1ee9be483e830f3eb7f2f03f90af4a9acab03c574a7fdfd236ae061ce27d28b9

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
23/07/2023, 16:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

flashplayer32pp_en_install.exe
Size

3.9MB
MD5

0e52534986fd3f2ccba65e9e1f41a55b
SHA1

d6a442664bbdaa9d226d54f9b3590fbc4c8b2c03
SHA256

1ee9be483e830f3eb7f2f03f90af4a9acab03c574a7fdfd236ae061ce27d28b9
SHA512

17742cc6a0d7da4092c11ba363d87789e9bb18fff33710848f6fe6092bad19ac34990e866c091857412d22a9db8a88a0e52527557b30867030aa4f2bddf55263
SSDEEP

98304:SA9T0cVgiSptbwkKXwsgl3WWQ26h39+Yx/L+aUCfgpC+:SA9AcVjSpnKXwsgYr2o+u/WM

Score

9^/10

collection evasion spyware stealer themida trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	flashplayer32pp_en_install.exe

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2464-82-0x0000000000400000-0x0000000000465000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1556-71-0x0000000000400000-0x0000000000483000-memory.dmp	WebBrowserPassView
behavioral1/memory/1556-75-0x0000000000400000-0x0000000000483000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral1/memory/1556-71-0x0000000000400000-0x0000000000483000-memory.dmp	Nirsoft
behavioral1/memory/1556-75-0x0000000000400000-0x0000000000483000-memory.dmp	Nirsoft
behavioral1/memory/2464-82-0x0000000000400000-0x0000000000465000-memory.dmp	Nirsoft

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	flashplayer32pp_en_install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	flashplayer32pp_en_install.exe

Executes dropped EXE 2 IoCs

pid	Process
1556	A.exe
2464	B.exe

Loads dropped DLL 3 IoCs

pid	Process
2236	cmd.exe
2236	cmd.exe
1448	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2544-54-0x0000000000800000-0x00000000010DA000-memory.dmp	themida
behavioral1/memory/2544-56-0x0000000000800000-0x00000000010DA000-memory.dmp	themida
behavioral1/memory/2544-57-0x0000000000800000-0x00000000010DA000-memory.dmp	themida
behavioral1/memory/2544-59-0x0000000000800000-0x00000000010DA000-memory.dmp	themida
behavioral1/memory/2544-58-0x0000000000800000-0x00000000010DA000-memory.dmp	themida
behavioral1/memory/2544-60-0x0000000000800000-0x00000000010DA000-memory.dmp	themida
behavioral1/memory/2544-61-0x0000000000800000-0x00000000010DA000-memory.dmp	themida
behavioral1/memory/2544-62-0x0000000000800000-0x00000000010DA000-memory.dmp	themida
behavioral1/memory/2544-63-0x0000000000800000-0x00000000010DA000-memory.dmp	themida
behavioral1/memory/2544-72-0x0000000000800000-0x00000000010DA000-memory.dmp	themida
behavioral1/memory/2544-73-0x0000000000800000-0x00000000010DA000-memory.dmp	themida
behavioral1/memory/2544-83-0x0000000000800000-0x00000000010DA000-memory.dmp	themida
behavioral1/memory/2544-84-0x0000000000800000-0x00000000010DA000-memory.dmp	themida

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000012023-65.dat	upx
behavioral1/files/0x0009000000012023-68.dat	upx
behavioral1/memory/2236-67-0x0000000000160000-0x00000000001E3000-memory.dmp	upx
behavioral1/files/0x0009000000012023-66.dat	upx
behavioral1/files/0x0009000000012023-70.dat	upx
behavioral1/memory/1556-71-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/1556-75-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/files/0x000a000000012023-79.dat	upx
behavioral1/memory/1448-80-0x0000000000160000-0x00000000001C5000-memory.dmp	upx
behavioral1/files/0x000a000000012023-81.dat	upx
behavioral1/files/0x000a000000012023-78.dat	upx
behavioral1/memory/2464-82-0x0000000000400000-0x0000000000465000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	B.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	flashplayer32pp_en_install.exe

AutoIT Executable 11 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2544-57-0x0000000000800000-0x00000000010DA000-memory.dmp	autoit_exe
behavioral1/memory/2544-59-0x0000000000800000-0x00000000010DA000-memory.dmp	autoit_exe
behavioral1/memory/2544-58-0x0000000000800000-0x00000000010DA000-memory.dmp	autoit_exe
behavioral1/memory/2544-60-0x0000000000800000-0x00000000010DA000-memory.dmp	autoit_exe
behavioral1/memory/2544-61-0x0000000000800000-0x00000000010DA000-memory.dmp	autoit_exe
behavioral1/memory/2544-62-0x0000000000800000-0x00000000010DA000-memory.dmp	autoit_exe
behavioral1/memory/2544-63-0x0000000000800000-0x00000000010DA000-memory.dmp	autoit_exe
behavioral1/memory/2544-72-0x0000000000800000-0x00000000010DA000-memory.dmp	autoit_exe
behavioral1/memory/2544-73-0x0000000000800000-0x00000000010DA000-memory.dmp	autoit_exe
behavioral1/memory/2544-83-0x0000000000800000-0x00000000010DA000-memory.dmp	autoit_exe
behavioral1/memory/2544-84-0x0000000000800000-0x00000000010DA000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2544	flashplayer32pp_en_install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2544	flashplayer32pp_en_install.exe
1556	A.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2236	2544	flashplayer32pp_en_install.exe	28
PID 2544 wrote to memory of 2236	2544	flashplayer32pp_en_install.exe	28
PID 2544 wrote to memory of 2236	2544	flashplayer32pp_en_install.exe	28
PID 2544 wrote to memory of 2236	2544	flashplayer32pp_en_install.exe	28
PID 2236 wrote to memory of 1556	2236	cmd.exe	30
PID 2236 wrote to memory of 1556	2236	cmd.exe	30
PID 2236 wrote to memory of 1556	2236	cmd.exe	30
PID 2236 wrote to memory of 1556	2236	cmd.exe	30
PID 2544 wrote to memory of 1448	2544	flashplayer32pp_en_install.exe	32
PID 2544 wrote to memory of 1448	2544	flashplayer32pp_en_install.exe	32
PID 2544 wrote to memory of 1448	2544	flashplayer32pp_en_install.exe	32
PID 2544 wrote to memory of 1448	2544	flashplayer32pp_en_install.exe	32
PID 1448 wrote to memory of 2464	1448	cmd.exe	34
PID 1448 wrote to memory of 2464	1448	cmd.exe	34
PID 1448 wrote to memory of 2464	1448	cmd.exe	34
PID 1448 wrote to memory of 2464	1448	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\flashplayer32pp_en_install.exe
"C:\Users\Admin\AppData\Local\Temp\flashplayer32pp_en_install.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c A.exe /stext A.txt
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\A.exe
    A.exe /stext A.txt
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c B.exe /stext B.txt
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Users\Admin\AppData\Local\Temp\B.exe
    B.exe /stext B.txt
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A.exe

Filesize
224KB

MD5
440028436e4eb1d94fc14b09f5d6224c

SHA1
eaee95e001b415026db7aeac9804fb03e65d8caa

SHA256
3570596c4b62fee8a80b4cab0ee2ff6c33342d2ceb1b3d9d7d06fa352655d027

SHA512
516e7be456337236d2f6b550a5ec8e41590e647a3cfd6894f7dcfe714dd601ba787f88cde55f3ca5fe70d20f3ff72f9b248a0404df582be60ac08701c42c5c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A.exe

Filesize
224KB

MD5
440028436e4eb1d94fc14b09f5d6224c

SHA1
eaee95e001b415026db7aeac9804fb03e65d8caa

SHA256
3570596c4b62fee8a80b4cab0ee2ff6c33342d2ceb1b3d9d7d06fa352655d027

SHA512
516e7be456337236d2f6b550a5ec8e41590e647a3cfd6894f7dcfe714dd601ba787f88cde55f3ca5fe70d20f3ff72f9b248a0404df582be60ac08701c42c5c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\B.exe

Filesize
202KB

MD5
a394c0ae6cf5530bb91b37b8bd09c468

SHA1
e006c548c39f36630833163fe524887780390dfd

SHA256
fd057d11727f14563a5533dd8453d6e3dcbf71862483a15bf8b769a73243a201

SHA512
17e9c6f6b3c2b6197216fd132ed54c1d2586c359c42e12915bc256472769f00a4f413f6ac83a784945b9e296d63b6b943f72876cf495569a65ff26c6189748a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\B.exe

Filesize
202KB

MD5
a394c0ae6cf5530bb91b37b8bd09c468

SHA1
e006c548c39f36630833163fe524887780390dfd

SHA256
fd057d11727f14563a5533dd8453d6e3dcbf71862483a15bf8b769a73243a201

SHA512
17e9c6f6b3c2b6197216fd132ed54c1d2586c359c42e12915bc256472769f00a4f413f6ac83a784945b9e296d63b6b943f72876cf495569a65ff26c6189748a4

Download Submit
\Users\Admin\AppData\Local\Temp\A.exe

Filesize
224KB

MD5
440028436e4eb1d94fc14b09f5d6224c

SHA1
eaee95e001b415026db7aeac9804fb03e65d8caa

SHA256
3570596c4b62fee8a80b4cab0ee2ff6c33342d2ceb1b3d9d7d06fa352655d027

SHA512
516e7be456337236d2f6b550a5ec8e41590e647a3cfd6894f7dcfe714dd601ba787f88cde55f3ca5fe70d20f3ff72f9b248a0404df582be60ac08701c42c5c8d

Download Submit
\Users\Admin\AppData\Local\Temp\A.exe

Filesize
224KB

MD5
440028436e4eb1d94fc14b09f5d6224c

SHA1
eaee95e001b415026db7aeac9804fb03e65d8caa

SHA256
3570596c4b62fee8a80b4cab0ee2ff6c33342d2ceb1b3d9d7d06fa352655d027

SHA512
516e7be456337236d2f6b550a5ec8e41590e647a3cfd6894f7dcfe714dd601ba787f88cde55f3ca5fe70d20f3ff72f9b248a0404df582be60ac08701c42c5c8d

Download Submit
\Users\Admin\AppData\Local\Temp\B.exe

Filesize
202KB

MD5
a394c0ae6cf5530bb91b37b8bd09c468

SHA1
e006c548c39f36630833163fe524887780390dfd

SHA256
fd057d11727f14563a5533dd8453d6e3dcbf71862483a15bf8b769a73243a201

SHA512
17e9c6f6b3c2b6197216fd132ed54c1d2586c359c42e12915bc256472769f00a4f413f6ac83a784945b9e296d63b6b943f72876cf495569a65ff26c6189748a4

Download Submit
memory/1448-80-0x0000000000160000-0x00000000001C5000-memory.dmp

Filesize
404KB

Download
memory/1556-71-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1556-75-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2236-67-0x0000000000160000-0x00000000001E3000-memory.dmp

Filesize
524KB

Download
memory/2236-69-0x0000000000160000-0x00000000001E3000-memory.dmp

Filesize
524KB

Download
memory/2464-82-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2544-72-0x0000000000800000-0x00000000010DA000-memory.dmp

Filesize
8.9MB

Download
memory/2544-54-0x0000000000800000-0x00000000010DA000-memory.dmp

Filesize
8.9MB

Download
memory/2544-57-0x0000000000800000-0x00000000010DA000-memory.dmp

Filesize
8.9MB

Download
memory/2544-63-0x0000000000800000-0x00000000010DA000-memory.dmp

Filesize
8.9MB

Download
memory/2544-73-0x0000000000800000-0x00000000010DA000-memory.dmp

Filesize
8.9MB

Download
memory/2544-61-0x0000000000800000-0x00000000010DA000-memory.dmp

Filesize
8.9MB

Download
memory/2544-55-0x00000000774D0000-0x00000000774D2000-memory.dmp

Filesize
8KB

Download
memory/2544-56-0x0000000000800000-0x00000000010DA000-memory.dmp

Filesize
8.9MB

Download
memory/2544-59-0x0000000000800000-0x00000000010DA000-memory.dmp

Filesize
8.9MB

Download
memory/2544-60-0x0000000000800000-0x00000000010DA000-memory.dmp

Filesize
8.9MB

Download
memory/2544-58-0x0000000000800000-0x00000000010DA000-memory.dmp

Filesize
8.9MB

Download
memory/2544-62-0x0000000000800000-0x00000000010DA000-memory.dmp

Filesize
8.9MB

Download
memory/2544-83-0x0000000000800000-0x00000000010DA000-memory.dmp

Filesize
8.9MB

Download
memory/2544-84-0x0000000000800000-0x00000000010DA000-memory.dmp

Filesize
8.9MB

Download