Analysis
-
max time kernel
1801s -
max time network
1362s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
26-03-2024 19:35
General
-
Target
Crystal Temp+ Perm/Aremi v3_protected.exe
-
Size
5.8MB
-
MD5
30818cad2e5983aa365339ac70ed29ec
-
SHA1
76c48c83c2d891f9a307b3a087b7ca29b844c06e
-
SHA256
8a956dd81ce0c500f2a8ca58febde609733686dae94c91263ad7bc560e4ba9a4
-
SHA512
a33f0a91f7fb37996bad0992256c23d83b78fb7335c28c257fb4b97648eb69a7399f47486b61c16a1890e5139891ad70ffbd677ec4edadb62aaac702384e12a3
-
SSDEEP
98304:HqvT9n5S50x9ojeVlqHOEULzgLOLkD9KCAbN3pwim/OIgWMDgdMCMDgx:K7TSypVlASLzsJ9KdNZ6gWMDgdMCMDgx
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
AgentTesla payload 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 6 IoCs
-
Themida packer 24 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Crystal Temp+ Perm\Aremi v3_protected.exe"C:\Users\Admin\AppData\Local\Temp\Crystal Temp+ Perm\Aremi v3_protected.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\crystal temp+ perm\aremi v3_protected.exe"c:\users\admin\appdata\local\temp\crystal temp+ perm\aremi v3_protected.exe "2⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Crystal Temp+ Perm\aremi v3_protected.exeFilesize
1.6MB
MD51b49c25d797f1a978d11c8334d693995
SHA116f8272975123b5f2e1af72c038a30737823c3e1
SHA2567ab837a255697285865c093d5c6fe44f36e0cf72febaabbdc97634fdae0a4f69
SHA5120f28f88380dc1bccdad371dd1f19927706fad760c6c5a2f3a6b4072fb772234533148f3d990c42d13c1f683536f1b1974b7c8412d5158643af07cb1a9c5a3ebf
-
C:\Windows\Resources\Themes\explorer.exeFilesize
1.2MB
MD5181718e1c57c1e2e79aefef1ac60fbd4
SHA1d8e73ec0ac1ee3788b7decdcac521af683b56f32
SHA256db421493ff89db58e73a61fdd542dda8d6b75b4c41a15681ce978de151beb75a
SHA512b760d4e9f148db70efd0f8d2e58d8b7479d51b13e810a67c4b04c1fade92c4b35034bab625683b1df76488ed2b8e938141d42047416cc04295f9b323869fef1f
-
C:\Windows\Resources\Themes\explorer.exeFilesize
1.1MB
MD5eb8cce9604d8e6e6cdb8596e7b0570dc
SHA1821013dddaa14cd717d973589529a5d34a8e3654
SHA256ba68d794c5331f15c1ce4a72c167e295f21d3db3031ca68408f6ee27dc89e64d
SHA512bd14f02501925dad80fef0d88897846ec6cb775ddfc523d8d3d850b33d931f713f108a7e0138ec3349af9af129aa71393181352ddecd44ec4e6c3a8c61cee026
-
C:\Windows\Resources\Themes\icsys.icn.exeFilesize
1.4MB
MD537c7f90ea38a7fed9b9a9c6304eccbcf
SHA179571dedf7acf2e541f7103e7baf4bc20ed60512
SHA256a15bb0664b0a60ca6a22b1b4dee767e26cbf9357ea158acfb7e2b15bb24e7d47
SHA512706a05b71306ad05e4dcdf7ec5935fb29620bdc1f8843726def415371a437f272877868495e876c27733255e6bfd7f1db508d589900404d3f3d08ca1914adc90
-
C:\Windows\Resources\Themes\icsys.icn.exeFilesize
1.6MB
MD53f9d3d2ff14fc62a685a39c9adcea239
SHA195f2c087553d565802e29ef9093c1b9010cf8f47
SHA256b71774e26375085f0880f087d68969dbcc0f64ded0ac1a3a64c24309366448b9
SHA512d3db11fb5bece6621adc3e1a402d7ef74d6002c19b94a05f894f14ccf28c6e25409ce3de5ba51bdfe3c15ac6795b2acae54d7ed9b06a54d90b7cffea730997e5
-
C:\Windows\Resources\spoolsv.exeFilesize
4.7MB
MD5a78b5589cc36dc45b6452d0cfe68ba56
SHA1a35efc4451e0259cc3772d2b86feb82bb0e86ee0
SHA256bbb494314f9863e42a8d37f7d83ab97251910efdbad594997a8fb1fb3c7f19f8
SHA512b791875d20536193455e94637a8563d50500eb3566a2742ba40dbea86b2f3f282cb10eac35664144fe480e6c911e8791a37bd7158c214f9c8742776e2c2d31b7
-
C:\Windows\Resources\spoolsv.exeFilesize
3.4MB
MD5828dab3f9dfefd0b0aed4575f5d4814a
SHA178decf050832928372fb4c51c9fcaa6ab12b7fd5
SHA25647e0ef4f3e5ded64a3681b8ee6990490a3a8bc950ea538f3d20c3ba1a1e1c28a
SHA51275175588effcfc1c4a9445511783f2ecc00d61741076c00f9efc0a4f5752ab079eb76b97bb3cba1033fd35d0e113fd1c78977937651a4a2db9c4520d2411b23a
-
C:\Windows\Resources\svchost.exeFilesize
3.6MB
MD5f35ca50f422fb57de0662f9a4c734e19
SHA17bca735e7568226270b184ba362f996407be9c14
SHA256b28128b1cfa2433dc94aca355fea9fd92a91a114bf03a6545fa7d5073655821f
SHA5129dd721ab33c7e22b05d9c908d45afb6ac76e013a39d2c41d9eaf3c3607e807fce31caea87a03150686c8bdbad857c24712b4f1a08e06fb2937210d3952cd4e18
-
\??\c:\windows\resources\svchost.exeFilesize
4.7MB
MD540e839434e45ad2c762f187436422f12
SHA10db093a2861de4a2732c19de9c5d3457b94f4078
SHA25620460288cdfae4713ec175e36e19292525089392b1eeb21a82147c5a18ac5c02
SHA512b7cec071588e06d64aed75285d487cc993ad84ce267646bfd3ce98181389661bfb48ead7a5efc62881610296e5421527511b314ee79c113e7ed2bf8413f7b0f2
-
memory/980-107-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/980-93-0x0000000000400000-0x0000000000FEB000-memory.dmpFilesize
11.9MB
-
memory/980-98-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/980-99-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/980-100-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/980-94-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/980-106-0x0000000000400000-0x0000000000FEB000-memory.dmpFilesize
11.9MB
-
memory/1672-0-0x0000000000400000-0x0000000000FEB000-memory.dmpFilesize
11.9MB
-
memory/1672-3-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/1672-4-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/1672-1-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/1672-18-0x0000000000400000-0x0000000000FEB000-memory.dmpFilesize
11.9MB
-
memory/1672-5-0x0000000077DC4000-0x0000000077DC6000-memory.dmpFilesize
8KB
-
memory/1672-30-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/1672-31-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/1672-35-0x0000000000400000-0x0000000000FEB000-memory.dmpFilesize
11.9MB
-
memory/1672-40-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/1672-39-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/1672-2-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/2432-81-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/2432-79-0x0000000000400000-0x0000000000FEB000-memory.dmpFilesize
11.9MB
-
memory/2432-112-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/2432-113-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/2432-114-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/2432-116-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/2432-80-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/2432-83-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/2432-110-0x0000000000400000-0x0000000000FEB000-memory.dmpFilesize
11.9MB
-
memory/2988-45-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/2988-85-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/2988-53-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/2988-96-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/2988-84-0x0000000000400000-0x0000000000FEB000-memory.dmpFilesize
11.9MB
-
memory/2988-127-0x0000000000400000-0x0000000000FEB000-memory.dmpFilesize
11.9MB
-
memory/2988-111-0x0000000000400000-0x0000000000FEB000-memory.dmpFilesize
11.9MB
-
memory/2988-97-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/2988-47-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/2988-101-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/2988-44-0x0000000000400000-0x0000000000FEB000-memory.dmpFilesize
11.9MB
-
memory/2988-46-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/2988-95-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/3180-78-0x00000000094F0000-0x000000000952C000-memory.dmpFilesize
240KB
-
memory/3180-102-0x0000000005620000-0x0000000005630000-memory.dmpFilesize
64KB
-
memory/3180-65-0x0000000005620000-0x0000000005630000-memory.dmpFilesize
64KB
-
memory/3180-21-0x0000000006210000-0x0000000006424000-memory.dmpFilesize
2.1MB
-
memory/3180-20-0x0000000005770000-0x000000000577A000-memory.dmpFilesize
40KB
-
memory/3180-19-0x0000000005620000-0x0000000005630000-memory.dmpFilesize
64KB
-
memory/3180-54-0x0000000005620000-0x0000000005630000-memory.dmpFilesize
64KB
-
memory/3180-62-0x0000000074E30000-0x00000000755E0000-memory.dmpFilesize
7.7MB
-
memory/3180-17-0x00000000056B0000-0x0000000005742000-memory.dmpFilesize
584KB
-
memory/3180-52-0x0000000008D40000-0x0000000008D52000-memory.dmpFilesize
72KB
-
memory/3180-16-0x0000000005C60000-0x0000000006204000-memory.dmpFilesize
5.6MB
-
memory/3180-15-0x0000000074E30000-0x00000000755E0000-memory.dmpFilesize
7.7MB
-
memory/3180-14-0x0000000000CA0000-0x0000000000E3E000-memory.dmpFilesize
1.6MB
-
memory/4064-61-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/4064-63-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/4064-60-0x0000000000400000-0x0000000000FEB000-memory.dmpFilesize
11.9MB
-
memory/4064-108-0x0000000000400000-0x0000000000FEB000-memory.dmpFilesize
11.9MB
-
memory/4064-109-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/4064-66-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/4756-68-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/4756-67-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/4756-64-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/4756-89-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/4756-77-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/4756-82-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/4756-88-0x0000000000400000-0x0000000000FEB000-memory.dmpFilesize
11.9MB
-
memory/4756-51-0x0000000000400000-0x0000000000FEB000-memory.dmpFilesize
11.9MB
-
memory/4756-29-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/4756-28-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/4756-27-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/4756-26-0x0000000077200000-0x00000000772F0000-memory.dmpFilesize
960KB
-
memory/4756-25-0x0000000000400000-0x0000000000FEB000-memory.dmpFilesize
11.9MB