Overview

overview

10

Static

static

10

Install Termius.exe

windows10-1703-x64

5

$PLUGINSDI...er.dll

windows10-1703-x64

1

$PLUGINSDI...ls.dll

windows10-1703-x64

3

$PLUGINSDI...em.dll

windows10-1703-x64

3

$PLUGINSDI...ll.dll

windows10-1703-x64

3

Termius.exe

windows10-1703-x64

5

locales/de.ps1

windows10-1703-x64

1

resources/...ar.dll

windows10-1703-x64

3

resources/...dex.js

windows10-1703-x64

1

resources/...or.dll

windows10-1703-x64

3

resources/...46.dll

windows10-1703-x64

3

resources/...o2.dll

windows10-1703-x64

3

resources/...js.dll

windows10-1703-x64

3

resources/...48.dll

windows10-1703-x64

1

resources/...20.dll

windows10-1703-x64

3

resources/...b1.dll

windows10-1703-x64

3

resources/...us.dll

windows10-1703-x64

3

resources/...dex.js

windows10-1703-x64

1

resources/...nt.dll

windows10-1703-x64

3

resources/...ng.dll

windows10-1703-x64

3

resources/elevate.exe

windows10-1703-x64

1

vk_swiftshader.dll

windows10-1703-x64

3

vulkan-1.dll

windows10-1703-x64

3

resources/...gs.dll

windows10-1703-x64

1

resources/...ng.dll

windows10-1703-x64

1

resources/elevate.exe

windows10-1703-x64

1

$PLUGINSDI...ec.dll

windows10-1703-x64

3

$PLUGINSDI...7z.dll

windows10-1703-x64

3

$R0/Uninst...us.exe

windows10-1703-x64

5

$PLUGINSDI...em.dll

windows10-1703-x64

3

$PLUGINSDI...ll.dll

windows10-1703-x64

3

$PLUGINSDI...ec.dll

windows10-1703-x64

3

Resubmissions

23-05-2024 17:43

240523-waxw8sag81 10

07-05-2024 14:30

240507-rvdlwabb6s 10

25-03-2024 12:06

240325-n94j3aaa9v 10

Analysis

  • max time kernel
    153s
  • max time network
    186s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    25-03-2024 12:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Termius.exe

  • Size

    127.9MB

  • MD5

    616115fcb2df66fc74c913e7bea40645

  • SHA1

    fb73df51d80d8ea976929b7367127dad5e411a52

  • SHA256

    b98a1facf293368e387c7053c064ffabebb23f39023e046f7cf37661e4cbc95b

  • SHA512

    f417c1a8d45c4d379d8e96a17cbb2dd440beb1975f30ada2648dea075b09bed850255ba3c24481ceb29f4aa24c750ca797f2b844c54bea5d47714d773d77a127

  • SSDEEP

    1572864:PeuFC6t472Ah+FgOqXJniFHUfN8WZis2Vawn0fhj5h8ioZFk5/SDJPtiwhkzLUsB:YSJZqT8Ois+nQAE5m0rWEDFMk5

Score
5/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 14 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Termius.exe
    "C:\Users\Admin\AppData\Local\Temp\Termius.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:220
    • C:\Users\Admin\AppData\Local\Temp\Termius.exe
      C:\Users\Admin\AppData\Local\Temp\Termius.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Termius /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Termius\Crashpad --url=https://o76327.ingest.sentry.io/api/193727/minidump/?sentry_key=55af16af94074b88844cd7e16f535fa5 --annotation=_productName=Termius --annotation=_version=8.9.9 --annotation=plat=Win32 --annotation=prod=Electron "--annotation=sentry___initialScope={\"environment\":\"production\"}" --annotation=ver=21.4.4 --initial-client-data=0x458,0x46c,0x474,0x470,0x478,0x7da5bc0,0x7da5bd0,0x7da5bdc
      2⤵
        PID:2740
      • C:\Users\Admin\AppData\Local\Temp\Termius.exe
        "C:\Users\Admin\AppData\Local\Temp\Termius.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Termius" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1744,i,5307858083990605468,12781611085632430454,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        2⤵
          PID:236
        • C:\Users\Admin\AppData\Local\Temp\Termius.exe
          "C:\Users\Admin\AppData\Local\Temp\Termius.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Termius" --mojo-platform-channel-handle=2312 --field-trial-handle=1744,i,5307858083990605468,12781611085632430454,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
          2⤵
            PID:1496
          • C:\Users\Admin\AppData\Local\Temp\Termius.exe
            "C:\Users\Admin\AppData\Local\Temp\Termius.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Termius" --app-user-model-id=electron.app.Termius --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2692 --field-trial-handle=1744,i,5307858083990605468,12781611085632430454,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
            2⤵
            • Checks computer location settings
            PID:4716
          • C:\Users\Admin\AppData\Local\Temp\Termius.exe
            "C:\Users\Admin\AppData\Local\Temp\Termius.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Termius" --app-user-model-id=electron.app.Termius --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2752 --field-trial-handle=1744,i,5307858083990605468,12781611085632430454,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
            2⤵
            • Checks computer location settings
            PID:904
          • C:\Users\Admin\AppData\Local\Temp\Termius.exe
            "C:\Users\Admin\AppData\Local\Temp\Termius.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Termius" --app-user-model-id=electron.app.Termius --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1744,i,5307858083990605468,12781611085632430454,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
            2⤵
            • Checks computer location settings
            PID:368
          • C:\Users\Admin\AppData\Local\Temp\Termius.exe
            "C:\Users\Admin\AppData\Local\Temp\Termius.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\Termius" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4056 --field-trial-handle=1744,i,5307858083990605468,12781611085632430454,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4240

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Termius\IndexedDB\file__0.indexeddb.leveldb\CURRENT
          Filesize

          16B

          MD5

          46295cac801e5d4857d09837238a6394

          SHA1

          44e0fa1b517dbf802b18faf0785eeea6ac51594b

          SHA256

          0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

          SHA512

          8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Termius\Network\Network Persistent State
          Filesize

          537B

          MD5

          c7dcaedf1c37b5098e6c1f6c1db32c4e

          SHA1

          5794ba8b5648c77bf1ca7c4626a11f00caf60c58

          SHA256

          fa29651e9730279c502a82c047b96cb0d993addda242da4eca568466bf86b204

          SHA512

          d70b5bb016a342fd5a7cbcc4490913eb65eb909ab38ae0fe0a421317c32bcff1d0312038bab73bd84199bf62ebb4abf90b439b318c13d8753fc7a2b57a7b5ddd

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Termius\Network\Network Persistent State~RFe58d31a.TMP
          Filesize

          59B

          MD5

          2800881c775077e1c4b6e06bf4676de4

          SHA1

          2873631068c8b3b9495638c865915be822442c8b

          SHA256

          226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

          SHA512

          e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Termius\ff83584c-da6e-4cfd-a6b0-2b4158d84d8d.tmp
          Filesize

          57B

          MD5

          58127c59cb9e1da127904c341d15372b

          SHA1

          62445484661d8036ce9788baeaba31d204e9a5fc

          SHA256

          be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

          SHA512

          8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Termius\sentry\scope_v2.json
          Filesize

          5KB

          MD5

          7c5f14d102ea457038680599dc6320f7

          SHA1

          ba3a26d0a10df0043a1593e7c622f8419ea55aaf

          SHA256

          89784a0d7c6aeba80d50d496ec4912f33c30a86690dcb4a10c78007b99e83ba9

          SHA512

          cb558a60c5cd3b11bbfc0d4927a0030b4a9adfe78d4d7bcd7454bed659b68c46dcbe6b0280244387e6252e69e51114b1064d1ed9e30547cdd09d88f505189738

          Download Submit