Analysis Overview
SHA256
d13ec3096398daa37bbc870ab323733353f3da106fdc56acef3802f597db9794
Threat Level: Known bad
The file install_win64.zip was found to be: Known bad.
Malicious Activity Summary
Aurora
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Checks BIOS information in registry
Reads user/profile data of web browsers
Themida packer
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-27 14:19
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-27 14:19
Reported
2023-01-27 14:22
Platform
win10-20220901-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Aurora
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OaiD1tJhe7.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OaiD1tJhe7.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\install_win64.exe
"C:\Users\Admin\AppData\Local\Temp\install_win64.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\OaiD1tJhe7.exe"
C:\Users\Admin\AppData\Local\Temp\OaiD1tJhe7.exe
"C:\Users\Admin\AppData\Local\Temp\OaiD1tJhe7.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 45.15.156.210:8081 | N/A | tcp |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 13.89.179.9:443 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\OaiD1tJhe7.exe
| MD5 | fd3921d7f42c4a42115ce88d1c9fe031 |
| SHA1 | 30d5b2cd633667a340047e1ff1ce44628555eba0 |
| SHA256 | 0ea7ac01f7c8cb0ad3574688fd83265cceb7c3c16f89f29799b8be1b3a314a6a |
| SHA512 | 8216ba2c9da3e6021f8f90c824a9da14632069477e508117948d841fd7dcc7fe28e1fb3d9cae854afe32db3ed46c6ba9cc49b3840ec875f66f3fa252ae11fb70 |