Analysis
- max time kernel: 98s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2022 13:26
Behavioral task: behavioral1
- Sample: Full-Setup-Password-123/FullSetup-Crack.exe
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: Full-Setup-Password-123/FullSetup-Crack.exe
- Resource: win10v2004-20220721-en
Behavioral task: behavioral3
- Sample: Full-Setup-Password-123/Pre-ActivatedSetup.exe
- Resource: win7-20220715-en
General
- Target: Full-Setup-Password-123/Pre-ActivatedSetup.exe
- Size: 394.6MB
- MD5: 3f5be2df1e9b82907d2a4c2ef35d4c77
- SHA1: f9d19490bdb7aeb386c2668ad0ffa70d6e17c910
- SHA256: 3765b96b74793a1d255c903ef7a32c1cfadb2a24997aa7b0b896665d1cbf6b7f
- SHA512: 4ae4ae06a29022f0ce8aef2801cb7488a8ffb55e2f0f59a91ef52320df63eb1fd350da41e6ae3e6e01954072c16aa3cd95526fdd3e017e01d44de32f9b0e228f
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes: Pre-ActivatedSetup.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Pre-ActivatedSetup.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: Pre-ActivatedSetup.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Pre-ActivatedSetup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Pre-ActivatedSetup.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: Pre-ActivatedSetup.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | Pre-ActivatedSetup.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Processes:
  resource | yara_rule
  behavioral4/memory/2484-130-0x00000000006A0000-0x0000000000F28000-memory.dmp | themida
  behavioral4/memory/2484-131-0x00000000006A0000-0x0000000000F28000-memory.dmp | themida
  behavioral4/memory/2484-132-0x00000000006A0000-0x0000000000F28000-memory.dmp | themida
  behavioral4/memory/2484-133-0x00000000006A0000-0x0000000000F28000-memory.dmp | themida
  behavioral4/memory/2484-134-0x00000000006A0000-0x0000000000F28000-memory.dmp | themida
  behavioral4/memory/2484-135-0x00000000006A0000-0x0000000000F28000-memory.dmp | themida
  behavioral4/memory/2484-136-0x00000000006A0000-0x0000000000F28000-memory.dmp | themida
  behavioral4/memory/2484-138-0x00000000006A0000-0x0000000000F28000-memory.dmp | themida
  behavioral4/memory/2484-139-0x00000000006A0000-0x0000000000F28000-memory.dmp | themida
  behavioral4/memory/2484-140-0x00000000006A0000-0x0000000000F28000-memory.dmp | themida
  behavioral4/memory/2484-163-0x00000000006A0000-0x0000000000F28000-memory.dmp | themida
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
  Processes: Pre-ActivatedSetup.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Pre-ActivatedSetup.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes: Pre-ActivatedSetup.exe
  pid | process
  2484 | Pre-ActivatedSetup.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: Pre-ActivatedSetup.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Pre-ActivatedSetup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Pre-ActivatedSetup.exe
- Delays execution with timeout.exe (1 IoC)
  Processes: timeout.exe
  pid | process
  3796 | timeout.exe
- Kills process with taskkill (1 IoC)
  Processes: taskkill.exe
  pid | process
  2840 | taskkill.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: Pre-ActivatedSetup.exe
  pid | process
  2484 | Pre-ActivatedSetup.exe (6 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: taskkill.exe
  description | pid | process
  Token: SeDebugPrivilege | 2840 | taskkill.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: Pre-ActivatedSetup.exe, cmd.exe
  description | pid | process | target process
  PID 2484 wrote to memory of 4032 | 2484 | Pre-ActivatedSetup.exe | cmd.exe (3 occurrences)
  PID 4032 wrote to memory of 2840 | 4032 | cmd.exe | taskkill.exe (3 occurrences)
  PID 4032 wrote to memory of 3796 | 4032 | cmd.exe | timeout.exe (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\Full-Setup-Password-123\Pre-ActivatedSetup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Full-Setup-Password-123\Pre-ActivatedSetup.exe"
  PID: 2484
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im Pre-ActivatedSetup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Full-Setup-Password-123\Pre-ActivatedSetup.exe" & del C:\ProgramData\*.dll & exit
    PID: 4032
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im Pre-ActivatedSetup.exe /f
      PID: 2840
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 6
      PID: 3796
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/2484-138-0x00000000006A0000-0x0000000000F28000-memory.dmp (Filesize: 8.5MB)
- memory/2484-132-0x00000000006A0000-0x0000000000F28000-memory.dmp (Filesize: 8.5MB)
- memory/2484-139-0x00000000006A0000-0x0000000000F28000-memory.dmp (Filesize: 8.5MB)
- memory/2484-140-0x00000000006A0000-0x0000000000F28000-memory.dmp (Filesize: 8.5MB)
- memory/2484-134-0x00000000006A0000-0x0000000000F28000-memory.dmp (Filesize: 8.5MB)
- memory/2484-135-0x00000000006A0000-0x0000000000F28000-memory.dmp (Filesize: 8.5MB)
- memory/2484-137-0x0000000077B60000-0x0000000077D03000-memory.dmp (Filesize: 1.6MB)
- memory/2484-136-0x00000000006A0000-0x0000000000F28000-memory.dmp (Filesize: 8.5MB)
- memory/2484-130-0x00000000006A0000-0x0000000000F28000-memory.dmp (Filesize: 8.5MB)
- memory/2484-131-0x00000000006A0000-0x0000000000F28000-memory.dmp (Filesize: 8.5MB)
- memory/2484-133-0x00000000006A0000-0x0000000000F28000-memory.dmp (Filesize: 8.5MB)
- memory/2484-141-0x0000000077B60000-0x0000000077D03000-memory.dmp (Filesize: 1.6MB)
- memory/2484-142-0x0000000060900000-0x0000000060992000-memory.dmp (Filesize: 584KB)
- memory/2484-163-0x00000000006A0000-0x0000000000F28000-memory.dmp (Filesize: 8.5MB)
- memory/2484-162-0x0000000077B60000-0x0000000077D03000-memory.dmp (Filesize: 1.6MB)
- memory/2840-164-0x0000000000000000-mapping.dmp
- memory/3796-165-0x0000000000000000-mapping.dmp
- memory/4032-161-0x0000000000000000-mapping.dmp