allcome | be1bc698d63cbfc97d75edaa1fe850772d1e082a7b9a24aa5e09ed5b3bdeedde

Resubmissions

25-12-2022 14:22

221225-rppf7abf39 10

25-12-2022 14:22

25-12-2022 14:21

25-12-2022 14:21

25-12-2022 14:13

Analysis

max time kernel
143s
max time network
115s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-12-2022 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe
Size

9.1MB
MD5

58ec0acfe4edcc15917b97ef91596f07
SHA1

60e610685d9a549926e7a9b0cb6bcc6509708d3c
SHA256

2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02
SHA512

5769c348149efc107d94bd02e6bbb16440c7974533b843cc42fb7c23fb3e2209754ab69ca9f04a0ba4c56c83e5c30983568a1b1d5f9861c1328befdf09e78736
SSDEEP

196608:K2ejh9Qo2P3Cgnpmtw69DvGSfkDpVpyPc9izcM/WaQCf:Kd4CHx3IyP4izp+Uf

Score

10^/10

allcome evasion stealer themida trojan

Malware Config

Extracted

Family

allcome

http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf6zrlhn=finarnw

Signatures

Allcome
A clipbanker that supports stealing different cryptocurrency wallets and payment forms.
stealer allcome

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MoUSO.exe

Executes dropped EXE 1 IoCs

pid	Process
1588	MoUSO.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MoUSO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MoUSO.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/900-56-0x00000000009B0000-0x00000000012CE000-memory.dmp	themida
behavioral2/memory/900-57-0x00000000009B0000-0x00000000012CE000-memory.dmp	themida
behavioral2/memory/1488-74-0x00000000009B0000-0x00000000012CE000-memory.dmp	themida
behavioral2/memory/900-108-0x00000000009B0000-0x00000000012CE000-memory.dmp	themida
behavioral2/files/0x00060000000142c9-112.dat	themida
behavioral2/files/0x00060000000142c9-114.dat	themida
behavioral2/memory/1588-117-0x0000000000220000-0x0000000000B3E000-memory.dmp	themida
behavioral2/memory/1588-118-0x0000000000220000-0x0000000000B3E000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MoUSO.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 900 set thread context of 1864	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1184	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe
900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe
900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe
900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe
900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe
900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe
900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe
900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe
900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe
1588	MoUSO.exe
1588	MoUSO.exe
1588	MoUSO.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe
Token: SeDebugPrivilege	1588	MoUSO.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1488	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	28
PID 900 wrote to memory of 1488	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	28
PID 900 wrote to memory of 1488	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	28
PID 900 wrote to memory of 1488	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	28
PID 900 wrote to memory of 1488	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	28
PID 900 wrote to memory of 1488	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	28
PID 900 wrote to memory of 1488	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	28
PID 900 wrote to memory of 1488	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	28
PID 900 wrote to memory of 1488	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	28
PID 900 wrote to memory of 1488	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	28
PID 900 wrote to memory of 1488	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	28
PID 900 wrote to memory of 1844	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	29
PID 900 wrote to memory of 1844	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	29
PID 900 wrote to memory of 1844	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	29
PID 900 wrote to memory of 1844	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	29
PID 900 wrote to memory of 1844	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	29
PID 900 wrote to memory of 1844	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	29
PID 900 wrote to memory of 1844	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	29
PID 900 wrote to memory of 1844	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	29
PID 900 wrote to memory of 1844	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	29
PID 900 wrote to memory of 1844	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	29
PID 900 wrote to memory of 1844	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	29
PID 900 wrote to memory of 1780	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	30
PID 900 wrote to memory of 1780	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	30
PID 900 wrote to memory of 1780	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	30
PID 900 wrote to memory of 1780	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	30
PID 900 wrote to memory of 1780	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	30
PID 900 wrote to memory of 1780	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	30
PID 900 wrote to memory of 1780	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	30
PID 900 wrote to memory of 1780	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	30
PID 900 wrote to memory of 1780	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	30
PID 900 wrote to memory of 1780	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	30
PID 900 wrote to memory of 1780	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	30
PID 900 wrote to memory of 1864	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	31
PID 900 wrote to memory of 1864	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	31
PID 900 wrote to memory of 1864	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	31
PID 900 wrote to memory of 1864	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	31
PID 900 wrote to memory of 1864	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	31
PID 900 wrote to memory of 1864	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	31
PID 900 wrote to memory of 1864	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	31
PID 900 wrote to memory of 1864	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	31
PID 900 wrote to memory of 1864	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	31
PID 900 wrote to memory of 1864	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	31
PID 900 wrote to memory of 1864	900	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	31
PID 1864 wrote to memory of 1184	1864	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	33
PID 1864 wrote to memory of 1184	1864	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	33
PID 1864 wrote to memory of 1184	1864	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	33
PID 1864 wrote to memory of 1184	1864	2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe	33
PID 364 wrote to memory of 1588	364	taskeng.exe	36
PID 364 wrote to memory of 1588	364	taskeng.exe	36
PID 364 wrote to memory of 1588	364	taskeng.exe	36
PID 364 wrote to memory of 1588	364	taskeng.exe	36
PID 1588 wrote to memory of 968	1588	MoUSO.exe	37
PID 1588 wrote to memory of 968	1588	MoUSO.exe	37
PID 1588 wrote to memory of 968	1588	MoUSO.exe	37
PID 1588 wrote to memory of 968	1588	MoUSO.exe	37
PID 1588 wrote to memory of 968	1588	MoUSO.exe	37
PID 1588 wrote to memory of 968	1588	MoUSO.exe	37
PID 1588 wrote to memory of 968	1588	MoUSO.exe	37
PID 1588 wrote to memory of 968	1588	MoUSO.exe	37
PID 1588 wrote to memory of 968	1588	MoUSO.exe	37
PID 1588 wrote to memory of 968	1588	MoUSO.exe	37
PID 1588 wrote to memory of 968	1588	MoUSO.exe	37

C:\Users\Admin\AppData\Local\Temp\2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe
"C:\Users\Admin\AppData\Local\Temp\2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\Temp\2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe
  "C:\Users\Admin\AppData\Local\Temp\2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe"
  2⤵
  PID:1488
- C:\Users\Admin\AppData\Local\Temp\2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe
  "C:\Users\Admin\AppData\Local\Temp\2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe"
  2⤵
  PID:1844
- C:\Users\Admin\AppData\Local\Temp\2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe
  "C:\Users\Admin\AppData\Local\Temp\2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe"
  2⤵
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe
  "C:\Users\Admin\AppData\Local\Temp\2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1184

C:\Windows\system32\taskeng.exe
taskeng.exe {FFB3F19D-01B2-4A22-9EF5-FBA43B52328C} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:364
- C:\Users\Admin\AppData\Local\cache\MoUSO.exe
  C:\Users\Admin\AppData\Local\cache\MoUSO.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Users\Admin\AppData\Local\cache\MoUSO.exe
    "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
    3⤵
    PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\cache\MoUSO.exe

Filesize
9.1MB

MD5
58ec0acfe4edcc15917b97ef91596f07

SHA1
60e610685d9a549926e7a9b0cb6bcc6509708d3c

SHA256
2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02

SHA512
5769c348149efc107d94bd02e6bbb16440c7974533b843cc42fb7c23fb3e2209754ab69ca9f04a0ba4c56c83e5c30983568a1b1d5f9861c1328befdf09e78736

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe

Filesize
9.1MB

MD5
58ec0acfe4edcc15917b97ef91596f07

SHA1
60e610685d9a549926e7a9b0cb6bcc6509708d3c

SHA256
2d640e53d6e6d96266afb87c150403609c66d66ab1a5404c20efb13c85f9ae02

SHA512
5769c348149efc107d94bd02e6bbb16440c7974533b843cc42fb7c23fb3e2209754ab69ca9f04a0ba4c56c83e5c30983568a1b1d5f9861c1328befdf09e78736

Download Submit
memory/900-58-0x00000000008D0000-0x0000000000900000-memory.dmp

Filesize
192KB

Download
memory/900-91-0x000000000E830000-0x000000000F14E000-memory.dmp

Filesize
9.1MB

Download
memory/900-59-0x0000000000620000-0x0000000000638000-memory.dmp

Filesize
96KB

Download
memory/900-60-0x00000000009B0000-0x00000000012CE000-memory.dmp

Filesize
9.1MB

Download
memory/900-61-0x0000000000990000-0x00000000009AA000-memory.dmp

Filesize
104KB

Download
memory/900-62-0x0000000000940000-0x0000000000946000-memory.dmp

Filesize
24KB

Download
memory/900-57-0x00000000009B0000-0x00000000012CE000-memory.dmp

Filesize
9.1MB

Download
memory/900-56-0x00000000009B0000-0x00000000012CE000-memory.dmp

Filesize
9.1MB

Download
memory/900-108-0x00000000009B0000-0x00000000012CE000-memory.dmp

Filesize
9.1MB

Download
memory/900-102-0x000000000E830000-0x000000000F14E000-memory.dmp

Filesize
9.1MB

Download
memory/900-101-0x000000000E830000-0x000000000F14E000-memory.dmp

Filesize
9.1MB

Download
memory/900-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1488-74-0x00000000009B0000-0x00000000012CE000-memory.dmp

Filesize
9.1MB

Download
memory/1488-64-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/1488-69-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/1488-70-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/1488-68-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/1488-63-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/1488-66-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/1588-118-0x0000000000220000-0x0000000000B3E000-memory.dmp

Filesize
9.1MB

Download
memory/1588-117-0x0000000000220000-0x0000000000B3E000-memory.dmp

Filesize
9.1MB

Download
memory/1864-111-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1864-109-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1864-107-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1864-103-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download