Overview

overview

9

Static

static

7

SecuriteIn...70.exe

windows7-x64

9

SecuriteIn...70.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/11/2023, 10:16

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.W32.ClipBanker.BM.gen.Eldorado.29544.5170.exe

  • Size

    5.7MB

  • MD5

    c0ef9d267c5557088c0724b75f1d10b5

  • SHA1

    160a3a4bd2522bf2da9959d46bef2066d69b4e35

  • SHA256

    2b4eb665e3459f0bad9d1564c0e9bcf603057c73996290344c92b6c42d6bc66d

  • SHA512

    ec13ee5881737f0fef46b2657c5d5d40ebe7d52867063801cb9fdabc19ce062c22da799b1a1c7616024f835aee0b340d338abe8e08d64cda4f427ad162cf2031

  • SSDEEP

    98304:Pl1miR1gYgNgqVpbTYVgZoj47MZ5FV0ZIvY4mQj1zvJvHfc10YS29F+bfbJBQJqP:ZgYgNvpbXZ778hsIvY6j15fc1S26TbvP

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Themida packer 35 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.ClipBanker.BM.gen.Eldorado.29544.5170.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.ClipBanker.BM.gen.Eldorado.29544.5170.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4756
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s3o4.0.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2612
      • C:\ProgramData\pinterests\XRJNZC.exe
        "C:\ProgramData\pinterests\XRJNZC.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4360
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
          4⤵
          • Creates scheduled task(s)
          PID:4228
  • C:\ProgramData\pinterests\XRJNZC.exe
    C:\ProgramData\pinterests\XRJNZC.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:1440
  • C:\ProgramData\pinterests\XRJNZC.exe
    C:\ProgramData\pinterests\XRJNZC.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3728

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\pinterests\XRJNZC.exe
          Filesize

          5.7MB

          MD5

          c0ef9d267c5557088c0724b75f1d10b5

          SHA1

          160a3a4bd2522bf2da9959d46bef2066d69b4e35

          SHA256

          2b4eb665e3459f0bad9d1564c0e9bcf603057c73996290344c92b6c42d6bc66d

          SHA512

          ec13ee5881737f0fef46b2657c5d5d40ebe7d52867063801cb9fdabc19ce062c22da799b1a1c7616024f835aee0b340d338abe8e08d64cda4f427ad162cf2031

          Download Submit

        • C:\ProgramData\pinterests\XRJNZC.exe
          Filesize

          5.7MB

          MD5

          c0ef9d267c5557088c0724b75f1d10b5

          SHA1

          160a3a4bd2522bf2da9959d46bef2066d69b4e35

          SHA256

          2b4eb665e3459f0bad9d1564c0e9bcf603057c73996290344c92b6c42d6bc66d

          SHA512

          ec13ee5881737f0fef46b2657c5d5d40ebe7d52867063801cb9fdabc19ce062c22da799b1a1c7616024f835aee0b340d338abe8e08d64cda4f427ad162cf2031

          Download Submit

        • C:\ProgramData\pinterests\XRJNZC.exe
          Filesize

          5.7MB

          MD5

          c0ef9d267c5557088c0724b75f1d10b5

          SHA1

          160a3a4bd2522bf2da9959d46bef2066d69b4e35

          SHA256

          2b4eb665e3459f0bad9d1564c0e9bcf603057c73996290344c92b6c42d6bc66d

          SHA512

          ec13ee5881737f0fef46b2657c5d5d40ebe7d52867063801cb9fdabc19ce062c22da799b1a1c7616024f835aee0b340d338abe8e08d64cda4f427ad162cf2031

          Download Submit

        • C:\ProgramData\pinterests\XRJNZC.exe
          Filesize

          5.7MB

          MD5

          c0ef9d267c5557088c0724b75f1d10b5

          SHA1

          160a3a4bd2522bf2da9959d46bef2066d69b4e35

          SHA256

          2b4eb665e3459f0bad9d1564c0e9bcf603057c73996290344c92b6c42d6bc66d

          SHA512

          ec13ee5881737f0fef46b2657c5d5d40ebe7d52867063801cb9fdabc19ce062c22da799b1a1c7616024f835aee0b340d338abe8e08d64cda4f427ad162cf2031

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\s3o4.0.bat
          Filesize

          176B

          MD5

          6f3b1c931861427ccf8d31b5fa64da9f

          SHA1

          7c76006c9c96d37f6de35e178beb0d0dc14aaa90

          SHA256

          55bcbd0610a067c72ba9ca3e947ea10ccfc0ceefad6db133f730131874f05612

          SHA512

          f570e58e127940cc4c9dd455fbd1aa484aeda6252f360b003d244079b8c97f67892bccbb91ffe6f5d537442cd48745bd18c4f294ea59e36027140f3f67e4f2c3

          Download Submit

        • memory/1440-54-0x0000000002190000-0x0000000002191000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1440-66-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/1440-50-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/1440-51-0x0000000002130000-0x0000000002131000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1440-52-0x0000000002150000-0x0000000002151000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1440-55-0x00000000021A0000-0x00000000021A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1440-67-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/1440-53-0x0000000002180000-0x0000000002181000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1440-65-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/1440-64-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/1440-63-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/1440-56-0x00000000021B0000-0x00000000021B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1440-62-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/1440-57-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/3728-78-0x0000000003E00000-0x0000000003E01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3728-81-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/3728-92-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/3728-77-0x0000000002350000-0x0000000002351000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3728-79-0x0000000003E10000-0x0000000003E11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3728-80-0x0000000003E20000-0x0000000003E21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3728-74-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/3728-75-0x0000000002330000-0x0000000002331000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3728-76-0x0000000002340000-0x0000000002341000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4360-42-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/4360-29-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/4360-41-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/4360-43-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/4360-44-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/4360-45-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/4360-46-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/4360-37-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/4360-49-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/4360-36-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4360-34-0x0000000000F50000-0x0000000001DA8000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/4360-35-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4360-33-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4360-32-0x00000000006F0000-0x00000000006F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4360-30-0x00000000006D0000-0x00000000006D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4360-31-0x00000000006E0000-0x00000000006E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4756-24-0x00000000007C0000-0x0000000001618000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/4756-8-0x00000000007C0000-0x0000000001618000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/4756-20-0x00000000007C0000-0x0000000001618000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/4756-17-0x00000000007C0000-0x0000000001618000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/4756-16-0x00000000007C0000-0x0000000001618000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/4756-15-0x00000000007C0000-0x0000000001618000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/4756-14-0x00000000007C0000-0x0000000001618000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/4756-13-0x00000000007C0000-0x0000000001618000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/4756-12-0x0000000077614000-0x0000000077616000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4756-0-0x00000000007C0000-0x0000000001618000-memory.dmp

          Filesize

          14.3MB

          Download

        • memory/4756-7-0x00000000037D0000-0x00000000037D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4756-6-0x00000000037C0000-0x00000000037C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4756-5-0x00000000037B0000-0x00000000037B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4756-4-0x00000000037A0000-0x00000000037A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4756-3-0x0000000003770000-0x0000000003771000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4756-2-0x0000000003760000-0x0000000003761000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4756-1-0x00000000007C0000-0x0000000001618000-memory.dmp

          Filesize

          14.3MB

          Download