Overview

overview

10

Static

static

8

all/clicke...fy.exe

windows7_x64

7

all/clicke...fy.exe

windows10-2004_x64

7

all/clicke...v2.exe

windows7_x64

8

all/clicke...v2.exe

windows10-2004_x64

8

all/clicke...on.exe

windows7_x64

1

all/clicke...on.exe

windows10-2004_x64

4

all/clicke...er.exe

windows7_x64

1

all/clicke...er.exe

windows10-2004_x64

7

all/clicke...p3.exe

windows7_x64

8

all/clicke...p3.exe

windows10-2004_x64

8

all/clicke...ao.exe

windows7_x64

4

all/clicke...ao.exe

windows10-2004_x64

6

all/clickers/vega.exe

windows7_x64

1

all/clickers/vega.exe

windows10-2004_x64

10

all/gcs/Cl...er.exe

windows7_x64

7

all/gcs/Cl...er.exe

windows10-2004_x64

7

all/gcs/Icetea.exe

windows7_x64

1

all/gcs/Icetea.exe

windows10-2004_x64

4

all/gcs/Koid.exe

windows7_x64

1

all/gcs/Koid.exe

windows10-2004_x64

4

all/gcs/crypt.exe

windows7_x64

9

all/gcs/crypt.exe

windows10-2004_x64

9

all/gcs/en...an.exe

windows7_x64

8

all/gcs/en...an.exe

windows10-2004_x64

8

all/gcs/epic.exe

windows7_x64

1

all/gcs/epic.exe

windows10-2004_x64

4

all/gcs/itami.exe

windows7_x64

1

all/gcs/itami.exe

windows10-2004_x64

4

all/gcs/kr...nt.exe

windows7_x64

1

all/gcs/kr...nt.exe

windows10-2004_x64

9

all/gcs/kura.exe

windows7_x64

1

all/gcs/kura.exe

windows10-2004_x64

9

Analysis

  • max time kernel
    1547s
  • max time network
    1738s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    16-02-2022 17:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    all/gcs/kura.exe

  • Size

    3.3MB

  • MD5

    208a92b2100ef3dc268b709e7a9aa3e2

  • SHA1

    2825a5777445dd584289fe35e41c836f8743dbcb

  • SHA256

    5e8394b44ba1373b36214d09b16a43ada6d001e55509de72c1f85928481422b0

  • SHA512

    fa64f5ab44d63ee3963dfbc4c49f089fb9395c55a4847096c7791935876bfdb91af6653dc27db6a012cfba02ef97b7e5ac278a5145f1ad3b80fa735f1d86699a

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\all\gcs\kura.exe
    "C:\Users\Admin\AppData\Local\Temp\all\gcs\kura.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:3528
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
        PID:3704
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2776
    • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
      C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3856

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2776-133-0x000001D13D530000-0x000001D13D540000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2776-134-0x000001D13D5A0000-0x000001D13D5B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2776-135-0x000001D1402B0000-0x000001D1402B4000-memory.dmp
      Filesize

      16KB

      Download
    • memory/2776-136-0x000001D1402D0000-0x000001D1402D4000-memory.dmp
      Filesize

      16KB

      Download
    • memory/2776-137-0x000001D140210000-0x000001D140211000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2776-139-0x000001D1401D0000-0x000001D1401D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3528-130-0x00007FFF998F0000-0x00007FFF998F2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3528-131-0x00007FF78D6B0000-0x00007FF78DFB4000-memory.dmp
      Filesize

      9.0MB

      Download
    • memory/3528-132-0x00007FF78D6B0000-0x00007FF78DFB4000-memory.dmp
      Filesize

      9.0MB

      Download