e66fd24e29c4cd33772fbda049a4efc7b55a0c22959d0d56d0fa77bd34040864

Resubmissions

28-03-2024 09:19

240328-laa3cshc5s 10

28-03-2024 09:13

240328-k6zvxseh67 10

Analysis

max time kernel
108s
max time network
117s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
28-03-2024 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Termius.exe
Size

127.9MB
MD5

d6ac79d520b70b1e97a7efecacf0e39c
SHA1

a1081041746d5c5aedd755cc86a3c13c57d6d7f3
SHA256

c49a2a50b1e38ddc9d293a4e87dc25ceecb19019a52b5f8fb9131f64b66d873b
SHA512

bd8727b95623c12cd83e804f9c516109ad6b3fefe4b633741146890a16f45b2c820b4a368951f30b1df4d69ecb258dbdfdf62ee2a8376a557b96ed7378fa9575
SSDEEP

1572864:deuFC6t472Ah+FgOqXJniFHUfN8WZis2Vawn0fhj5h8ioZFk5/SDJPtiwhkzLUsj:2SJZqT8Ois+nQAE5m0rWEDFMk7

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Control Panel\International\Geo\Nation	Termius.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Control Panel\International\Geo\Nation	Termius.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Control Panel\International\Geo\Nation	Termius.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\ssh\shell	Termius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\termius\ = "URL:termius"	Termius.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\termius\shell\open\command	Termius.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\termius\shell	Termius.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\ssh\shell\open\command	Termius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\termius\URL Protocol	Termius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\termius\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Termius.exe\" \"%1\""	Termius.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\ssh	Termius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\ssh\URL Protocol	Termius.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\termius\shell\open	Termius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\ssh\ = "URL:ssh"	Termius.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\ssh\shell\open	Termius.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\termius	Termius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\ssh\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Termius.exe\" \"%1\""	Termius.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Termius.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Termius.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Termius.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Termius.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Termius.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Termius.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Termius.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe
Token: SeShutdownPrivilege	2212	Termius.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 3056	2212	Termius.exe	28
PID 2212 wrote to memory of 3056	2212	Termius.exe	28
PID 2212 wrote to memory of 3056	2212	Termius.exe	28
PID 2212 wrote to memory of 3056	2212	Termius.exe	28
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2772	2212	Termius.exe	29
PID 2212 wrote to memory of 2480	2212	Termius.exe	30
PID 2212 wrote to memory of 2480	2212	Termius.exe	30
PID 2212 wrote to memory of 2480	2212	Termius.exe	30
PID 2212 wrote to memory of 2480	2212	Termius.exe	30
PID 2212 wrote to memory of 1068	2212	Termius.exe	31
PID 2212 wrote to memory of 1068	2212	Termius.exe	31
PID 2212 wrote to memory of 1068	2212	Termius.exe	31
PID 2212 wrote to memory of 1068	2212	Termius.exe	31
PID 2212 wrote to memory of 2164	2212	Termius.exe	32
PID 2212 wrote to memory of 2164	2212	Termius.exe	32
PID 2212 wrote to memory of 2164	2212	Termius.exe	32
PID 2212 wrote to memory of 2164	2212	Termius.exe	32
PID 2212 wrote to memory of 2156	2212	Termius.exe	33
PID 2212 wrote to memory of 2156	2212	Termius.exe	33
PID 2212 wrote to memory of 2156	2212	Termius.exe	33
PID 2212 wrote to memory of 2156	2212	Termius.exe	33
PID 2212 wrote to memory of 1480	2212	Termius.exe	34
PID 2212 wrote to memory of 1480	2212	Termius.exe	34
PID 2212 wrote to memory of 1480	2212	Termius.exe	34
PID 2212 wrote to memory of 1480	2212	Termius.exe	34

C:\Users\Admin\AppData\Local\Temp\Termius.exe
"C:\Users\Admin\AppData\Local\Temp\Termius.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\Termius.exe
  C:\Users\Admin\AppData\Local\Temp\Termius.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Termius /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Termius\Crashpad --url=https://o76327.ingest.sentry.io/api/193727/minidump/?sentry_key=55af16af94074b88844cd7e16f535fa5 --annotation=_productName=Termius --annotation=_version=8.10.4 --annotation=plat=Win32 --annotation=prod=Electron "--annotation=sentry___initialScope={\"environment\":\"production\"}" --annotation=ver=21.4.4 --initial-client-data=0x2f8,0x2fc,0x300,0x2f0,0x304,0x7ce5bc0,0x7ce5bd0,0x7ce5bdc
  2⤵
  PID:3056
- C:\Users\Admin\AppData\Local\Temp\Termius.exe
  "C:\Users\Admin\AppData\Local\Temp\Termius.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Termius" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1188 --field-trial-handle=1228,i,6792281857877826351,4791852182516374023,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2772
- C:\Users\Admin\AppData\Local\Temp\Termius.exe
  "C:\Users\Admin\AppData\Local\Temp\Termius.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Termius" --mojo-platform-channel-handle=1604 --field-trial-handle=1228,i,6792281857877826351,4791852182516374023,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\Termius.exe
  "C:\Users\Admin\AppData\Local\Temp\Termius.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Termius" --app-user-model-id=electron.app.Termius --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1920 --field-trial-handle=1228,i,6792281857877826351,4791852182516374023,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  PID:1068
- C:\Users\Admin\AppData\Local\Temp\Termius.exe
  "C:\Users\Admin\AppData\Local\Temp\Termius.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Termius" --app-user-model-id=electron.app.Termius --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1952 --field-trial-handle=1228,i,6792281857877826351,4791852182516374023,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  PID:2164
- C:\Users\Admin\AppData\Local\Temp\Termius.exe
  "C:\Users\Admin\AppData\Local\Temp\Termius.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Termius" --app-user-model-id=electron.app.Termius --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1744 --field-trial-handle=1228,i,6792281857877826351,4791852182516374023,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  PID:2156
- C:\Users\Admin\AppData\Local\Temp\Termius.exe
  "C:\Users\Admin\AppData\Local\Temp\Termius.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Termius" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1320 --field-trial-handle=1228,i,6792281857877826351,4791852182516374023,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:1480

C:\Users\Admin\AppData\Local\Temp\Termius.exe
"C:\Users\Admin\AppData\Local\Temp\Termius.exe" --new-window
1⤵
PID:2796
- C:\Users\Admin\AppData\Local\Temp\Termius.exe
  C:\Users\Admin\AppData\Local\Temp\Termius.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Termius /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Termius\Crashpad --url=https://o76327.ingest.sentry.io/api/193727/minidump/?sentry_key=55af16af94074b88844cd7e16f535fa5 --annotation=_productName=Termius --annotation=_version=8.10.4 --annotation=plat=Win32 --annotation=prod=Electron "--annotation=sentry___initialScope={\"environment\":\"production\"}" --annotation=ver=21.4.4 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2ec,0x300,0x7ce5bc0,0x7ce5bd0,0x7ce5bdc
  2⤵
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e7122375e0d3d551cfc02d113bbfc26

SHA1
d3833f3133588e380c358e641d1212beb3e50cfc

SHA256
e88cc722131583adf156ca3ecefd2997c5bbe3e9e2a55aba58244d6cefc6dd70

SHA512
58090ed17a46e61c7241f1259c583dbe78e6773a1a17338eb2fa575a96ba40ed5174d38f4c58141cba8d9041258f12a762945a63d0d5bf2902aef790381ab9f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f6fa7f6893265dd41ac85152fa9cb324

SHA1
ee81992fe5d589d7fffe534720926290d4e11724

SHA256
0aaccf24b79984c8247909ec391698515bdebc45d3998aebc96d02afd94892a0

SHA512
2e8d8a67cfbcba444211f22015006f890e89c9f8fb925fd81d7b4b2941ed5840aada6ff5bf58beab018a80d7b1bc25788750b8e32f4d7f3059d3006ca1293288

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8176.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Termius\275d7e16-5e02-4a53-b394-c83a480b1705.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\Termius\Cache\Cache_Data\f_000001

Filesize
441KB

MD5
4604e676a0a7d18770853919e24ec465

SHA1
415ef3b2ca0851e00ebaf0d6c9f6213c561ac98f

SHA256
a075b01d9b015c616511a9e87da77da3d9881621db32f584e4606ddabf1c1100

SHA512
3d89c21f20772a8bebdb70b29c42fca2f6bffcda49dff9d5644f3f3910b7c710a5c20154a7af5134c9c7a8624a1251b5e56ced9351d87463f31bed8188eb0774

Download Submit
C:\Users\Admin\AppData\Roaming\Termius\Crashpad\settings.dat

Filesize
40B

MD5
f3980861a3e0dde670068f260b4c232e

SHA1
ad1273b19f11b7c2416c2139e3107537e0a8c50f

SHA256
a9bb82fa1c308151febec09e630d8e98e3ba21c9eedfd50ea73f97f5f8fd468d

SHA512
94855cd83019b2eef6a7e554786ea6ff8f9dabeebe0765a87b40e831bb22a4ee666861c6dac29bd743f8e9b263c08eec02cda52c91c873fc70adefaf90669d94

Download Submit
C:\Users\Admin\AppData\Roaming\Termius\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\Termius\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\Termius\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\Termius\Local Storage\leveldb\CURRENT~RFf767668.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Termius\sentry\scope_v2.json

Filesize
1KB

MD5
7d87e452c963a54a0b45248f304b9cce

SHA1
f540cb05fda22c6bbfb7614c0a57f3a212ea0206

SHA256
37f278cbfff394c759e86a5c51aa10ed645e0ab472d284c94c02b61b61540bb9

SHA512
cfce3782bf1472d673588b426ed5469dafec5e623f96cabe9cbc8caa8f2a5861a49c228ef6b9f89c5af307970148c153c00160ff3a795ab780e54cd0dcf6187f

Download Submit
memory/2212-65-0x000000000A780000-0x000000000A781000-memory.dmp

Filesize
4KB

Download
memory/2212-398-0x000000000A780000-0x000000000A781000-memory.dmp

Filesize
4KB

Download
memory/2772-5-0x0000000008410000-0x0000000008411000-memory.dmp

Filesize
4KB

Download