Analysis Overview
SHA256
405862265e3d65d3fdd6f9a502fa001e7c7c4564848e060971240758264a9a25
Threat Level: Known bad
The file install_win64.zip was found to be: Known bad.
Malicious Activity Summary
Aurora
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-25 22:02
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2023-01-25 22:02
Reported
2023-01-25 22:05
Platform
win10v2004-20221111-en
Max time kernel
88s
Max time network
154s
Command Line
Signatures
Aurora
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cFA1XOkvBu.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\install_win64.exe
"C:\Users\Admin\AppData\Local\Temp\install_win64.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\cFA1XOkvBu.exe"
C:\Users\Admin\AppData\Local\Temp\cFA1XOkvBu.exe
"C:\Users\Admin\AppData\Local\Temp\cFA1XOkvBu.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.4.4:443 | tcp | |
| N/A | 142.251.39.100:443 | tcp | |
| N/A | 142.250.179.195:443 | tcp | |
| N/A | 142.250.179.195:443 | tcp | |
| N/A | 8.8.4.4:443 | tcp | |
| N/A | 142.250.179.200:443 | tcp | |
| N/A | 45.15.156.210:8081 | tcp | |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| N/A | 216.58.214.10:443 | tcp | |
| N/A | 142.251.39.106:443 | tcp | |
| N/A | 142.250.179.163:443 | tcp | |
| N/A | 142.251.36.10:443 | tcp | |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 108.156.60.51:443 | tcp | |
| N/A | 108.156.60.107:443 | tcp | |
| N/A | 8.248.3.254:80 | tcp | |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 104.80.225.205:443 | tcp | |
| N/A | 104.18.226.52:443 | tcp | |
| N/A | 8.248.3.254:80 | tcp | |
| N/A | 20.50.73.10:443 | tcp | |
| N/A | 96.16.53.137:80 | tcp | |
| N/A | 96.16.53.137:80 | tcp | |
| N/A | 96.16.53.137:80 | tcp | |
| N/A | 8.248.3.254:80 | tcp |
Files
memory/4812-132-0x00000000007E0000-0x0000000001151000-memory.dmp
memory/4812-133-0x00000000007E0000-0x0000000001151000-memory.dmp
memory/4812-134-0x0000000076F80000-0x0000000077123000-memory.dmp
memory/4812-135-0x00000000007E0000-0x0000000001151000-memory.dmp
memory/4812-136-0x00000000007E0000-0x0000000001151000-memory.dmp
memory/4812-137-0x00000000007E0000-0x0000000001151000-memory.dmp
memory/4812-138-0x00000000007E0000-0x0000000001151000-memory.dmp
memory/4812-139-0x00000000007E0000-0x0000000001151000-memory.dmp
memory/1212-140-0x0000000000000000-mapping.dmp
memory/2680-141-0x0000000000000000-mapping.dmp
memory/2104-142-0x0000000000000000-mapping.dmp
memory/1484-143-0x0000000000000000-mapping.dmp
memory/4152-144-0x0000000000000000-mapping.dmp
memory/4812-145-0x00000000007E0000-0x0000000001151000-memory.dmp
memory/4812-146-0x0000000076F80000-0x0000000077123000-memory.dmp
memory/3880-147-0x0000000000000000-mapping.dmp
memory/3880-148-0x0000000002C00000-0x0000000002C36000-memory.dmp
memory/3880-149-0x0000000005700000-0x0000000005D28000-memory.dmp
memory/3880-150-0x0000000005500000-0x0000000005522000-memory.dmp
memory/3880-151-0x0000000005DE0000-0x0000000005E46000-memory.dmp
memory/3880-152-0x0000000005EC0000-0x0000000005F26000-memory.dmp
memory/3880-153-0x00000000064C0000-0x00000000064DE000-memory.dmp
memory/3880-154-0x00000000076A0000-0x0000000007736000-memory.dmp
memory/3880-155-0x00000000069A0000-0x00000000069BA000-memory.dmp
memory/3880-156-0x00000000069F0000-0x0000000006A12000-memory.dmp
memory/3880-157-0x0000000007CF0000-0x0000000008294000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cFA1XOkvBu.exe
| MD5 | fd3921d7f42c4a42115ce88d1c9fe031 |
| SHA1 | 30d5b2cd633667a340047e1ff1ce44628555eba0 |
| SHA256 | 0ea7ac01f7c8cb0ad3574688fd83265cceb7c3c16f89f29799b8be1b3a314a6a |
| SHA512 | 8216ba2c9da3e6021f8f90c824a9da14632069477e508117948d841fd7dcc7fe28e1fb3d9cae854afe32db3ed46c6ba9cc49b3840ec875f66f3fa252ae11fb70 |
memory/2000-159-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\cFA1XOkvBu.exe
| MD5 | fd3921d7f42c4a42115ce88d1c9fe031 |
| SHA1 | 30d5b2cd633667a340047e1ff1ce44628555eba0 |
| SHA256 | 0ea7ac01f7c8cb0ad3574688fd83265cceb7c3c16f89f29799b8be1b3a314a6a |
| SHA512 | 8216ba2c9da3e6021f8f90c824a9da14632069477e508117948d841fd7dcc7fe28e1fb3d9cae854afe32db3ed46c6ba9cc49b3840ec875f66f3fa252ae11fb70 |
memory/2000-161-0x0000000000F40000-0x0000000001623000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-25 22:02
Reported
2023-01-25 22:05
Platform
win7-20220812-en
Max time kernel
138s
Max time network
146s
Command Line
Signatures
Aurora
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\install_win64\install_win64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\install_win64\install_win64.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\install_win64\install_win64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\install_win64\install_win64.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\install_win64\install_win64.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\install_win64\install_win64.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\install_win64\install_win64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\install_win64.zip
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x268
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" shell32.dll,Options_RunDLL 0
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\install_win64\" -spe -an -ai#7zMap23464:106:7zEvent8875
C:\Users\Admin\AppData\Local\Temp\install_win64\install_win64.exe
"C:\Users\Admin\AppData\Local\Temp\install_win64\install_win64.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\2PTwnwQcRm.exe"
C:\Users\Admin\AppData\Local\Temp\2PTwnwQcRm.exe
"C:\Users\Admin\AppData\Local\Temp\2PTwnwQcRm.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 45.15.156.210:8081 | tcp | |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
Files
memory/824-54-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp
memory/1028-55-0x0000000074F41000-0x0000000074F43000-memory.dmp
memory/1028-56-0x0000000071311000-0x0000000071313000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\install_win64\install_win64.exe
| MD5 | 644282347b989dcaddd336fc0eb7cb17 |
| SHA1 | 8eb7200270436c97a5e6c4e3571996e8ec060b0f |
| SHA256 | f0488e552a733e4669e055a33848d5e16876b2239dfbf48cfddf4d12db0a42b0 |
| SHA512 | 92c83c745f7638081173c5ac909f19d4d761ba558f092ee76da144e4551e15600c222c6ff1a4a58ff73847469920146413b2ee3d1ffa469017295a8f14a119cc |
memory/1968-60-0x0000000000D40000-0x00000000016B1000-memory.dmp
memory/1968-61-0x0000000000D40000-0x00000000016B1000-memory.dmp
memory/1968-62-0x0000000000D40000-0x00000000016B1000-memory.dmp
memory/1968-63-0x0000000000D40000-0x00000000016B1000-memory.dmp
memory/1968-64-0x0000000000D40000-0x00000000016B1000-memory.dmp
memory/1968-66-0x0000000077440000-0x00000000775C0000-memory.dmp
memory/1968-65-0x0000000000D40000-0x00000000016B1000-memory.dmp
memory/1012-67-0x0000000000000000-mapping.dmp
memory/1664-68-0x0000000000000000-mapping.dmp
memory/1864-69-0x0000000000000000-mapping.dmp
memory/1312-70-0x0000000000000000-mapping.dmp
memory/952-71-0x0000000000000000-mapping.dmp
memory/1684-72-0x0000000000000000-mapping.dmp
memory/1684-74-0x0000000071F40000-0x00000000724EB000-memory.dmp
memory/1968-76-0x0000000077440000-0x00000000775C0000-memory.dmp
memory/1968-75-0x0000000000D40000-0x00000000016B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2PTwnwQcRm.exe
| MD5 | fd3921d7f42c4a42115ce88d1c9fe031 |
| SHA1 | 30d5b2cd633667a340047e1ff1ce44628555eba0 |
| SHA256 | 0ea7ac01f7c8cb0ad3574688fd83265cceb7c3c16f89f29799b8be1b3a314a6a |
| SHA512 | 8216ba2c9da3e6021f8f90c824a9da14632069477e508117948d841fd7dcc7fe28e1fb3d9cae854afe32db3ed46c6ba9cc49b3840ec875f66f3fa252ae11fb70 |
\Users\Admin\AppData\Local\Temp\2PTwnwQcRm.exe
| MD5 | fd3921d7f42c4a42115ce88d1c9fe031 |
| SHA1 | 30d5b2cd633667a340047e1ff1ce44628555eba0 |
| SHA256 | 0ea7ac01f7c8cb0ad3574688fd83265cceb7c3c16f89f29799b8be1b3a314a6a |
| SHA512 | 8216ba2c9da3e6021f8f90c824a9da14632069477e508117948d841fd7dcc7fe28e1fb3d9cae854afe32db3ed46c6ba9cc49b3840ec875f66f3fa252ae11fb70 |
C:\Users\Admin\AppData\Local\Temp\2PTwnwQcRm.exe
| MD5 | fd3921d7f42c4a42115ce88d1c9fe031 |
| SHA1 | 30d5b2cd633667a340047e1ff1ce44628555eba0 |
| SHA256 | 0ea7ac01f7c8cb0ad3574688fd83265cceb7c3c16f89f29799b8be1b3a314a6a |
| SHA512 | 8216ba2c9da3e6021f8f90c824a9da14632069477e508117948d841fd7dcc7fe28e1fb3d9cae854afe32db3ed46c6ba9cc49b3840ec875f66f3fa252ae11fb70 |
memory/364-79-0x0000000000000000-mapping.dmp
memory/1684-82-0x0000000071F40000-0x00000000724EB000-memory.dmp
memory/364-83-0x0000000001360000-0x0000000001A43000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-25 22:02
Reported
2023-01-25 22:05
Platform
win10v2004-20220901-en
Max time kernel
90s
Max time network
153s
Command Line
Signatures
Aurora
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\install_win64\install_win64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\install_win64\install_win64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XQ8XVYIoF9.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\install_win64\install_win64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\install_win64\install_win64.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\install_win64\install_win64.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\install_win64\install_win64.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\install_win64.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\install_win64\" -spe -an -ai#7zMap16379:106:7zEvent10938
C:\Users\Admin\AppData\Local\Temp\install_win64\install_win64.exe
"C:\Users\Admin\AppData\Local\Temp\install_win64\install_win64.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\XQ8XVYIoF9.exe"
C:\Users\Admin\AppData\Local\Temp\XQ8XVYIoF9.exe
"C:\Users\Admin\AppData\Local\Temp\XQ8XVYIoF9.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 20.42.73.25:443 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 45.15.156.210:8081 | tcp | |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| N/A | 204.79.197.200:443 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\install_win64\install_win64.exe
| MD5 | 446a94cde644528889e1d99773d0fcb4 |
| SHA1 | fe4101e37180a2aa341889a7382da285f17f1d30 |
| SHA256 | ee47555bdeb1124c269bfe960cda5203dd30423762e101871c31e85e6813f2b4 |
| SHA512 | 9a267bbbcc2e7f47517f4d8b37525a8fcc452906e51605114ccd5df69fc15f6b08b8847a5167f187f137b26f527dae3e334826a26c70e15afae65b87bb163887 |
C:\Users\Admin\AppData\Local\Temp\install_win64\install_win64.exe
| MD5 | 446a94cde644528889e1d99773d0fcb4 |
| SHA1 | fe4101e37180a2aa341889a7382da285f17f1d30 |
| SHA256 | ee47555bdeb1124c269bfe960cda5203dd30423762e101871c31e85e6813f2b4 |
| SHA512 | 9a267bbbcc2e7f47517f4d8b37525a8fcc452906e51605114ccd5df69fc15f6b08b8847a5167f187f137b26f527dae3e334826a26c70e15afae65b87bb163887 |
memory/2960-134-0x0000000000AB0000-0x0000000001421000-memory.dmp
memory/2960-135-0x0000000000AB0000-0x0000000001421000-memory.dmp
memory/2960-136-0x0000000000AB0000-0x0000000001421000-memory.dmp
memory/2960-137-0x0000000000AB0000-0x0000000001421000-memory.dmp
memory/2960-138-0x0000000000AB0000-0x0000000001421000-memory.dmp
memory/2960-139-0x0000000077A40000-0x0000000077BE3000-memory.dmp
memory/2960-140-0x0000000000AB0000-0x0000000001421000-memory.dmp
memory/2960-141-0x0000000000AB0000-0x0000000001421000-memory.dmp
memory/4592-142-0x0000000000000000-mapping.dmp
memory/1732-143-0x0000000000000000-mapping.dmp
memory/796-144-0x0000000000000000-mapping.dmp
memory/4696-145-0x0000000000000000-mapping.dmp
memory/5076-146-0x0000000000000000-mapping.dmp
memory/2884-147-0x0000000000000000-mapping.dmp
memory/2884-148-0x0000000002E10000-0x0000000002E46000-memory.dmp
memory/2884-149-0x0000000005A70000-0x0000000006098000-memory.dmp
memory/2960-150-0x0000000000AB0000-0x0000000001421000-memory.dmp
memory/2884-151-0x0000000005790000-0x00000000057B2000-memory.dmp
memory/2884-152-0x0000000005830000-0x0000000005896000-memory.dmp
memory/2884-153-0x0000000006110000-0x0000000006176000-memory.dmp
memory/2884-154-0x0000000006740000-0x000000000675E000-memory.dmp
memory/2960-155-0x0000000077A40000-0x0000000077BE3000-memory.dmp
memory/2884-156-0x0000000006CB0000-0x0000000006D46000-memory.dmp
memory/2884-158-0x0000000007710000-0x0000000007732000-memory.dmp
memory/2884-157-0x0000000006C40000-0x0000000006C5A000-memory.dmp
memory/2884-159-0x0000000007CF0000-0x0000000008294000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XQ8XVYIoF9.exe
| MD5 | fd3921d7f42c4a42115ce88d1c9fe031 |
| SHA1 | 30d5b2cd633667a340047e1ff1ce44628555eba0 |
| SHA256 | 0ea7ac01f7c8cb0ad3574688fd83265cceb7c3c16f89f29799b8be1b3a314a6a |
| SHA512 | 8216ba2c9da3e6021f8f90c824a9da14632069477e508117948d841fd7dcc7fe28e1fb3d9cae854afe32db3ed46c6ba9cc49b3840ec875f66f3fa252ae11fb70 |
C:\Users\Admin\AppData\Local\Temp\XQ8XVYIoF9.exe
| MD5 | fd3921d7f42c4a42115ce88d1c9fe031 |
| SHA1 | 30d5b2cd633667a340047e1ff1ce44628555eba0 |
| SHA256 | 0ea7ac01f7c8cb0ad3574688fd83265cceb7c3c16f89f29799b8be1b3a314a6a |
| SHA512 | 8216ba2c9da3e6021f8f90c824a9da14632069477e508117948d841fd7dcc7fe28e1fb3d9cae854afe32db3ed46c6ba9cc49b3840ec875f66f3fa252ae11fb70 |
memory/60-161-0x0000000000000000-mapping.dmp
memory/60-163-0x0000000000160000-0x0000000000843000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-01-25 22:02
Reported
2023-01-25 22:05
Platform
win7-20221111-en
Max time kernel
24s
Max time network
110s
Command Line
Signatures
Aurora
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tp9YydAEET.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\install_win64.exe
"C:\Users\Admin\AppData\Local\Temp\install_win64.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\tp9YydAEET.exe"
C:\Users\Admin\AppData\Local\Temp\tp9YydAEET.exe
"C:\Users\Admin\AppData\Local\Temp\tp9YydAEET.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 45.15.156.210:8081 | tcp | |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 162.159.129.233:443 | cdn.discordapp.com | tcp |
Files
memory/828-54-0x0000000075C41000-0x0000000075C43000-memory.dmp
memory/828-55-0x0000000000060000-0x00000000009D1000-memory.dmp
memory/828-56-0x0000000000060000-0x00000000009D1000-memory.dmp
memory/828-57-0x0000000000060000-0x00000000009D1000-memory.dmp
memory/828-58-0x0000000000060000-0x00000000009D1000-memory.dmp
memory/828-59-0x0000000000060000-0x00000000009D1000-memory.dmp
memory/828-61-0x0000000000060000-0x00000000009D1000-memory.dmp
memory/828-62-0x0000000077C40000-0x0000000077DC0000-memory.dmp
memory/1988-63-0x0000000000000000-mapping.dmp
memory/1156-64-0x0000000000000000-mapping.dmp
memory/1016-65-0x0000000000000000-mapping.dmp
memory/1108-66-0x0000000000000000-mapping.dmp
memory/1092-67-0x0000000000000000-mapping.dmp
memory/1716-68-0x0000000000000000-mapping.dmp
memory/1716-70-0x0000000073AA0000-0x000000007404B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tp9YydAEET.exe
| MD5 | fd3921d7f42c4a42115ce88d1c9fe031 |
| SHA1 | 30d5b2cd633667a340047e1ff1ce44628555eba0 |
| SHA256 | 0ea7ac01f7c8cb0ad3574688fd83265cceb7c3c16f89f29799b8be1b3a314a6a |
| SHA512 | 8216ba2c9da3e6021f8f90c824a9da14632069477e508117948d841fd7dcc7fe28e1fb3d9cae854afe32db3ed46c6ba9cc49b3840ec875f66f3fa252ae11fb70 |
\Users\Admin\AppData\Local\Temp\tp9YydAEET.exe
| MD5 | fd3921d7f42c4a42115ce88d1c9fe031 |
| SHA1 | 30d5b2cd633667a340047e1ff1ce44628555eba0 |
| SHA256 | 0ea7ac01f7c8cb0ad3574688fd83265cceb7c3c16f89f29799b8be1b3a314a6a |
| SHA512 | 8216ba2c9da3e6021f8f90c824a9da14632069477e508117948d841fd7dcc7fe28e1fb3d9cae854afe32db3ed46c6ba9cc49b3840ec875f66f3fa252ae11fb70 |
memory/780-73-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tp9YydAEET.exe
| MD5 | fd3921d7f42c4a42115ce88d1c9fe031 |
| SHA1 | 30d5b2cd633667a340047e1ff1ce44628555eba0 |
| SHA256 | 0ea7ac01f7c8cb0ad3574688fd83265cceb7c3c16f89f29799b8be1b3a314a6a |
| SHA512 | 8216ba2c9da3e6021f8f90c824a9da14632069477e508117948d841fd7dcc7fe28e1fb3d9cae854afe32db3ed46c6ba9cc49b3840ec875f66f3fa252ae11fb70 |
memory/1716-76-0x0000000073AA0000-0x000000007404B000-memory.dmp
memory/780-77-0x0000000000D30000-0x0000000001413000-memory.dmp
memory/828-80-0x0000000000060000-0x00000000009D1000-memory.dmp
memory/828-81-0x0000000077C40000-0x0000000077DC0000-memory.dmp