Analysis Overview
SHA256
a23ecb9d07a0b5a9a01a03243d7dd8d4f65226c6e66345d145583332e7ebd26a
Threat Level: Shows suspicious behavior
The file files.zip was found to show suspicious behavior.
Malicious Activity Summary
Themida packer
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-09 13:08
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 13:05
Reported
2024-04-09 13:10
Platform
win10v2004-20240319-en
Max time kernel
11s
Max time network
35s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe"
Network
| Country | Destination | Domain | Proto |
| US | 13.107.246.64:443 | N/A | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.250.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 172.217.168.234:443 | N/A | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 13:05
Reported
2024-04-09 13:12
Platform
win11-20240221-en
Max time kernel
128s
Max time network
152s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-09 13:05
Reported
2024-04-09 13:12
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
160s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe.config
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-09 13:05
Reported
2024-04-09 13:12
Platform
win11-20240221-en
Max time kernel
84s
Max time network
94s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe.config
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |