Analysis
max time kernel: 13s
max time network: 14s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/06/2024, 23:45

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: thraxv2.exe
  Resource: win10v2004-20240611-en
  5 signatures, 300 seconds
General
Target: thraxv2.exe
Size: 66.6MB
MD5: b97a9d91e3f7a275e5b4f29de356b2fb
SHA1: 8f12afb3d4a93847e918b5402af22621acf957bd
SHA256: ad30658ce6a1789a1aba53be2ce805f544f32ad754fa131d8ee221f362cc93f0
SHA512: b5e8d75220fd2bceb9a838d54b75432067393332b256b45391958e8e77845b9f3c72b82749017768a90cb38ae757cad2ddb835bb588fe6a421b3086550dad002
SSDEEP: 1572864:k7T5M6A29Cr0WIOfZL1GzvZeXjI4PWthlP5h8h:cqB29BifF1IvZez1Wt
Score
5/10
Malware Config
Signatures
- Suspicious use of NtSetInformationThreadHideFromDebugger (13 IoCs)
  pid / process: 5484 thraxv2.exe, for all 13 events
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid / process: 5484 thraxv2.exe, for all 24 events
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / process: 5484 thraxv2.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / process: 5484 thraxv2.exe, for both events
- Suspicious use of WriteProcessMemory (8 IoCs; each write is reported twice)
  description | pid | process | procid_target
  PID 5484 wrote to memory of 1208 | 5484 | thraxv2.exe | 85
  PID 5484 wrote to memory of 1208 | 5484 | thraxv2.exe | 85
  PID 1208 wrote to memory of 4332 | 1208 | cmd.exe | 87
  PID 1208 wrote to memory of 4332 | 1208 | cmd.exe | 87
  PID 1208 wrote to memory of 3472 | 1208 | cmd.exe | 88
  PID 1208 wrote to memory of 3472 | 1208 | cmd.exe | 88
  PID 1208 wrote to memory of 2780 | 1208 | cmd.exe | 89
  PID 1208 wrote to memory of 2780 | 1208 | cmd.exe | 89
  Every target here is the writer's direct child in the process tree below (1208 is spawned by 5484; 4332, 3472 and 2780 by 1208), so these writes coincide with process creation rather than with injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\thraxv2.exe (PID 5484)
  Command line: "C:\Users\Admin\AppData\Local\Temp\thraxv2.exe"
  Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 1208)
    Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\thraxv2.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\certutil.exe (PID 4332)
      Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\thraxv2.exe" MD5
    - C:\Windows\system32\find.exe (PID 3472)
      Command line: find /i /v "md5"
    - C:\Windows\system32\find.exe (PID 2780)
      Command line: find /i /v "certutil"

The only child activity is the sample hashing its own image on disk: certutil computes the MD5 of thraxv2.exe, and the two find /v filters drop certutil's "MD5 hash of file ..." header and "CertUtil: ... completed" footer so that only the bare digest reaches the parent, which is the shape of a self-integrity check. No network activity or dropped files appear in this run.
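As an added example (not part of this report and not Triage's own signature logic), the Python below flags the pattern in the tree above: a certutil -hashfile invocation whose target path is the image of one of its own ancestor processes. The event records and their field names are constructed here from the report's process tree, not taken from a real log export; the certutil default of SHA1 when no algorithm is given is what the tool documents.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event. Field names are an assumption of this
    example, not a Triage export format; ppid 0 marks the tree root."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree in this report.
EVENTS = [
    ProcEvent(5484, 0, r"C:\Users\Admin\AppData\Local\Temp\thraxv2.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\thraxv2.exe"'),
    ProcEvent(1208, 5484, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c certutil -hashfile '
              r'"C:\Users\Admin\AppData\Local\Temp\thraxv2.exe" MD5 '
              r'| find /i /v "md5" | find /i /v "certutil"'),
    ProcEvent(4332, 1208, r"C:\Windows\system32\certutil.exe",
              r'certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\thraxv2.exe" MD5'),
    ProcEvent(3472, 1208, r"C:\Windows\system32\find.exe", r'find /i /v "md5"'),
    ProcEvent(2780, 1208, r"C:\Windows\system32\find.exe", r'find /i /v "certutil"'),
]

# A quoted path stays one token; anything else splits on whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths whole and dropping the quotes."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def hashfile_target(ev):
    """Return (path, algorithm) if ev is 'certutil -hashfile <path> [algo]', else None."""
    if ntpath.basename(ev.image).lower() != "certutil.exe":
        return None
    toks = tokens(ev.cmdline)
    lowered = [t.lower() for t in toks]
    if "-hashfile" not in lowered:
        return None
    i = lowered.index("-hashfile")
    if i + 1 >= len(toks):
        return None  # no file argument: certutil would just print usage
    algo = toks[i + 2] if i + 2 < len(toks) else "SHA1"  # certutil's documented default
    return toks[i + 1], algo.upper()


def detect_self_hash(events):
    """Flag certutil -hashfile runs whose target is an ancestor's own image.

    Each finding records the self-hashing process, the certutil process, the
    algorithm, the intermediate PIDs (e.g. a cmd.exe hop) and any find.exe
    siblings that post-process certutil's output.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        hit = hashfile_target(ev)
        if hit is None:
            continue
        target, algo = hit
        via, seen = [], set()
        cur = by_pid.get(ev.ppid)
        while cur is not None and cur.pid not in seen:
            seen.add(cur.pid)
            if cur.image.lower() == target.lower():
                filters = [e.cmdline for e in events
                           if e.ppid == ev.ppid
                           and ntpath.basename(e.image).lower() == "find.exe"]
                findings.append({"self_hash_pid": cur.pid, "certutil_pid": ev.pid,
                                 "algorithm": algo, "via": via,
                                 "output_filters": filters})
                break
            via.append(cur.pid)
            cur = by_pid.get(cur.ppid)
    return findings


if __name__ == "__main__":
    for f in detect_self_hash(EVENTS):
        print(f)
```

Matching on the ancestor chain rather than only on the direct parent is what catches this sample, since the hash request is routed through cmd.exe; a certutil run against some other file, or one with no hashing ancestor, produces no finding.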