Analysis
- max time kernel: 59s
- max time network: 74s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2024 09:13
Behavioral tasks (task: sample, resource)
- behavioral1: Install Termius.exe, win10v2004-20240226-en
- behavioral2: $PLUGINSDIR/SpiderBanner.dll, win10v2004-20231215-en
- behavioral3: $PLUGINSDIR/StdUtils.dll, win10v2004-20240226-en
- behavioral4: $PLUGINSDIR/System.dll, win10v2004-20240226-en
- behavioral5: $PLUGINSDIR/WinShell.dll, win10v2004-20240226-en
- behavioral6: resources/app.asar.unpacked/node_modules/@termius/registry-js/dist/lib/index.js, win10v2004-20240226-en
- behavioral7: resources/app.asar.unpacked/node_modules/@termius/registry-js/dist/lib/registry.js, win10v2004-20240319-en
- behavioral8: resources/app.asar.unpacked/node_modules/@termius/registry-js/win-ia32/registry.dll, win10v2004-20240226-en
- behavioral9: resources/app.asar.unpacked/node_modules/@termius/restore-mas-purchase/index.js, win10v2004-20240226-en
- behavioral10: resources/app.asar.unpacked/node_modules/@termius/serialport-bindings/build/Release/bindings.node/index.js, win10v2004-20231215-en
- behavioral11: resources/app.asar.unpacked/node_modules/@termius/serialport-bindings/lib/darwin.js, win10v2004-20240226-en
- behavioral12: resources/app.asar.unpacked/node_modules/@termius/serialport-bindings/lib/index.js, win10v2004-20240226-en
- behavioral13: resources/app.asar.unpacked/node_modules/@termius/serialport-bindings/lib/legacy.js, win10v2004-20240226-en
- behavioral14: resources/app.asar.unpacked/node_modules/@termius/serialport-bindings/lib/linux-list.js, win10v2004-20240226-en
- behavioral15: resources/app.asar.unpacked/node_modules/@termius/serialport-bindings/lib/linux.js, win10v2004-20240226-en
- behavioral16: resources/app.asar.unpacked/node_modules/@termius/serialport-bindings/lib/poller.js, win10v2004-20240226-en
- behavioral17: resources/app.asar.unpacked/node_modules/@termius/serialport-bindings/lib/unix-read.js, win10v2004-20240226-en
- behavioral18: resources/app.asar.unpacked/node_modules/@termius/serialport-bindings/lib/unix-write.js, win10v2004-20240226-en
- behavioral19: resources/app.asar.unpacked/node_modules/@termius/serialport-bindings/lib/win32-sn-parser.js, win10v2004-20231215-en
- behavioral20: resources/app.asar.unpacked/node_modules/@termius/serialport-bindings/lib/win32.js, win10v2004-20240226-en
- behavioral21: resources/app.asar.unpacked/node_modules/@termius/serialport-bindings/win-ia32/bindings.dll, win10v2004-20240226-en
- behavioral22: resources/app.asar.unpacked/node_modules/@termius/windows-iap-bridge/build/Release/binding.node/index.js, win10v2004-20240226-en
- behavioral23: resources/app.asar.unpacked/node_modules/@termius/windows-iap-bridge/lib/main.js, win10v2004-20240226-en
- behavioral24: resources/app.asar.unpacked/node_modules/@termius/windows-iap-bridge/win-ia32/binding.dll, win10v2004-20240319-en
- behavioral25: resources/app.asar.unpacked/out/shell-integration/bashrc.sh, win10v2004-20240226-en
- behavioral26: resources/app.asar.unpacked/out/shell-integration/shrc.sh, win10v2004-20240226-en
- behavioral27: resources/elevate.exe, win10v2004-20240226-en
- behavioral28: vk_swiftshader.dll, win10v2004-20240226-en
- behavioral29: vulkan-1.dll, win10v2004-20240226-en
- behavioral30: $PLUGINSDIR/nsExec.dll, win10v2004-20240226-en
- behavioral31: $PLUGINSDIR/nsis7z.dll, win10v2004-20231215-en
- behavioral32: $R0/Uninstall Termius.exe, win10v2004-20240226-en
General
- Target: resources/app.asar.unpacked/out/shell-integration/bashrc.sh
- Size: 1KB
- MD5: b97b17710549e1455a522e49d4f691d2
- SHA1: 43bdf9c6250029cc207ab37e482fe572842a68fa
- SHA256: 7ebf5ff6a15228778758f14d08c3abbd6098ab6bf6a8cbcfbe5f74eabb054cb7
- SHA512: d0a7c8fcadfdd104e60ffb7e7ef1527dea64d0acb0b83d692b87d3eef895f72bbfd185214350adb61f14cb11b51897e8e64995f34bcd53a920f7bf322f2f9cc1
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (16 IoCs)
  Processes: cmd.exe, OpenWith.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.sh | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\sh_auto_file | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.sh\ = "sh_auto_file" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\ま㸘⨀蠀㭀端Ʌ | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\ま㸘⨀蠀㭀端Ʌ\ = "sh_auto_file" | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\み㸙⬀耀Ɔ\ = "sh_auto_file" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\sh_auto_file\shell\edit | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\sh_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\sh_auto_file\shell | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\sh_auto_file\shell\edit\command | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\sh_auto_file\shell\open | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\sh_auto_file\shell\open\command | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\sh_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\み㸙⬀耀Ɔ | OpenWith.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  pid | process
  384 | NOTEPAD.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | process
  3960 | OpenWith.exe
- Suspicious use of SetWindowsHookEx (21 IoCs)
  pid | process
  3960 | OpenWith.exe (the same entry is recorded 21 times, once per hook call)
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | process | target process
  PID 3960 wrote to memory of 384 | 3960 | OpenWith.exe | NOTEPAD.EXE
  PID 3960 wrote to memory of 384 | 3960 | OpenWith.exe | NOTEPAD.EXE
Processes (process tree; depth shown in brackets)
- [1] C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\out\shell-integration\bashrc.sh
  signatures: Modifies registry class
  PID: 2868
- [1] C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  PID: 3960
  - [2] C:\Windows\system32\NOTEPAD.EXE
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\out\shell-integration\bashrc.sh
    signatures: Opens file in notepad (likely ransom note)
    PID: 384
- [1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=748 --field-trial-handle=2588,i,4353937220825226770,7138584070663735671,262144 --variations-seed-version /prefetch:8
  PID: 3484