Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

Analysis

  • max time kernel
    5s
  • max time network
    21s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08-05-2024 08:35

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913.exe

  • Size

    389KB

  • MD5

    d6078bbecc15a333c6171debc4488498

  • SHA1

    ca57a639ec0fc1a6489b69278478c5845a4c046b

  • SHA256

    8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913

  • SHA512

    912f67baa141bb846a12568c94d5dfbd6d6cdefe0a036a9249accd83e9ee460bc8863758c8bd5cdac7a0af3f481194b57ef414378ebb400967579ba6d736469e

  • SSDEEP

    6144:vLFJaFBq+TaKqqrlBLSIOHGt8i3/gmjX/RBdRP2gjycIeVMO+ZyeR:vOlldCGt//gmjXjdR+KjFVMPZN

Score
10/10
evasionexecutionthemidatrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Downloads MZ/PE file
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913.exe
    "C:\Users\Admin\AppData\Local\Temp\8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3800
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:568
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      2⤵
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4352
      • C:\Users\Admin\Pictures\AxKV3Uzy867JwmiaBrbqU7gM.exe
        "C:\Users\Admin\Pictures\AxKV3Uzy867JwmiaBrbqU7gM.exe"
        3⤵
        • Executes dropped EXE
        PID:1788
        • C:\Users\Admin\AppData\Local\Temp\u1do.0.exe
          "C:\Users\Admin\AppData\Local\Temp\u1do.0.exe"
          4⤵
            PID:4596
        • C:\Users\Admin\Pictures\VDVvJvqrj95KXcYNry0FtUnc.exe
          "C:\Users\Admin\Pictures\VDVvJvqrj95KXcYNry0FtUnc.exe"
          3⤵
            PID:232
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              4⤵
              • Command and Scripting Interpreter: PowerShell
              PID:1680
          • C:\Users\Admin\Pictures\4Vxa22gIH29Mk38MxdmXlfyo.exe
            "C:\Users\Admin\Pictures\4Vxa22gIH29Mk38MxdmXlfyo.exe"
            3⤵
              PID:3312
            • C:\Users\Admin\Pictures\VFBtPAAuETOdUu9kYmuUmsOc.exe
              "C:\Users\Admin\Pictures\VFBtPAAuETOdUu9kYmuUmsOc.exe"
              3⤵
                PID:2152
              • C:\Users\Admin\Pictures\dPM2WPw8gRFpYKrVegv8tnod.exe
                "C:\Users\Admin\Pictures\dPM2WPw8gRFpYKrVegv8tnod.exe"
                3⤵
                  PID:780
                • C:\Users\Admin\Pictures\PKLpnG5JAVNlKNSVx5HdZ2aG.exe
                  "C:\Users\Admin\Pictures\PKLpnG5JAVNlKNSVx5HdZ2aG.exe"
                  3⤵
                    PID:1340
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                  2⤵
                    PID:1548
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                  1⤵
                    PID:3768
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                    1⤵
                      PID:4820

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j2gnyyzh.cg2.ps1
                      Filesize

                      60B

                      MD5

                      d17fe0a3f47be24a6453e9ef58c94641

                      SHA1

                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                      SHA256

                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                      SHA512

                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\u1do.0.exe
                      Filesize

                      226KB

                      MD5

                      6891c527d4d65692716c149981e770ff

                      SHA1

                      ac4ba0be44795c437f860d710bdd0e3157d17caf

                      SHA256

                      b37a558c37740094e51a1b04fa05280e3f28b2592f5881d96ae5f5a05e2c5902

                      SHA512

                      1195f321c53df745aec5350e606293507f89e8f3dce3b1c58244f6a6eb9de5cdacdc222960663f7b3e03be69804bbbf8905764c2d1a21dc745e21edba9112e15

                      Download Submit

                    • C:\Users\Admin\Pictures\AxKV3Uzy867JwmiaBrbqU7gM.exe
                      Filesize

                      367KB

                      MD5

                      c90428760a8081ea0cc1f8482cd5d957

                      SHA1

                      10361e74c70852bf754c36ec4b801a72626af453

                      SHA256

                      fb72cbf91f8f821b6089d93b681cf491ebdbe40e4ebdefa42024372325810e12

                      SHA512

                      55c2cb510a61b30f1872b46afbf0692231ec5f7d54e005f767b80225e12e22cf96a3dcf899d82aac7c0d605c319f107a5bca5770c986629f221daccecab9b8fd

                      Download Submit

                    • C:\Users\Admin\Pictures\F0gcTddEotD5tdsJYuCzczHW.exe
                      Filesize

                      7KB

                      MD5

                      77f762f953163d7639dff697104e1470

                      SHA1

                      ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

                      SHA256

                      d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

                      SHA512

                      d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

                      Download Submit

                    • C:\Users\Admin\Pictures\PKLpnG5JAVNlKNSVx5HdZ2aG.exe
                      Filesize

                      2.6MB

                      MD5

                      11fa099427de1758fb2db7d4838900c7

                      SHA1

                      56bac68b0f6b8327492c2a2e0d5ffc5f06c797c0

                      SHA256

                      f4c782f429689beabe535ac02bd11c61b5a50f444f621718727cb824eb78e4d4

                      SHA512

                      5f6ab124b0acdd83a7cd92e44c8c19387c16c131081750e3878b93c458b115b0ae26d0e717231955a90784c3326da8ca994b13563f8ac317a48e405046be5565

                      Download Submit

                    • C:\Users\Admin\Pictures\VDVvJvqrj95KXcYNry0FtUnc.exe
                      Filesize

                      4.1MB

                      MD5

                      2b280af8564ec31c459cf1a1cc024321

                      SHA1

                      466a34bfd20669a2ab3aa4cb3c56926eff4fe117

                      SHA256

                      9de5d9efe2d90bacce4f3768ce583e72a8122c7125ac99450ae82595f860d07d

                      SHA512

                      ccd8fb268c558989df1f831733b9166bd89b6cbe3616cad90d377c8aa3611311cb0210e3ca84e767a175d3c25db9ca9e39251ade6e8a449b6630867ec51fdb37

                      Download Submit

                    • C:\Users\Admin\Pictures\VFBtPAAuETOdUu9kYmuUmsOc.exe
                      Filesize

                      4.1MB

                      MD5

                      ece5f529c7e61852edaff1b04f091406

                      SHA1

                      b76da008f9db8d7389661e7f2babdf364a33e02d

                      SHA256

                      8f1928c0b27b9a4226c459938d0f28444b2c32b39f64ed872469a54a4f556faf

                      SHA512

                      32e71e0fde425b8425c909feda5292b0401ab9f7137b6ca8f13c7014262d4de48f431722408a491043d6587d7f3a855a298cbabe05cea1a22cfec3e822f5376c

                      Download Submit

                    • C:\Windows\System32\GroupPolicy\gpt.ini
                      Filesize

                      127B

                      MD5

                      8ef9853d1881c5fe4d681bfb31282a01

                      SHA1

                      a05609065520e4b4e553784c566430ad9736f19f

                      SHA256

                      9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

                      SHA512

                      5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

                      Download Submit

                    • memory/568-6-0x00007FFA0A4D3000-0x00007FFA0A4D5000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/568-13-0x0000029BF2E80000-0x0000029BF2EA2000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/568-17-0x00007FFA0A4D0000-0x00007FFA0AF92000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/568-22-0x00007FFA0A4D0000-0x00007FFA0AF92000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/568-7-0x00007FFA0A4D0000-0x00007FFA0AF92000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/1340-101-0x0000000140000000-0x00000001408F4000-memory.dmp

                      Filesize

                      9.0MB

                      Download

                    • memory/3800-23-0x00007FFA0A4D0000-0x00007FFA0AF92000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/3800-0-0x00007FFA0A4D3000-0x00007FFA0A4D5000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/3800-3-0x00007FFA0A4D0000-0x00007FFA0AF92000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/3800-2-0x0000019819FE0000-0x000001981A03E000-memory.dmp

                      Filesize

                      376KB

                      Download

                    • memory/3800-1-0x0000019819AB0000-0x0000019819ABA000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/4352-5-0x000000007519E000-0x000000007519F000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4352-4-0x0000000000400000-0x0000000000408000-memory.dmp

                      Filesize

                      32KB

                      Download