Malware Analysis Report

2025-08-05 23:04

Sample ID 240412-cwm5dace47
Target Geforce-experience.exe
SHA256 d7278046445b08ca84aa61ae91d87ce9ed49c9101b3b9a7788741289457d65e8
Tags
themida agenttesla evasion keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d7278046445b08ca84aa61ae91d87ce9ed49c9101b3b9a7788741289457d65e8

Threat Level: Known bad

The file Geforce-experience.exe was found to be: Known bad.

Malicious Activity Summary

themida agenttesla evasion keylogger spyware stealer trojan

AgentTesla

AgentTesla payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-12 02:25

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-12 02:25

Reported

2024-04-12 02:32

Platform

win10v2004-20240226-en

Max time kernel

302s

Max time network

296s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Geforce-experience.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Geforce-experience.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Geforce-experience.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Geforce-experience.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Geforce-experience.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Geforce-experience.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\Geforce-experience.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\Geforce-experience.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Geforce-experience.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Geforce-experience.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Geforce-experience.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Geforce-experience.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Geforce-experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Geforce-experience.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Geforce-experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Geforce-experience.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Geforce-experience.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Geforce-experience.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Geforce-experience.exe

"C:\Users\Admin\AppData\Local\Temp\Geforce-experience.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Network


Files
