Overview

overview

10

Static

static

8

all/clicke...fy.exe

windows7_x64

7

all/clicke...fy.exe

windows10-2004_x64

7

all/clicke...v2.exe

windows7_x64

8

all/clicke...v2.exe

windows10-2004_x64

8

all/clicke...on.exe

windows7_x64

1

all/clicke...on.exe

windows10-2004_x64

4

all/clicke...er.exe

windows7_x64

1

all/clicke...er.exe

windows10-2004_x64

7

all/clicke...p3.exe

windows7_x64

8

all/clicke...p3.exe

windows10-2004_x64

8

all/clicke...ao.exe

windows7_x64

4

all/clicke...ao.exe

windows10-2004_x64

6

all/clickers/vega.exe

windows7_x64

1

all/clickers/vega.exe

windows10-2004_x64

10

all/gcs/Cl...er.exe

windows7_x64

7

all/gcs/Cl...er.exe

windows10-2004_x64

7

all/gcs/Icetea.exe

windows7_x64

1

all/gcs/Icetea.exe

windows10-2004_x64

4

all/gcs/Koid.exe

windows7_x64

1

all/gcs/Koid.exe

windows10-2004_x64

4

all/gcs/crypt.exe

windows7_x64

9

all/gcs/crypt.exe

windows10-2004_x64

9

all/gcs/en...an.exe

windows7_x64

8

all/gcs/en...an.exe

windows10-2004_x64

8

all/gcs/epic.exe

windows7_x64

1

all/gcs/epic.exe

windows10-2004_x64

4

all/gcs/itami.exe

windows7_x64

1

all/gcs/itami.exe

windows10-2004_x64

4

all/gcs/kr...nt.exe

windows7_x64

1

all/gcs/kr...nt.exe

windows10-2004_x64

9

all/gcs/kura.exe

windows7_x64

1

all/gcs/kura.exe

windows10-2004_x64

9

Analysis

  • max time kernel
    1547s
  • max time network
    1748s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    16-02-2022 17:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    all/gcs/kryptonclient.exe

  • Size

    3.8MB

  • MD5

    a7beb58e9507171e44455f1f823286ab

  • SHA1

    3689b44d42583008d5d158968bf7e81c3c0ccf3c

  • SHA256

    e781c6915a983883f16ed22a1236e9bc93af081fb5cd3b8ec4c554ceb18183db

  • SHA512

    35b7714979773d60296d81f57c4805cc0160db8b881a27ef4370718049949940f9d5734566b6398d5ab7b32800bf50e6f54bdd23150ad02ac60f2b7b55bd4b2b

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\all\gcs\kryptonclient.exe
    "C:\Users\Admin\AppData\Local\Temp\all\gcs\kryptonclient.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:4860
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4380
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4380-134-0x000002122FC20000-0x000002122FC30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4380-135-0x000002122FC80000-0x000002122FC90000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4380-136-0x0000021232340000-0x0000021232344000-memory.dmp
    Filesize

    16KB

    Download
  • memory/4380-137-0x0000021232360000-0x0000021232364000-memory.dmp
    Filesize

    16KB

    Download
  • memory/4380-138-0x00000212322A0000-0x00000212322A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4380-140-0x0000021232260000-0x0000021232261000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4860-130-0x00007FFCFD610000-0x00007FFCFD612000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4860-131-0x00007FF6F96E0000-0x00007FF6FA0F7000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/4860-132-0x00007FF6F96E0000-0x00007FF6FA0F7000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/4860-133-0x00007FF6F96E0000-0x00007FF6FA0F7000-memory.dmp
    Filesize

    10.1MB

    Download