x86)\affair1\Setup.exe"
C:\Program Files (x86)\affair1\Setup1.exe
"C:\Program Files (x86)\affair1\Setup1.exe"
C:\Program Files (x86)\affair1\KMSpico.exe
"C:\Program Files (x86)\affair1\KMSpico.exe"
C:\Users\Admin\AppData\Local\Temp\is-EQ18E.tmp\KMSpico.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EQ18E.tmp\KMSpico.tmp" /SL5="$5002A,2952592,69120,C:\Program Files (x86)\affair1\KMSpico.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | tisysc64.top | udp | 19 identical DNS queries |
Files
C:\Program Files (x86)\affair1\Setup.exe
| MD5 | b7c4d84e29ceef241c3fd8cbcaaa6915 |
| SHA1 | eaea6e4203d921d2e2784f872ce6bb7ce6876764 |
| SHA256 | 05ad9dc479c246795c6cb5a470159c3f90d6d4fb6c37febdc45ddec2fc636c9d |
| SHA512 | 46cf110a892757c624270441f52938953d572dadab6489eafe25f34c5a4aea83e91d1ea42e4733f99b27a842cc662f523cb46d3605d2fdf369723fa69da1c3fa |
C:\Program Files (x86)\affair1\Setup1.exe
| MD5 | 5471e00dc319a006f9a41cb84c46df04 |
| SHA1 | a94273294009f89fceda6b263b7c40d18494d4d4 |
| SHA256 | eb3c5b00bc5347197ae29e42948b225f4871c6ff63856309e0566e546e7cfcb5 |
| SHA512 | 86b8b2da5b376a77282af562ecff82dbb0ae44e8180b8dd2712da087e5cfbc8e106618bc5334569fe94820076876f8d8c1ce214f7c455dc03d47de0707d736fb |
C:\Program Files (x86)\affair1\KMSpico.exe
| MD5 | a02164371a50c5ff9fa2870ef6e8cfa3 |
| SHA1 | 060614723f8375ecaad8b249ff07e3be082d7f25 |
| SHA256 | 64c731adbe1b96cb5765203b1e215093dcf268d020b299445884a4ae62ed2d3a |
| SHA512 | 6c6903f3a3092fd3d63c373189f2c06e12de032ee4fd6b80a15f58eaeb2079f3ae8a8bcdac85a358b1f9070b192b1c8260f9aa127d009b5afce475f966e91326 |
memory/2452-136-0x0000000000400000-0x0000000000417000-memory.dmp
memory/4600-138-0x00000000007D0000-0x0000000000EB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-EQ18E.tmp\KMSpico.tmp
| MD5 | 1778c1f66ff205875a6435a33229ab3c |
| SHA1 | 5b6189159b16c6f85feed66834af3e06c0277a19 |
| SHA256 | 95c06acac4fe4598840e5556f9613d43aa1039c52dac64536f59e45a70f79da6 |
| SHA512 | 8844de1296ce707e3c5c71823f5118f8f2e50287ace3a2ee1ec0b69df0ec48ebcf5b755db669d2cd869d345fb06a9c07b36e98eda8c32a9b26b8fe22bdc105a0 |
memory/4600-143-0x0000000077814000-0x0000000077816000-memory.dmp
memory/2452-141-0x0000000000401000-0x000000000040B000-memory.dmp
memory/4600-142-0x00000000007D0000-0x0000000000EB0000-memory.dmp
memory/4600-144-0x00000000007D0000-0x0000000000EB0000-memory.dmp
memory/4932-145-0x0000000000540000-0x0000000000541000-memory.dmp
memory/4716-146-0x0000019812A20000-0x0000019812A30000-memory.dmp
memory/4716-147-0x0000019812C40000-0x0000019812C50000-memory.dmp
memory/4716-148-0x0000019815130000-0x0000019815134000-memory.dmp
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
| MD5 | 5471e00dc319a006f9a41cb84c46df04 |
| SHA1 | a94273294009f89fceda6b263b7c40d18494d4d4 |
| SHA256 | eb3c5b00bc5347197ae29e42948b225f4871c6ff63856309e0566e546e7cfcb5 |
| SHA512 | 86b8b2da5b376a77282af562ecff82dbb0ae44e8180b8dd2712da087e5cfbc8e106618bc5334569fe94820076876f8d8c1ce214f7c455dc03d47de0707d736fb |
memory/2652-151-0x0000000000EA0000-0x0000000001580000-memory.dmp
memory/2652-152-0x0000000000EA0000-0x0000000001580000-memory.dmp
memory/2652-153-0x0000000000EA0000-0x0000000001580000-memory.dmp
memory/4732-154-0x000000000044B000-0x000000000044D000-memory.dmp
memory/4732-155-0x0000000000CF0000-0x0000000000CF1000-memory.dmp
memory/4732-156-0x0000000002A50000-0x0000000002A98000-memory.dmp