Overview

overview

9

Static

static

7

restartserwera.exe

windows7-x64

9

restartserwera.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    19s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    03-02-2024 23:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    restartserwera.exe

  • Size

    7.2MB

  • MD5

    42b54c18a31575f62928dc111d7ba088

  • SHA1

    3ca800a94077a984b82d342a42fa395802019fd8

  • SHA256

    54b394e487b094033d97e0901a84bf00f6db63e8ea180d077f3fd2ee288b7ece

  • SHA512

    f4212b622ccaac8253ff8b39fe9865abe3e077c4553c3ea7f0ab8c374827c296b664b5d9b9d7299c0ef310f54cd9164c7a0aa09d32f468184cccf38935676652

  • SSDEEP

    196608:c3oNerYFMMHYglsdDsfBT++Dht3kbJmqCh0WsVSjeOI+:c3oNerYFJlQs5ThUmqCWVX1+

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\restartserwera.exe
    "C:\Users\Admin\AppData\Local\Temp\restartserwera.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start https://discord.gg/coders
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/coders
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    bd9efea5e6ffa7ed48d1da154b5d77c9

    SHA1

    d64f977ad21b5050ad43ef3caffc724ed4630d77

    SHA256

    c7cd197e81ae69e858178bae506b8131276ba4baef4409911501c7dde92f260d

    SHA512

    46f218e13e769c0ad033abd3b8d77c19e538bce3ec4ec5ac2e85dfa93f3693f4418481262ab0048fa5e405fd4c00e758bb11ff1727ed79f4a20cb1bfffcbf84e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    2c9ec408e7b138438fe11c7d9db6fa92

    SHA1

    d085ca0ead08468178632368988bde10795ba9b4

    SHA256

    11e28c8242162789d5cdaa07b3304a33dfd65b8b9fb2850b1253a9b1f3c4dc89

    SHA512

    a54d2c0c50ca113d422c6022c13e6de0ecb39fa727007bf218855f691f04ac2a5262556eba1d93c80758e0dcdbe79a372923e119d4a0f1e5678632a24a04dd34

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    bb81a3bad84b5d07c7e8167a95cfef07

    SHA1

    4129699c3bc863544115e89f57fc2a360c10c908

    SHA256

    8b04f4fb7048bef9970e46ef8423e866b6793b26b16f9d5c9219e2f22162cd15

    SHA512

    095df3c34ac299a46e38e1bd4dd56c146f95850a4ffcb35a50aa30c479c94e3810a3f08252b95b7806acd577ff0867908d216e1e199cbfcf21fe3c67904f5894

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    21d5706b2afc250addb0687e8852a88d

    SHA1

    d5c711836b9e53fe754616b4f5fb8f3937edcf05

    SHA256

    79856eaf8849efc914b009923d720c4dafbc73ab7f2dad9c2440b52c5d70074d

    SHA512

    c8ebdec15b55598d527a3f2c0b2e8ad932836511d766b5c401ffe7340e0d5541e562231be2f63eaa91285c95bc8a281789531604ce3d38fd5a81911701eab08e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    610e9a1702f82d050aa5b259056ee4a2

    SHA1

    069fafbb970627cea7ca938908ca12c93a72e647

    SHA256

    aaa354f53f1362f850b7e37f6645a21d0656f1a284a275a516ec95b2eb663e09

    SHA512

    ad587aa31fccbdd8248a133b7159e94c5b064fd41766ee69fc08cdc5b140ac5678aaf456746485d47c4fd9f95e34dfee44d0052b5f924744218e6921fc3adc51

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    a1182f9536f168fa89e937fff1306eaa

    SHA1

    945878ccc53a86ad90f85b872d23dc2b4299021b

    SHA256

    284493e8d432ca5dd4beb8b95c0abe1d4dcb4756ab289a922a7419e4a952b978

    SHA512

    fb16e2ffdbbb9c53389bac5fc3f560b6a027dbedb48f0bff2f3694dac7fd61a67585c4b18c4dc2c1a6313a5621c48365e9b4ea8fc597943d8ad1558fabe9ce12

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    3dc6894d7b88794c4472757e9ecdcda9

    SHA1

    5bbb5e8da26d64bfc57addd27c6e7b20ad0a2e10

    SHA256

    e8ef35f7f2a9a1b3d60eac96a0d06c9b5fd8978adc74bc7d4a77f7c096db5ebc

    SHA512

    22fcdd93ae2f2d358fbbe2dce639ff971e833c625da248a25904eb790d3b58fe036bcc66b2f8310a6f3eba71d7c6162820484cdd557bff8f04ea5bbc627cc003

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    c900765a25d1770cf6b323fe4fe4944c

    SHA1

    e284e102c57ab3abcd75c90d5d1c6588cbd3f075

    SHA256

    bbb2759c9389868b93d1d3680c76b37a30c5d243c996d956056004c20dd8cb04

    SHA512

    5c1e229ce3cabca31ed8d53f7ef099e4bf07089144caec73a6a054b851e5d51e37addf17cf18644e30736f8aefae5824d98b43eb811688e5a6bb5d034e4fb54d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    3768605fcf71a9c4b38f34fd2888f8ce

    SHA1

    d80faac68834df23231c447b99f93ac428c13dcd

    SHA256

    10f7c74aa6c70ea4ab2737c1ca83c8c7b690c77be6304685d79a8aab7349ae8f

    SHA512

    d545fbe4e4367e9663882337c35a1aa436f74883573f200515ce60984187d4adc212709fbc1d9b52e16d3ce8ccdbf7c1aef1f19b37654cb08cfe1b84ff507437

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    93a2ca5ae7158023e36fb167487aaa2d

    SHA1

    ccdb4a45ff44142bc13448cc9bbc589e30757cf2

    SHA256

    abbcd93f9a2875c4d1db7377086209bc46698b7be910a1f846d867c06ea5c05b

    SHA512

    b26fcce850038606c7e3732bbc284a234e85aa6ba8a02a416b28cc35ebb973863b2993bf279ddbededcf61209289d0e7bfca955b6776082b5a4b713d2cf1c220

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    57028624ea96271fd0ef9fd1d780c5ef

    SHA1

    2b127e9250af08cb0ba3cbd78a1e5b9487515a8e

    SHA256

    2570345d49e7f13c02779650e51af0db562b1d087d334c5c670dbaf87b89d541

    SHA512

    98444bde934a2222dfb5ea0ab04a02a004327c444aa0a735a6ef2a3b545a5af6c1b342523ec3dd1d74f076157de659366d60b30d5fe6aebb6b8b158e3cce5bf2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    0f90741c97ad3a3a8a6bb2a310fc154d

    SHA1

    02aef84a9e5f3c78d78048aaac5f46e54b0a0c4f

    SHA256

    cd92fc01951ea6fc0623e0075a9ea48d355d1c9298c5b3578ab34200ba861f17

    SHA512

    f3bd38244dfff004d2ee9bfd86b5780da31665b508853b62da1d8b74f9ddb3b8648045ebb5f95979b6186bc3f7f4638defb1ca4260a03bf1380e83ff0cc9d3ba

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\b5orqwt\imagestore.dat
    Filesize

    24KB

    MD5

    7b9f0b74886c2d340f40e6638de5bf98

    SHA1

    8c495729b04e03890bf5e2f17c3ff24c2763ba78

    SHA256

    a0780ec2ec9daa545b09e4586ac7e7bb9e4eb420e0af47a3235551af5e585698

    SHA512

    41accbabed57fcb89d5da2c9012a350cadd83b541f0c5d3445b07b156ea8862a11485dc3a9b366135561e6cc949599b81510cfe7adece522165e3da4a423f915

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LFTKP12M\favicon[1].ico
    Filesize

    23KB

    MD5

    ec2c34cadd4b5f4594415127380a85e6

    SHA1

    e7e129270da0153510ef04a148d08702b980b679

    SHA256

    128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

    SHA512

    c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab1E98.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar1F39.tmp
    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    Download Submit

  • memory/2256-8-0x000007FE80010000-0x000007FE80011000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2256-24-0x000000013F130000-0x00000001401F5000-memory.dmp

    Filesize

    16.8MB

    Download

  • memory/2256-15-0x0000000062800000-0x0000000062813000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2256-10-0x000007FEFCF10000-0x000007FEFCF7C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2256-0-0x000000013F130000-0x00000001401F5000-memory.dmp

    Filesize

    16.8MB

    Download

  • memory/2256-5-0x0000000076F70000-0x0000000077119000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2256-6-0x0000000180000000-0x0000000180305000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2256-3-0x0000000000180000-0x0000000000181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2256-2-0x000007FEFCF10000-0x000007FEFCF7C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2256-1-0x000007FEFCF10000-0x000007FEFCF7C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2256-867-0x000000013F130000-0x00000001401F5000-memory.dmp

    Filesize

    16.8MB

    Download

  • memory/2256-868-0x000007FEFCF10000-0x000007FEFCF7C000-memory.dmp

    Filesize

    432KB

    Download