Overview

overview

9

Static

static

7

Client.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    1793s
  • max time network
    1802s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-06-2024 05:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    4.1MB

  • MD5

    6739b48a36b2608c5326f124db06bcb3

  • SHA1

    b6adddecfb69b7652f363060aeaec79586ab17f9

  • SHA256

    384ffec47a0a4278444b6d27fc893621643dbedbf76715b892625765c65a72ec

  • SHA512

    477ab4321b6143de4c88f306585573a70a7cf87150d267369ad33be33a38a3eb5f3b18d3bf92d934b98616bbaf441340d808d612ca6240cd7bb85fae3a476eab

  • SSDEEP

    98304:guWzWlWTDZL9Itk77iU/7PCfprx4oKMuk2jv+dXf0:gdfTDZL9sk77yN9u9raXf0

Score
9/10
evasionspywarestealerthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 16 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 2 IoCs
    evasion
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3736
    • C:\Windows\System32\winver.exe
      "C:\Windows\System32\winver.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C taskkill /f /im winver.exe > nul 2>nul
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4216
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im winver.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2740
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Client.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:800
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Client.exe" MD5
        3⤵
          PID:3136
        • C:\Windows\system32\find.exe
          find /i /v "md5"
          3⤵
            PID:4084
          • C:\Windows\system32\find.exe
            find /i /v "certutil"
            3⤵
              PID:2204
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM cod.exe > nul 2>nul
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2816
            • C:\Windows\system32\taskkill.exe
              TASKKILL /F /IM cod.exe
              3⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3684
          • C:\Windows\SoftwareDistribution\Download\eicfe.exe
            "C:\Windows\SoftwareDistribution\Download\eicfe.exe"
            2⤵
            • Executes dropped EXE
            PID:448
          • C:\Windows\SYSTEM32\cmd.exe
            cmd /C C:\Windows\SysWOW64\CodFix.exe > nul 2>nul
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4152
            • C:\Windows\SysWOW64\CodFix.exe
              C:\Windows\SysWOW64\CodFix.exe
              3⤵
              • Executes dropped EXE
              PID:3612
          • C:\Windows\System32\rdpclip.exe
            "C:\Windows\System32\rdpclip.exe"
            2⤵
            • Suspicious behavior: AddClipboardFormatListener
            PID:2376
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Signature checksum failed. The request was either tampered with, or your session ended and you need to run the program again. && timeout /t 5"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3880
            • C:\Windows\system32\cmd.exe
              cmd /C "color b && title Error && echo Signature checksum failed. The request was either tampered with, or your session ended and you need to run the program again. && timeout /t 5"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4484
              • C:\Windows\system32\timeout.exe
                timeout /t 5
                4⤵
                • Delays execution with timeout.exe
                PID:2508
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3684 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:1240
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4248 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:3592

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\SoftwareDistribution\Download\eicfe.exe
              Filesize

              166KB

              MD5

              e18256b25103a8ae390718bd3ca2920e

              SHA1

              dadcade4c7fa85d7179ce067c00a3d95fdacbf18

              SHA256

              4b4ec7b8c6fe3554e5684e8c4b28b7d54f265a1c3685abbd00164a976447788c

              SHA512

              2815ecb6942070cdc249c68dd67cc57e711a0d2406c21897f5f13d6f9ca5af3d5f8b82d60564d0b61a80c1b609527b0c35835c38a207b329529fa5eb3ba65cdf

              Download Submit

            • C:\Windows\SysWOW64\CodFix.exe
              Filesize

              18KB

              MD5

              f5dbd7a0a8dab5e3a23d0521e8773329

              SHA1

              5f61b55460f5bb323a72763a8703aebd9d70c812

              SHA256

              39438d4bcb0cd200b9fd1a38f517d6e4674df25fedd54f98873f3a9010ecb9a0

              SHA512

              2e20891aac5b24273a797f96d0410e35aed48ce3b217f45746335b8a7e4974c4dcc9aaada6b160edbcb1b2e59b29c02fa187dbfaf51b43feb8f8a7ce29482778

              Download Submit

            • memory/3020-14-0x0000024795BB0000-0x0000024795BE5000-memory.dmp

              Filesize

              212KB

              Download

            • memory/3020-11-0x0000024795BB0000-0x0000024795BE5000-memory.dmp

              Filesize

              212KB

              Download

            • memory/3020-13-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/3020-64-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/3020-84-0x00007FFCC1390000-0x00007FFCC1585000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/3020-9-0x0000024795BB0000-0x0000024795BE5000-memory.dmp

              Filesize

              212KB

              Download

            • memory/3020-10-0x0000024795BF0000-0x0000024795BF1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3736-5-0x00007FF7C9A70000-0x00007FF7CA541000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3736-2-0x00007FF7C9A70000-0x00007FF7CA541000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3736-6-0x00007FF7C9A70000-0x00007FF7CA541000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3736-8-0x00007FF7C9A70000-0x00007FF7CA541000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3736-7-0x00007FF7C9A70000-0x00007FF7CA541000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3736-22-0x00007FF7C9A70000-0x00007FF7CA541000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3736-21-0x00007FF7C9A70000-0x00007FF7CA541000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3736-20-0x00007FF7C9A70000-0x00007FF7CA541000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3736-23-0x00007FF7C9A70000-0x00007FF7CA541000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3736-4-0x00007FF7C9A70000-0x00007FF7CA541000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3736-1-0x00007FFCC1430000-0x00007FFCC1432000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3736-39-0x00007FF7C9A70000-0x00007FF7CA541000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3736-45-0x00007FF7C9A70000-0x00007FF7CA541000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3736-49-0x00007FF7C9A70000-0x00007FF7CA541000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3736-3-0x00007FF7C9A70000-0x00007FF7CA541000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3736-82-0x00007FF7C9A70000-0x00007FF7CA541000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3736-0-0x00007FF7C9A70000-0x00007FF7CA541000-memory.dmp

              Filesize

              10.8MB

              Download