Analysis Overview
SHA256
44a6389937c8a2dcbadfb5d04829a2c36fbcc27b37ddc9719847801222d0cce5
Threat Level: Likely malicious
The file 20.zip was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Looks up external IP address via web service
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-31 22:53
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-31 22:53
Reported
2022-10-31 23:06
Platform
win10-20220812-es
Max time kernel
719s
Max time network
623s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
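The ACPI, BIOS and EnableLUA rows above list the registry locations the sample reads but not how it interprets them. The following Python is an added example, not code from the report or from the sample: it replays those four HKLM look-ups so an analyst can see which artifacts would expose a VirtualBox guest. On Windows it reads the live registry through winreg; elsewhere it evaluates a constructed snapshot. The hypervisor marker list and the BIOS strings in the snapshots are assumptions, since the report shows which values were read and not what they were compared against.

```python
"""Replay the registry probes behind the ACPI, BIOS and EnableLUA rows above.

Added example; not code from the report or from the sample. It re-implements
the four HKLM look-ups attributed to l4jb9w049j00h704k2exk46qooo.exe so an
analyst can see which artifacts would expose a VirtualBox guest. On Windows
it reads the live registry via winreg; elsewhere it evaluates a constructed
snapshot. The hypervisor marker list and the sample BIOS strings are
assumptions: the report shows which values were read, not how they were compared.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

try:
    import winreg  # Windows only
except ImportError:  # non-Windows analysis host: fall back to the snapshots below
    winreg = None

# Key paths copied from the report's "Key opened" / "Key value queried" rows (HKLM-relative).
ACPI_VBOX_KEY = r"HARDWARE\ACPI\DSDT\VBOX__"
BIOS_KEY = r"HARDWARE\DESCRIPTION\System"
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Assumed substrings such a check looks for; the sample's own list is not in the report.
VM_MARKERS = re.compile(r"vbox|virtualbox|vmware|qemu|bochs|hyper-v|xen|parallels", re.I)


@dataclass(frozen=True)
class Finding:
    probe: str
    observed: str | None
    exposes_vm: bool


class RegistrySnapshot:
    """HKLM view used off-Windows: a set of existing keys plus string values."""

    def __init__(self, keys: set[str], values: dict[tuple[str, str], str]):
        self._keys = {k.lower() for k in keys}
        self._values = {(k.lower(), v.lower()): val for (k, v), val in values.items()}

    def key_exists(self, key: str) -> bool:
        return key.lower() in self._keys

    def read_string(self, key: str, value: str) -> str | None:
        return self._values.get((key.lower(), value.lower()))


class LiveRegistry:
    """Same interface over HKEY_LOCAL_MACHINE through winreg."""

    def key_exists(self, key: str) -> bool:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
            return True
        except OSError:
            return False

    def read_string(self, key: str, value: str) -> str | None:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                data, _ = winreg.QueryValueEx(handle, value)
        except OSError:
            return None
        # SystemBiosVersion is REG_MULTI_SZ and comes back as a list of strings.
        return " ".join(data) if isinstance(data, list) else str(data)


def run_probes(reg) -> list[Finding]:
    """Evaluate the four probes; exposes_vm is True where the value betrays a VM."""
    vbox_key = reg.key_exists(ACPI_VBOX_KEY)
    findings = [Finding("ACPI DSDT VBOX__ key present", str(vbox_key), vbox_key)]
    for value in ("SystemBiosVersion", "VideoBiosVersion"):
        observed = reg.read_string(BIOS_KEY, value)
        leak = bool(observed and VM_MARKERS.search(observed))
        findings.append(Finding(f"{value} string", observed, leak))
    # EnableLUA answers "is UAC in the way?"; it says nothing about virtualisation.
    findings.append(Finding("EnableLUA (UAC enabled)", reg.read_string(UAC_KEY, "EnableLUA"), False))
    return findings


def exposed_probes(reg) -> list[str]:
    return [f.probe for f in run_probes(reg) if f.exposes_vm]


# Constructed snapshot of a stock VirtualBox guest (assumed typical BIOS strings).
VBOX_GUEST = RegistrySnapshot(
    keys={ACPI_VBOX_KEY},
    values={
        (BIOS_KEY, "SystemBiosVersion"): "VBOX   - 1",
        (BIOS_KEY, "VideoBiosVersion"): "Oracle VM VirtualBox Version 6.1.36 VGA BIOS",
        (UAC_KEY, "EnableLUA"): "1",
    },
)

# The same guest after the DSDT table is renamed and the BIOS strings are replaced.
HARDENED_GUEST = RegistrySnapshot(
    keys=set(),
    values={
        (BIOS_KEY, "SystemBiosVersion"): "ALASKA - 1072009",
        (BIOS_KEY, "VideoBiosVersion"): "Intel Video BIOS",
        (UAC_KEY, "EnableLUA"): "1",
    },
)

if __name__ == "__main__":
    registry = LiveRegistry() if winreg is not None else VBOX_GUEST
    for f in run_probes(registry):
        print(f"{'LEAK' if f.exposes_vm else 'ok  '} {f.probe}: {f.observed!r}")
```

Run it inside the analysis VM to see what this sample saw: any probe printed as LEAK is an artifact the guest still exposes. The EnableLUA read is kept in the list because it is part of the same reconnaissance burst, but it is a privilege check rather than a VM check, which is why it never counts as a leak.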
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords = "No" | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask = "No" | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "No" | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords = "No" | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask = "No" | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "No" | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4416 wrote to memory of 680 | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4416 wrote to memory of 680 | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4416 wrote to memory of 680 | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 680 wrote to memory of 5072 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe |
| PID 680 wrote to memory of 5072 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe |
| PID 680 wrote to memory of 5072 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\20.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\" -an -ai#7zMap26490:66:7zEvent18462
C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe
"C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.ahk
C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe
C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.ahk
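The Processes list above shows the dropped executable spawning cmd.exe, which uses start to re-launch the same executable with an .ahk file as its argument. The Python below is an added example, not code from the report: it rebuilds a process tree from constructed Sysmon-style process-creation records (images and command lines copied from the Processes section, PIDs 4416/680/5072 from the WriteProcessMemory rows, the remaining PIDs and a notepad control made up) and reports every chain in which an executable in a user-writable folder is re-launched through cmd.exe with an .ahk argument. The .ahk extension is AutoHotkey's script extension, so the executable is presumably a script host; the report itself does not name it.

```python
"""Flag the cmd.exe /c start <self> <script>.ahk relaunch chain from the Processes list.

Added example; not code from the report. It rebuilds a process tree from
constructed Sysmon-style process-creation records (images and command lines
taken from the report's Processes section, PIDs 4416/680/5072 from its
WriteProcessMemory rows, the other PIDs and the notepad control made up) and
reports every case where an executable in a user-writable folder is
re-launched through cmd.exe with an .ahk file as argument.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(documents|downloads|desktop|appdata)\\", re.I)
SCRIPT_EXTENSIONS = {".ahk"}
TOKEN = re.compile(r'"[^"]*"|\S+')


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line, dropping the quotes around quoted paths."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list[Proc] = field(default_factory=list)


def build_tree(events: list[dict]) -> dict[int, Proc]:
    procs = {e["pid"]: Proc(**e) for e in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def script_args(p: Proc) -> list[str]:
    """Arguments (not argv[0]) whose extension is a script type we care about."""
    return [t for t in tokens(p.cmdline)[1:] if ntpath.splitext(t)[1].lower() in SCRIPT_EXTENSIONS]


def is_cmd_start_relaunch(parent: Proc, cmd: Proc) -> bool:
    """True for 'cmd.exe /c start <parent image> <script>', the chain in the report."""
    if ntpath.basename(cmd.image).lower() != "cmd.exe":
        return False
    lowered = [t.lower() for t in tokens(cmd.cmdline)]
    return "/c" in lowered and "start" in lowered and parent.image.lower() in lowered and bool(script_args(cmd))


def detect(events: list[dict]) -> list[dict]:
    """One hit per parent -> cmd.exe -> relaunched-self chain."""
    hits = []
    for p in build_tree(events).values():
        if not USER_WRITABLE.search(p.image):
            continue
        for cmd in p.children:
            if not is_cmd_start_relaunch(p, cmd):
                continue
            relaunched = [c for c in cmd.children
                          if c.image.lower() == p.image.lower() and script_args(c)]
            hits.append({
                "parent_pid": p.pid,
                "cmd_pid": cmd.pid,
                "relaunched_pids": [c.pid for c in relaunched],
                "script": script_args(cmd)[0],
            })
    return hits


SAMPLE = r"C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe"
SCRIPT = r"C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.ahk"

# Constructed Sysmon event-ID-1 style records; only the fields the logic needs.
EVENTS = [
    {"pid": 2244, "ppid": 1, "image": r"C:\Windows\Explorer.exe", "cmdline": "C:\\Windows\\Explorer.exe"},
    {"pid": 3008, "ppid": 2244, "image": r"C:\Program Files\7-Zip\7zG.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\" -an -ai#7zMap26490:66:7zEvent18462'},
    {"pid": 4416, "ppid": 2244, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 680, "ppid": 4416, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f"cmd.exe /c start {SAMPLE} {SCRIPT}"},
    {"pid": 5072, "ppid": 680, "image": SAMPLE, "cmdline": f"{SAMPLE} {SCRIPT}"},
    # Benign control: a document opened from Explorer must not match.
    {"pid": 6100, "ppid": 2244, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\Documents\notes.txt'},
]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

The chain is the stronger signal here. The "PID 4416 wrote to memory of 680" rows in the WriteProcessMemory table describe a parent writing into a child it has just created, which is what ordinary process creation looks like to a sandbox hook, so those rows alone do not establish injection.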
Network
| Country | Destination | Domain | Proto |
| US | 20.42.73.25:443 | tcp | |
| NL | 8.248.3.254:80 | tcp | |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | titiopatas4599.hopto.org | udp |
| US | 137.184.158.185:80 | titiopatas4599.hopto.org | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 137.184.158.185:80 | titiopatas4599.hopto.org | tcp |
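The Network table above mixes three kinds of destination: the sandbox's resolver, an external-IP lookup service (ipinfo.io) and a host under a dynamic-DNS parent domain (hopto.org, operated by No-IP) that is the most plausible command-and-control candidate. The Python below is an added example, not code from the report: it turns the table rows into classified IOCs, matches them against constructed DNS and proxy log lines, and raises an alert for a client that performs the external-IP lookup and then reaches the dynamic-DNS host, the same order the table shows. The log formats, the benign entries and the service and parent-domain lists are assumptions for the sake of the example.

```python
"""Turn the Network table above into IOCs and match them against DNS/proxy logs.

Added example; not code from the report. The IOC values come from the
report's behavioral1 Network section; the log lines, log formats and the
service / dynamic-DNS lists are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Rows transcribed from the behavioral1 Network table: (destination, domain).
REPORT_ROWS = [
    ("20.42.73.25:443", ""),
    ("8.248.3.254:80", ""),
    ("8.8.8.8:53", "ipinfo.io"),
    ("34.117.59.81:80", "ipinfo.io"),
    ("8.8.8.8:53", "titiopatas4599.hopto.org"),
    ("137.184.158.185:80", "titiopatas4599.hopto.org"),
]

EXTERNAL_IP_SERVICES = {"ipinfo.io", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
DYNAMIC_DNS_PARENTS = {"hopto.org", "no-ip.org", "ddns.net", "zapto.org", "duckdns.org"}
RESOLVERS = {"8.8.8.8"}  # the sandbox's DNS server, never a destination to block


@dataclass(frozen=True)
class Ioc:
    value: str  # domain or IP
    kind: str   # "domain" | "ip"
    role: str   # "external-ip-lookup" | "dyndns-c2-candidate" | "unattributed"


def classify_domain(domain: str) -> str:
    if domain in EXTERNAL_IP_SERVICES:
        return "external-ip-lookup"
    parent = ".".join(domain.rsplit(".", 2)[-2:])
    if parent in DYNAMIC_DNS_PARENTS:
        return "dyndns-c2-candidate"
    return "unattributed"


def build_iocs(rows) -> list[Ioc]:
    """One IOC per distinct domain / IP; the role of an IP follows its domain."""
    iocs: set[Ioc] = set()
    for dest, domain in rows:
        ip = dest.rsplit(":", 1)[0]
        if domain:
            iocs.add(Ioc(domain, "domain", classify_domain(domain)))
        if ip in RESOLVERS:
            continue
        iocs.add(Ioc(ip, "ip", classify_domain(domain) if domain else "unattributed"))
    return sorted(iocs, key=lambda i: (i.role, i.kind, i.value))


def blocklist(iocs: list[Ioc]) -> list[str]:
    """Only the dynamic-DNS host and its IP; bare IPs with no domain need review first."""
    return sorted(i.value for i in iocs if i.role == "dyndns-c2-candidate")


# Constructed log lines in a simplified key=value form (a DNS query log and a proxy log).
SAMPLE_LOGS = """\
2022-10-31T23:01:12Z dns client=10.0.0.7 query=ipinfo.io type=A
2022-10-31T23:01:13Z proxy client=10.0.0.7 dst=34.117.59.81:80 host=ipinfo.io path=/json
2022-10-31T23:01:20Z dns client=10.0.0.7 query=titiopatas4599.hopto.org type=A
2022-10-31T23:01:21Z proxy client=10.0.0.7 dst=137.184.158.185:80 host=titiopatas4599.hopto.org path=/
2022-10-31T23:02:00Z dns client=10.0.0.9 query=www.example.com type=A
"""

KV = re.compile(r"(\w+)=(\S+)")


def match_logs(log_text: str, iocs: list[Ioc]) -> list[tuple[str, str, str]]:
    """Return (client, matched IOC, role) for every log line that touches an IOC."""
    by_value = {i.value: i for i in iocs}
    hits = []
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        candidates = [fields.get("query"), fields.get("host"), (fields.get("dst") or "").rsplit(":", 1)[0]]
        for c in candidates:
            if c and c in by_value:
                hits.append((fields["client"], c, by_value[c].role))
                break
    return hits


def sequence_alert(hits) -> set[str]:
    """Clients that did an external-IP lookup and then reached a dyn-DNS host."""
    seen_lookup: set[str] = set()
    alerts: set[str] = set()
    for client, _, role in hits:
        if role == "external-ip-lookup":
            seen_lookup.add(client)
        elif role == "dyndns-c2-candidate" and client in seen_lookup:
            alerts.add(client)
    return alerts


if __name__ == "__main__":
    iocs = build_iocs(REPORT_ROWS)
    print("blocklist:", blocklist(iocs))
    print("alerts:", sequence_alert(match_logs(SAMPLE_LOGS, iocs)))
```

The two destinations listed without a domain (20.42.73.25:443 and 8.248.3.254:80) stay at "unattributed": connections like these in a sandbox run are frequently the guest's own update or telemetry traffic rather than the sample's, so they should be attributed before they go into a blocklist. ipinfo.io is also kept out of the blocklist, because blocking a public lookup service breaks legitimate software; its value is as a sequence signal next to the dynamic-DNS connection.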
Files
C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe
| MD5 | 03c469798bf1827d989f09f346ce95f7 |
| SHA1 | 05e491bc1b8fbfbfdca24b565f2464137f30691e |
| SHA256 | de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a |
| SHA512 | d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238 |
memory/4416-116-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-117-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-118-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-119-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-120-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-121-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-125-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-126-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-128-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-129-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-130-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-131-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-132-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-133-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-134-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-135-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-136-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-137-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-138-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-127-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-123-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-124-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-122-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-140-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-139-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-141-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-142-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-143-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-144-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-145-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-146-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-147-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-148-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-149-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-150-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-151-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-152-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-153-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-154-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-155-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-156-0x0000000077700000-0x000000007788E000-memory.dmp
C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.ahk
| MD5 | 9882ec7fce0f08d20e7138aeffb11aca |
| SHA1 | ccdc032eabac74359032e4f418075bcd13e9781d |
| SHA256 | 851dc30759f774cda21fdbdc06a3f782097ef464c488f8aa5a23e301142e042c |
| SHA512 | f5cbdd6ad3884ba20f83312720752fb2dc6a09aeffd4408d0b133ffe87616cffb0e5cbd1f3317524f2440ad41b3cc3b98c836263accad12ac1f72a924c238ca3 |
memory/4416-158-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-159-0x0000000077700000-0x000000007788E000-memory.dmp
C:\Users\Admin\Documents\bgdwubmodm.xqg
| MD5 | 186b119d39e666a41a602ff6c9605b70 |
| SHA1 | 99599a7c7620265b9e30dc1b7028b34ec274464c |
| SHA256 | 3da15b7582aa2e324d7e8a18ca4610fb20f69985b09f1c1490e6a99dcde6e305 |
| SHA512 | be22de499169903b83d6c3c44c6368bda91de8ab636c331424e99cbe01b38cf593a08e293c5f57ab4a4fde9f2a032deef5d94c6664014f02f71a948af5e3ab75 |
\Users\Admin\Documents\bgdwubmodm.xqg
| MD5 | 186b119d39e666a41a602ff6c9605b70 |
| SHA1 | 99599a7c7620265b9e30dc1b7028b34ec274464c |
| SHA256 | 3da15b7582aa2e324d7e8a18ca4610fb20f69985b09f1c1490e6a99dcde6e305 |
| SHA512 | be22de499169903b83d6c3c44c6368bda91de8ab636c331424e99cbe01b38cf593a08e293c5f57ab4a4fde9f2a032deef5d94c6664014f02f71a948af5e3ab75 |
memory/4416-163-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-164-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-165-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-166-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-168-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-167-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-169-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-170-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-171-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-172-0x0000000004960000-0x00000000064E4000-memory.dmp
memory/4416-173-0x0000000004960000-0x00000000064E4000-memory.dmp
memory/4416-174-0x0000000004960000-0x00000000064E4000-memory.dmp
memory/4416-175-0x0000000004960000-0x00000000064E4000-memory.dmp
memory/4416-176-0x0000000004960000-0x00000000064E4000-memory.dmp
memory/4416-177-0x0000000077700000-0x000000007788E000-memory.dmp
memory/4416-178-0x0000000004960000-0x00000000064E4000-memory.dmp
memory/4416-179-0x0000000004960000-0x00000000064E4000-memory.dmp
memory/4416-180-0x0000000004960000-0x00000000064E4000-memory.dmp
memory/4416-181-0x0000000004960000-0x00000000064E4000-memory.dmp
memory/4416-182-0x0000000004960000-0x00000000064E4000-memory.dmp
memory/4416-183-0x0000000004960000-0x00000000064E4000-memory.dmp
C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe
| MD5 | 03c469798bf1827d989f09f346ce95f7 |
| SHA1 | 05e491bc1b8fbfbfdca24b565f2464137f30691e |
| SHA256 | de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a |
| SHA512 | d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238 |
memory/680-229-0x0000000000000000-mapping.dmp
memory/5072-246-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe
| MD5 | 03c469798bf1827d989f09f346ce95f7 |
| SHA1 | 05e491bc1b8fbfbfdca24b565f2464137f30691e |
| SHA256 | de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a |
| SHA512 | d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238 |
\Users\Admin\Documents\bgdwubmodm.xqg
| MD5 | 186b119d39e666a41a602ff6c9605b70 |
| SHA1 | 99599a7c7620265b9e30dc1b7028b34ec274464c |
| SHA256 | 3da15b7582aa2e324d7e8a18ca4610fb20f69985b09f1c1490e6a99dcde6e305 |
| SHA512 | be22de499169903b83d6c3c44c6368bda91de8ab636c331424e99cbe01b38cf593a08e293c5f57ab4a4fde9f2a032deef5d94c6664014f02f71a948af5e3ab75 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-31 22:53
Reported
2022-10-31 23:06
Platform
win10v2004-20220812-es
Max time kernel
712s
Max time network
515s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "No" | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FormSuggest Passwords = "No" | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FormSuggest PW Ask = "No" | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\20.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\" -an -ai#7zMap8665:66:7zEvent1725
C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe
"C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe"
C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe
"C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe"
C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe
"C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe"
C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe
"C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 20.189.173.1:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | titiopatas4599.hopto.org | udp |
| US | 137.184.158.185:80 | titiopatas4599.hopto.org | tcp |
Files
C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe
| MD5 | 03c469798bf1827d989f09f346ce95f7 |
| SHA1 | 05e491bc1b8fbfbfdca24b565f2464137f30691e |
| SHA256 | de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a |
| SHA512 | d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238 |
C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.ahk
| MD5 | 186b119d39e666a41a602ff6c9605b70 |
| SHA1 | 99599a7c7620265b9e30dc1b7028b34ec274464c |
| SHA256 | 3da15b7582aa2e324d7e8a18ca4610fb20f69985b09f1c1490e6a99dcde6e305 |
| SHA512 | be22de499169903b83d6c3c44c6368bda91de8ab636c331424e99cbe01b38cf593a08e293c5f57ab4a4fde9f2a032deef5d94c6664014f02f71a948af5e3ab75 |
C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe
| MD5 | 03c469798bf1827d989f09f346ce95f7 |
| SHA1 | 05e491bc1b8fbfbfdca24b565f2464137f30691e |
| SHA256 | de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a |
| SHA512 | d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238 |
C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.ahk
| MD5 | 9882ec7fce0f08d20e7138aeffb11aca |
| SHA1 | ccdc032eabac74359032e4f418075bcd13e9781d |
| SHA256 | 851dc30759f774cda21fdbdc06a3f782097ef464c488f8aa5a23e301142e042c |
| SHA512 | f5cbdd6ad3884ba20f83312720752fb2dc6a09aeffd4408d0b133ffe87616cffb0e5cbd1f3317524f2440ad41b3cc3b98c836263accad12ac1f72a924c238ca3 |
C:\Users\Admin\Documents\bgdwubmodm.xqg
| MD5 | 186b119d39e666a41a602ff6c9605b70 |
| SHA1 | 99599a7c7620265b9e30dc1b7028b34ec274464c |
| SHA256 | 3da15b7582aa2e324d7e8a18ca4610fb20f69985b09f1c1490e6a99dcde6e305 |
| SHA512 | be22de499169903b83d6c3c44c6368bda91de8ab636c331424e99cbe01b38cf593a08e293c5f57ab4a4fde9f2a032deef5d94c6664014f02f71a948af5e3ab75 |
memory/3328-141-0x0000000004660000-0x00000000061E4000-memory.dmp
memory/3328-143-0x0000000076E70000-0x0000000077013000-memory.dmp
memory/3328-142-0x0000000004660000-0x00000000061E4000-memory.dmp
memory/3328-144-0x0000000004660000-0x00000000061E4000-memory.dmp
memory/3328-145-0x0000000004660000-0x00000000061E4000-memory.dmp
memory/3328-146-0x0000000004660000-0x00000000061E4000-memory.dmp
memory/3328-147-0x0000000004660000-0x00000000061E4000-memory.dmp
memory/3328-148-0x0000000004660000-0x00000000061E4000-memory.dmp
memory/3328-149-0x0000000004660000-0x00000000061E4000-memory.dmp
memory/3328-150-0x0000000004660000-0x00000000061E4000-memory.dmp
memory/3328-151-0x0000000004660000-0x00000000061E4000-memory.dmp
memory/3328-152-0x0000000004660000-0x00000000061E4000-memory.dmp
memory/3328-153-0x0000000004660000-0x00000000061E4000-memory.dmp
memory/3328-154-0x0000000076E70000-0x0000000077013000-memory.dmp