b172ceb8fabfc98c6384540a45beb3dbc05d6a85fdf86e1878079c77ff3be80b

Analysis

max time kernel
71s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tidal Installer.exe
Size

3.3MB
MD5

928c096b170bbcfd789c2268bbcab9b4
SHA1

0ef18c6ba24139b948dc8edfa1e58355eca1134f
SHA256

b172ceb8fabfc98c6384540a45beb3dbc05d6a85fdf86e1878079c77ff3be80b
SHA512

9f68618103ad9cd1a79c9816be945783c61f9744c01156f384aa73cfe62552fca080f806db0de04ea74d2e0b05a06c50382de14530442e7630c08c3d48a94117
SSDEEP

98304:vRm0mz8HH3Uh8Lk8W2Zs2blQCccENb+Y7anx:ZTC8kck72BQDcib+Y7

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Tidal Installer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Tidal.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Tidal Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Tidal Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Tidal.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Tidal.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation	Tidal Installer.exe

Executes dropped EXE 1 IoCs

pid	Process
924	Tidal.exe

Loads dropped DLL 7 IoCs

pid	Process
924	Tidal.exe
924	Tidal.exe
924	Tidal.exe
924	Tidal.exe
924	Tidal.exe
924	Tidal.exe
924	Tidal.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/2456-8-0x0000000000400000-0x0000000000CC6000-memory.dmp	themida
behavioral2/memory/2456-9-0x0000000000400000-0x0000000000CC6000-memory.dmp	themida
behavioral2/files/0x0007000000023543-661.dat	themida
behavioral2/memory/924-678-0x0000000000400000-0x0000000000CEA000-memory.dmp	themida
behavioral2/memory/924-679-0x0000000000400000-0x0000000000CEA000-memory.dmp	themida
behavioral2/memory/924-697-0x0000000000400000-0x0000000000CEA000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Tidal Installer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Tidal.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2456	Tidal Installer.exe
924	Tidal.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1204	924	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2456	Tidal Installer.exe
2456	Tidal Installer.exe
924	Tidal.exe
924	Tidal.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	Tidal Installer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 924	2456	Tidal Installer.exe	86
PID 2456 wrote to memory of 924	2456	Tidal Installer.exe	86
PID 2456 wrote to memory of 924	2456	Tidal Installer.exe	86

C:\Users\Admin\AppData\Local\Temp\Tidal Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Tidal Installer.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\Tidal.exe
  "C:\Users\Admin\AppData\Local\Temp\Tidal.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 1328
    3⤵
    - Program crash
    PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 924 -ip 924
1⤵
PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FontAwesome.WPF.dll

Filesize
204KB

MD5
2ace85429eee9e8320c82d878e5562b4

SHA1
77ed8b89210930d1de2495ba363519b696d0b6e2

SHA256
63d50dbe094bbce5d7bf8af08c0d919cfa5e057ca05ae7b27704a8477c8b348f

SHA512
7ce3467d1469acdb544f4f42864d94c5ae0ada252c5f096329e16d4b571fc1800bd572e52cfe902ee5d4b91d59a1a4182b07f40b7a4dfe54e338ca46684af989

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.Web.WebView2.Core.dll

Filesize
557KB

MD5
b037ca44fd19b8eedb6d5b9de3e48469

SHA1
1f328389c62cf673b3de97e1869c139d2543494e

SHA256
11e88b2ca921e5c88f64567f11bd83cbc396c10365d40972f3359fcc7965d197

SHA512
fa89ab3347fd57486cf3064ad164574f70e2c2b77c382785479bfd5ab50caa0881de3c2763a0932feac2faaf09479ef699a04ba202866dc7e92640246ba9598b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.Web.WebView2.Wpf.dll

Filesize
50KB

MD5
e107c88a6fc54cc3ceb4d85768374074

SHA1
a8d89ae75880f4fca7d7167fae23ac0d95e3d5f6

SHA256
8f821f0c818f8d817b82f76c25f90fde9fb73ff1ae99c3df3eaf2b955653c9c8

SHA512
b39e07b0c614a0fa88afb1f3b0d9bb9ba9c932e2b30899002008220ccf1acb0f018d5414aee64d92222c2c39f3ffe2c0ad2d9962d23aaa4bf5750c12c7f3e6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tidal.exe

Filesize
3.4MB

MD5
0c5fb1991da858c0a7e85bb606946753

SHA1
09cf4f943275442d3e2af7fb7a57a9282f1068ab

SHA256
a31d73cdfa871c4e76beed15dd67906859259fa5bfb6f0c571c9cf7640c13376

SHA512
d377be0f3e00ee266fd74ca469674212567f80dec1aea28548e940d960f3d9b2322a828a2eb14a173d79b4b2aa6552d0ec96bd3a4850394ff67b71a15132fbdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tidal.exe.WebView2\EBWebView\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tidal.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tidal.exe.WebView2\EBWebView\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tidal.exe.WebView2\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
0de49051fb6f39aadd39079abd629d1c

SHA1
acb23d149ae39ed67e5dcb793a967c9e06a0cbe5

SHA256
cd42096a3ebd99d4c1c1f2960ae2ffce83c6f357447571e4cde5753181f87eb5

SHA512
c443ef2d09d77f432f77e17d98cc8a3d793c06ebd00a5fbcbe7116e42cd02fdb872c4dd7cf82c39cbb62257d60117be960d6e69551ec5383d28c7b87f61e7aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tidal.exe.WebView2\EBWebView\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tidal.exe.WebView2\EBWebView\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tidal.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tidal.exe.config

Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\runtimes\win-x86\native\WebView2Loader.dll

Filesize
113KB

MD5
9d7744e15bb8e3d005079b18979c8544

SHA1
7b326c96e5f3f6baaf6e9390b119a4ffb3df2c64

SHA256
cc2f661aac9c05646933f717e629a69be93d8d06803066289d6dc1105aac6cd2

SHA512
732fd17714ec5ef0afd8f17d06adc895e93bea4585b6b1dabcf95c3fbe808e7b31a19c13cccfac0b30cd425cf96926749a0373a861f55fa8db442430803f4a25

Download Submit
memory/924-679-0x0000000000400000-0x0000000000CEA000-memory.dmp

Filesize
8.9MB

Download
memory/924-672-0x00000000767F0000-0x00000000768E0000-memory.dmp

Filesize
960KB

Download
memory/924-697-0x0000000000400000-0x0000000000CEA000-memory.dmp

Filesize
8.9MB

Download
memory/924-696-0x00000000767F0000-0x00000000768E0000-memory.dmp

Filesize
960KB

Download
memory/924-692-0x00000000061F0000-0x0000000006280000-memory.dmp

Filesize
576KB

Download
memory/924-688-0x0000000005AB0000-0x0000000005AEA000-memory.dmp

Filesize
232KB

Download
memory/924-684-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/924-683-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/924-678-0x0000000000400000-0x0000000000CEA000-memory.dmp

Filesize
8.9MB

Download
memory/924-670-0x0000000000400000-0x0000000000CEA000-memory.dmp

Filesize
8.9MB

Download
memory/924-675-0x00000000767F0000-0x00000000768E0000-memory.dmp

Filesize
960KB

Download
memory/924-671-0x00000000767F0000-0x00000000768E0000-memory.dmp

Filesize
960KB

Download
memory/924-673-0x00000000767F0000-0x00000000768E0000-memory.dmp

Filesize
960KB

Download
memory/2456-669-0x0000000000400000-0x0000000000CC6000-memory.dmp

Filesize
8.8MB

Download
memory/2456-9-0x0000000000400000-0x0000000000CC6000-memory.dmp

Filesize
8.8MB

Download
memory/2456-3-0x00000000767F0000-0x00000000768E0000-memory.dmp

Filesize
960KB

Download
memory/2456-19-0x000000000B080000-0x000000000B092000-memory.dmp

Filesize
72KB

Download
memory/2456-0-0x0000000000400000-0x0000000000CC6000-memory.dmp

Filesize
8.8MB

Download
memory/2456-4-0x00000000767F0000-0x00000000768E0000-memory.dmp

Filesize
960KB

Download
memory/2456-6-0x00000000767F0000-0x00000000768E0000-memory.dmp

Filesize
960KB

Download
memory/2456-8-0x0000000000400000-0x0000000000CC6000-memory.dmp

Filesize
8.8MB

Download
memory/2456-5-0x00000000767F0000-0x00000000768E0000-memory.dmp

Filesize
960KB

Download
memory/2456-674-0x0000000076810000-0x0000000076811000-memory.dmp

Filesize
4KB

Download
memory/2456-2-0x00000000767F0000-0x00000000768E0000-memory.dmp

Filesize
960KB

Download
memory/2456-16-0x000000000A080000-0x000000000A08E000-memory.dmp

Filesize
56KB

Download
memory/2456-1-0x0000000076810000-0x0000000076811000-memory.dmp

Filesize
4KB

Download
memory/2456-15-0x000000000A030000-0x000000000A068000-memory.dmp

Filesize
224KB

Download
memory/2456-17-0x0000000009630000-0x000000000963A000-memory.dmp

Filesize
40KB

Download
memory/2456-698-0x00000000767F0000-0x00000000768E0000-memory.dmp

Filesize
960KB

Download
memory/2456-700-0x00000000767F0000-0x00000000768E0000-memory.dmp

Filesize
960KB

Download