64f622a1f573000d62900a8b048d8971a9b9c8b750aa077973d9e5deb0b50d7c

Resubmissions

Analysis

max time kernel
123s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AppFile_v4/setup.exe
Size

797.0MB
MD5

62e9d7714c85c824642d896247187aa5
SHA1

1dc0cc3541a93049c13effb36d9fbe27444a5c48
SHA256

604201c7cc370c0975b74c769f900a00267c048f7f3e0ece835f75b93e1ab839
SHA512

1c8057dde21fb7e2879bad756b8f3622085b02e206018e3bed91d63e05c028a8d984a6e8fcef543ba6a7c7584788d98811ca21aaf7602c12d2924a96a0a4f920
SSDEEP

98304:fWAHmwZ7DfvzXXxAam+/toU1LYnnzbHpZQBTZV:fRH3Znv7hAnuYPJZQ

Score

10^/10

evasion spyware stealer themida trojan

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

setup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

setup.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ setup.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Users\Admin\Documents\SimpleAdobe\kp2Ox4rS9phe2af8H6mPN57x.exe	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

setup.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation setup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	setup.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1980-0-0x0000000140000000-0x0000000140D0E000-memory.dmp	themida
behavioral1/memory/1980-8-0x0000000140000000-0x0000000140D0E000-memory.dmp	themida
behavioral1/memory/1980-10-0x0000000140000000-0x0000000140D0E000-memory.dmp	themida
behavioral1/memory/1980-7-0x0000000140000000-0x0000000140D0E000-memory.dmp	themida
behavioral1/memory/1980-9-0x0000000140000000-0x0000000140D0E000-memory.dmp	themida
behavioral1/memory/1980-18-0x0000000140000000-0x0000000140D0E000-memory.dmp	themida
behavioral1/memory/1980-21-0x0000000140000000-0x0000000140D0E000-memory.dmp	themida
behavioral1/memory/1980-29-0x0000000140000000-0x0000000140D0E000-memory.dmp	themida
behavioral1/memory/1980-169-0x0000000140000000-0x0000000140D0E000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

setup.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA setup.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

38 ipinfo.io
35 api.myip.com
36 api.myip.com
37 ipinfo.io

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

flow	ioc
38	ipinfo.io
35	api.myip.com
36	api.myip.com
37	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

setup.exe

pid process

1980 setup.exe
1980 setup.exe

pid	process
1980	setup.exe
1980	setup.exe

C:\Users\Admin\AppData\Local\Temp\AppFile_v4\setup.exe
"C:\Users\Admin\AppData\Local\Temp\AppFile_v4\setup.exe"
1⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3616

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\SimpleAdobe\06W57P8O528HHmGomk4ZMzv1.exe
Filesize
1.3MB

MD5
a97d24cc8f19c45ab500d935e1d911fc

SHA1
ee10e964b8e2fcf3aaadae427b11a2c920d2316a

SHA256
955fb1a3afb27a02086df849a0acfc5c0fe1070ec26bdebf6b90177aa32778b7

SHA512
2dcebd28dbd378c8b5a3b6874a9b6f210cf8c62a9e91510deacf0fa6d18f80ef4bda09a04fc601db37dfcf7c049aec5102a90a6a35e0a41e4868cc6573d63ad2

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\0NGk1tcdNGeYxlaPHdy9WSIN.exe
Filesize
340KB

MD5
c8cad70465e9fbdfd084dbacb2065f9e

SHA1
afcc9a9e680b9fbaba8ce01ed524c559cf970c53

SHA256
62f2b3fa98a0f9aa9b90b4174f9886faaa0c7b3fe8827dd24115faf26af15c93

SHA512
42c49e622acee89c44f72f0d732dc76619ece1d7ff67a87877859104b2632747e771d211c5a0265f91797eedb65347d5d7fd9cc0babac543e030aff64f19b86c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\3RhM_ZvwI8CqxHzwyc3N0TSe.exe
Filesize
421KB

MD5
505b64b9feafa422a03c0348ef0fa690

SHA1
187a7f6355498077f6042be86dbc5feff89880b9

SHA256
3920e42e0f905ebb9209a184f314cac6c45b11ab20aac43f22a35e935d1804e5

SHA512
0de819b0d26362338775c189326a129349c272781f7a248b2c83ed8b3d343decb7f8566a43816f881836372a6125033c6c6b3ddaabdc4fe9c15e3f09195f318e

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\JExQHG2BGTcd1Y0hv9mAFErg.exe
Filesize
7.3MB

MD5
23f5a800ff80df357974bbf2a872c6e9

SHA1
24d9e300bb466d5ce3f23cb7c072f01d97e3f7c4

SHA256
e4373a7ddfa4684b5c509cfc44f4bcf7a9c948c63c320d9d830555c5bc991e3b

SHA512
baaf594f590fe95ae306f4525dc3fdb2ce97225de8a6acbcbef3e3c37a4616be7bee22a37330ae96b5194f39a78dcb2796e36a33ec324f2d129d8737b67793b4

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\KY9uC_92FyNET0QShkP5QzwL.exe
Filesize
3.6MB

MD5
f39ed4e6caf549915a96b72522d3eb6b

SHA1
30504b56a971bd936f501df480b7fb0745529f1d

SHA256
7bb36bb136cee4cee06f8ff38efacabb0e60e24e838964ba8c5e49568fa75982

SHA512
f59950f7c0f2c4832d6e7e85caedc9a6fb83b92aa47696dbcb961e4ed74b891956b3aeebe103facef68244d29450fc432bada04e033da725405cf2130bf1273d

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\OjFKTek0Y8iYbDMabj6jFieK.exe
Filesize
3.6MB

MD5
131e367009cf014321e7a70e70c4067c

SHA1
4c02332af53519fdae235f804f5144ba9c7e725d

SHA256
c4c7045103f42bea7bc9afb11433e4f49d767be0d0b28b678a824e5627804b89

SHA512
3702fefbcf4eab279484359f61d997b7c32d9c77dd9e255a44e96de9373d18b68ff262037494203f181c359aca549020dcfea3db01d11f8f51e224261259f99e

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Yyi_58NxkEJDhah5A2Z3769N.exe
Filesize
2.8MB

MD5
64e769e16f853835dd768a9b65626407

SHA1
87c0e29f2335809e3e70aaee47187db3ee8ceece

SHA256
5ece0d233ac404577a0ae14c8195299d239e4bbf3cb004b56cdeddf77de94733

SHA512
f275730523bbf75d6f96bef1255be756fd84ae570d0d5aae7f29a513da15b2d7f9b1b057912accb15be5de27e80067b2e83a07b4e78968cb412c2f0ffdd35879

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\d5u7y0QTaF8Q_Jh3czzGuzV3.exe
Filesize
2.8MB

MD5
17687f01ca5191c5e9dd733b30248ea2

SHA1
9b63db46a9d58b945dd9b850236ed8d4d7d3567a

SHA256
37b3035464123d188316fc8e7574f2e31768df08aca8e9dc2adceb41d34f2428

SHA512
d366482d520fb250de54441daa9744129e692c24faeec2e7dce071370cfeeb00b50ef10fe47a3d788d3c4a17719d6133420ab99c6384798ea2017dca6260eb3c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\eTBkDnOwGX_kNMkybsUaRTDA.exe
Filesize
458KB

MD5
995e6c3faf10464676b5f22da4f6061f

SHA1
02fd7c9b128409e1bf0e767bdbe44c651540cd7d

SHA256
09e688885879f6058c6567e45d61431b5b3c560ee8cc05df310177a21a508d23

SHA512
ab0df0d8dd569a5a68c3bf107a5c7c13d3642a8d7e76ec48011a950daeed0ab3f822354da8099988dfe175e9f8dc6632b1e57260e176c64629ff309d98e9ed2e

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\ge94imcvc6c3ucxK3Sl7f9AQ.exe
Filesize
1.8MB

MD5
147c6b51cb9b68f7a0a42a29c859164f

SHA1
3e708ef7e1d6655b27a7370cb7719a5ff2dbeacf

SHA256
fb85b81253e6dd25198bbabb4dffd3628e07a9b7f1543a5aae299a360eed43ec

SHA512
3ae6e4c5b2cf06961d3aad7dca6b4f1be71c8f487d38e49ae633f67e76ebc69041b604fed8d7df2f5dd8554370555470bf3f5d58cd9866e36769d12857c7fc4c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\inYpuWzaE7w8WsVeYeeJxJMk.exe
Filesize
310KB

MD5
ee84f59af8cb2ba82f1086a18c9b14bf

SHA1
72a4e51c7cdedb2dd402dd1da5624cce5463bad6

SHA256
f11cf678986fa5c45fd77952c802f46c802e4ef255d0cb1785336cccb9071c2e

SHA512
0578130df3d32df6a7e72b0acf5baa3b431b9ee10b1fa3671b031d15ca5f5d9b2f35d51ee6efacac9fd17a0ef78a05b41b8f315b8add0b81d0f080e6e846dbeb

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\jPuETxY_X68qc95JEBmiqBgT.exe
Filesize
314KB

MD5
f090e9622ff313cab77d204330acb92f

SHA1
d7424e2a25d416985ec3bb7f8319d395814ccb66

SHA256
83d6c17e232f80d694ae45b4b3afb4e707ecc1530c62a82a2fc539db6f8b6cd0

SHA512
b129d3a7d97cd553ca37dcc1227c6e64ec9f3345bac2328ab97ae85ad9977f3fd07913688a24e84e0288d6986fd598d8b4f602911b92ca56677e67ec691fe859

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\kp2Ox4rS9phe2af8H6mPN57x.exe
Filesize
5.0MB

MD5
fb89f0ac0b34c519fed9aa4e2ad7cd3a

SHA1
9c26c8b4b6674abcdce46e8bf36a4b051338c052

SHA256
ae973d44c63b1057e21f61ea517d31e9ae1998d8ff074dc25fdf608cfc7664b1

SHA512
3a46cc216145ae1a7d3c8d2d59d2b8e5c782e1a84dcc5cad85dbda302269ec7e32916e8dee1f596c8685136d255cdbc65a1828579e93afcb1c51b6922d310186

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\qtAzUiOJBep7HwYJDwdbEX17.exe
Filesize
6.1MB

MD5
4cc9eaca83cb8342f7baefcd5584e5a3

SHA1
fe669d4204fd2954301a9fca0e498d611a1e034b

SHA256
5092f2dea769bc6d2e39c41961a92307e527809d04c0e61435abc9ff687cb97c

SHA512
13332ba334e65a22c922a203244f137cf87eb152c6ae43fcbda2f511e88d5f10f18c95774ade40d8fbe8ccca03cb8e78bb97ff419cd5351e7b3ba9d7ddb32149

Download Submit
memory/1980-8-0x0000000140000000-0x0000000140D0E000-memory.dmp

Filesize
13.1MB

Download
memory/1980-10-0x0000000140000000-0x0000000140D0E000-memory.dmp

Filesize
13.1MB

Download
memory/1980-21-0x0000000140000000-0x0000000140D0E000-memory.dmp

Filesize
13.1MB

Download
memory/1980-20-0x00007FFF1908B000-0x00007FFF1908C000-memory.dmp

Filesize
4KB

Download
memory/1980-18-0x0000000140000000-0x0000000140D0E000-memory.dmp

Filesize
13.1MB

Download
memory/1980-9-0x0000000140000000-0x0000000140D0E000-memory.dmp

Filesize
13.1MB

Download
memory/1980-7-0x0000000140000000-0x0000000140D0E000-memory.dmp

Filesize
13.1MB

Download
memory/1980-29-0x0000000140000000-0x0000000140D0E000-memory.dmp

Filesize
13.1MB

Download
memory/1980-0-0x0000000140000000-0x0000000140D0E000-memory.dmp

Filesize
13.1MB

Download
memory/1980-6-0x00007FFF19070000-0x00007FFF1912E000-memory.dmp

Filesize
760KB

Download
memory/1980-1-0x00007FFF1908B000-0x00007FFF1908C000-memory.dmp

Filesize
4KB

Download
memory/1980-2-0x00007FFF19070000-0x00007FFF1912E000-memory.dmp

Filesize
760KB

Download
memory/1980-3-0x00007FFF19070000-0x00007FFF1912E000-memory.dmp

Filesize
760KB

Download
memory/1980-4-0x00007FFF19070000-0x00007FFF1912E000-memory.dmp

Filesize
760KB

Download
memory/1980-169-0x0000000140000000-0x0000000140D0E000-memory.dmp

Filesize
13.1MB

Download
memory/1980-5-0x00007FFF19070000-0x00007FFF1912E000-memory.dmp

Filesize
760KB

Download