Analysis

  • max time kernel
    111s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-07-2022 10:48

General

  • Target

    19271a21eecc6fd0a2c0057ea715e9b8f81c53d2052239e3ee25a8893b5d95e7.exe

  • Size

    39.3MB

  • MD5

    a9eb0ced20bd86d51bb02f2ba9d4a3fd

  • SHA1

    1036c06b86135ad9eca7502b8259e29822ba6555

  • SHA256

    19271a21eecc6fd0a2c0057ea715e9b8f81c53d2052239e3ee25a8893b5d95e7

  • SHA512

    8641ed1cd50f750d3e40a959536e015ea44b902d4d9bc3370ee3f554ee6b42ffbebe50c54a3c313ae88125d0eac63c98b0c94311cdfd72874df636ee19c260b8

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19271a21eecc6fd0a2c0057ea715e9b8f81c53d2052239e3ee25a8893b5d95e7.exe
    "C:\Users\Admin\AppData\Local\Temp\19271a21eecc6fd0a2c0057ea715e9b8f81c53d2052239e3ee25a8893b5d95e7.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4728

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Virtualization/Sandbox Evasion (1) T1497

  • Credential Access
    Credentials in Files (1) T1081

  • Discovery
    Query Registry (2) T1012
    Virtualization/Sandbox Evasion (1) T1497
    System Information Discovery (3) T1082

  • Collection
    Data from Local System (1) T1005

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Core.bpl
    Filesize

    221KB

    MD5

    8651c784128a79090369ca5beeaad39f

    SHA1

    ff861ccc0ee25978f01b4fc4b85644f367dcb3f8

    SHA256

    2cc2cf20ab39b49c3570826ece739975fcbd22f6c51a33b0b47a073d4bc39a7c

    SHA512

    7c6627bcc0cd9a3aa2441917c820517b64e8bfee97934d3c995c5f21e7457ba82825aabc8f849712db92be06b05bedfb2265be898f9b33be2302e3a155a3c83f

  • memory/4728-130-0x0000000000400000-0x000000000136B000-memory.dmp
    Filesize

    15.4MB

  • memory/4728-131-0x0000000000400000-0x000000000136B000-memory.dmp
    Filesize

    15.4MB

  • memory/4728-132-0x0000000000400000-0x000000000136B000-memory.dmp
    Filesize

    15.4MB

  • memory/4728-133-0x0000000077D10000-0x0000000077EB3000-memory.dmp
    Filesize

    1.6MB

  • memory/4728-134-0x0000000000400000-0x000000000136B000-memory.dmp
    Filesize

    15.4MB

  • memory/4728-135-0x0000000000400000-0x000000000136B000-memory.dmp
    Filesize

    15.4MB

  • memory/4728-136-0x0000000077D10000-0x0000000077EB3000-memory.dmp
    Filesize

    1.6MB

  • memory/4728-137-0x0000000010000000-0x0000000010012000-memory.dmp
    Filesize

    72KB