Overview

overview

10

Static

static

7

Full-Setup...ck.exe

windows7-x64

9

Full-Setup...ck.exe

windows10-2004-x64

10

Full-Setup...up.exe

windows7-x64

9

Full-Setup...up.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    98s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-07-2022 13:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Full-Setup-Password-123/Pre-ActivatedSetup.exe

  • Size

    394.6MB

  • MD5

    3f5be2df1e9b82907d2a4c2ef35d4c77

  • SHA1

    f9d19490bdb7aeb386c2668ad0ffa70d6e17c910

  • SHA256

    3765b96b74793a1d255c903ef7a32c1cfadb2a24997aa7b0b896665d1cbf6b7f

  • SHA512

    4ae4ae06a29022f0ce8aef2801cb7488a8ffb55e2f0f59a91ef52320df63eb1fd350da41e6ae3e6e01954072c16aa3cd95526fdd3e017e01d44de32f9b0e228f

Score
9/10
discoveryevasionspywarestealerthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 11 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Full-Setup-Password-123\Pre-ActivatedSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\Full-Setup-Password-123\Pre-ActivatedSetup.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im Pre-ActivatedSetup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Full-Setup-Password-123\Pre-ActivatedSetup.exe" & del C:\ProgramData\*.dll & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4032
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im Pre-ActivatedSetup.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2840
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 6
        3⤵
        • Delays execution with timeout.exe
        PID:3796

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2484-138-0x00000000006A0000-0x0000000000F28000-memory.dmp
    Filesize

    8.5MB

    Download
  • memory/2484-132-0x00000000006A0000-0x0000000000F28000-memory.dmp
    Filesize

    8.5MB

    Download
  • memory/2484-139-0x00000000006A0000-0x0000000000F28000-memory.dmp
    Filesize

    8.5MB

    Download
  • memory/2484-140-0x00000000006A0000-0x0000000000F28000-memory.dmp
    Filesize

    8.5MB

    Download
  • memory/2484-134-0x00000000006A0000-0x0000000000F28000-memory.dmp
    Filesize

    8.5MB

    Download
  • memory/2484-135-0x00000000006A0000-0x0000000000F28000-memory.dmp
    Filesize

    8.5MB

    Download
  • memory/2484-137-0x0000000077B60000-0x0000000077D03000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2484-136-0x00000000006A0000-0x0000000000F28000-memory.dmp
    Filesize

    8.5MB

    Download
  • memory/2484-130-0x00000000006A0000-0x0000000000F28000-memory.dmp
    Filesize

    8.5MB

    Download
  • memory/2484-131-0x00000000006A0000-0x0000000000F28000-memory.dmp
    Filesize

    8.5MB

    Download
  • memory/2484-133-0x00000000006A0000-0x0000000000F28000-memory.dmp
    Filesize

    8.5MB

    Download
  • memory/2484-141-0x0000000077B60000-0x0000000077D03000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2484-142-0x0000000060900000-0x0000000060992000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2484-163-0x00000000006A0000-0x0000000000F28000-memory.dmp
    Filesize

    8.5MB

    Download
  • memory/2484-162-0x0000000077B60000-0x0000000077D03000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2840-164-0x0000000000000000-mapping.dmp
    Download
  • memory/3796-165-0x0000000000000000-mapping.dmp
    Download
  • memory/4032-161-0x0000000000000000-mapping.dmp
    Download