Overview

overview

9

Static

static

7

CardingMachine.exe

windows11-21h2-x64

9

Resubmissions

21/07/2024, 05:03

240721-fprqrsvcjf 9

18/05/2024, 00:50

240518-a7abjsca2z 9

Analysis

  • max time kernel
    54s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    21/07/2024, 05:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CardingMachine.exe

  • Size

    615.1MB

  • MD5

    796c4e013accc1d47e263f2438248e5e

  • SHA1

    dbca3bb74c9715a4b21259fa644a39a59bb438a7

  • SHA256

    e934ef0b1bad86d0a8d2a08a90b64b309404b2983649f8e34d400704ce8c65c0

  • SHA512

    5ae71ea3ac4f15c6143a424e1e2491294e5f2e5508ca4c05b6fa2676634140ec03e27b698ab0378726b421369e36988f56e016e145ba10b2d517577a00de926c

  • SSDEEP

    49152:lNjqYcOatzfsFfG/oDx4tDhdLDG15f9pTo0trQyYxQw:lNjFcOaxYG/M43HA5fVt8Q

Score
9/10
evasionexecutionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Themida packer 13 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CardingMachine.exe
    "C:\Users\Admin\AppData\Local\Temp\CardingMachine.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:4308
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5564
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4060
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s3bo.0.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:5728
      • C:\ProgramData\software\ULEXPY.exe
        "C:\ProgramData\software\ULEXPY.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of WriteProcessMemory
        PID:5136
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5412
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5188
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5136 -s 816
          4⤵
          • Program crash
          PID:2180
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5136 -ip 5136
    1⤵
      PID:2300
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4112

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        ac4917a885cf6050b1a483e4bc4d2ea5

        SHA1

        b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

        SHA256

        e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

        SHA512

        092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        136B

        MD5

        edc83e4fa455386dccc77e50d5353701

        SHA1

        dd5a0e4ae5a9e6a4e99fbc0de749f94970f9fe76

        SHA256

        e8426dc90411b1a791bda899f02d2a4a3f473a9f4057616f34265cdd69723e97

        SHA512

        16a54dca909a0d63098d569237f7d86b02436c162800421ec34b2069b08f779ffdd7e247a7a3f5f490ea1b9e2d0e69f3b385910d8f307c063aa41142e19a6281

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        08406f6b49f1da526c6ceb10daadf759

        SHA1

        4d0d3fc40e8bd09326956f55af63433e9f255fa6

        SHA256

        e0a79fd2883a171cdb8ed5515462ff8945d6d93d5a7f6f397d8d2cd57387b9a6

        SHA512

        675108f649d60c667356207f66bfb40d8726554c68da32bc28d2079db8360f2bd93797d0c00bf96a0e9d9e41afa2ae7aa49573fc76e5a4802c1bd29e737ca94a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mrnjgljv.o1p.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\s3bo.0.bat
        Filesize

        174B

        MD5

        b6227cff93c3f146bd77146b7dec7701

        SHA1

        7d652901d26bf978e203dd492ff81eed1222cdbe

        SHA256

        f1d7500fc1a168e8229d568e33c87a1364462b1eeca4c63e5b2aa2838e0f86b3

        SHA512

        9533bfb35c0848e846e94345aaa11df300cb4b6712a72ab05196183d1bb4312b27cb19a14ada20a16a6fc8d1290972094e0f9afd1f25b17d1b8933bde29f1d54

        Download Submit

      • memory/4060-61-0x0000000073660000-0x0000000073E11000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4060-35-0x00000000069C0000-0x0000000006A0C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4060-84-0x0000000073660000-0x0000000073E11000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4060-69-0x0000000007EF0000-0x0000000007F0A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4060-68-0x0000000007DF0000-0x0000000007E05000-memory.dmp

        Filesize

        84KB

        Download

      • memory/4060-12-0x0000000073660000-0x0000000073E11000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4060-11-0x0000000073660000-0x0000000073E11000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4060-60-0x0000000073660000-0x0000000073E11000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4060-58-0x0000000073660000-0x0000000073E11000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4060-14-0x00000000059B0000-0x00000000059D2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4060-38-0x0000000070010000-0x000000007005C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4060-16-0x0000000005AC0000-0x0000000005B26000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4060-15-0x0000000005A50000-0x0000000005AB6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4060-34-0x0000000006850000-0x000000000686E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4308-6-0x00000000002B0000-0x0000000000933000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4308-0-0x00000000002B0000-0x0000000000933000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4308-1-0x0000000077776000-0x0000000077778000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4308-4-0x00000000002B0000-0x0000000000933000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4308-2-0x00000000002B0000-0x0000000000933000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4308-3-0x00000000002B0000-0x0000000000933000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4308-5-0x00000000002B0000-0x0000000000933000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4308-75-0x00000000002B0000-0x0000000000933000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/5136-92-0x0000000000840000-0x0000000000EC3000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/5136-89-0x0000000000840000-0x0000000000EC3000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/5136-115-0x0000000000840000-0x0000000000EC3000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/5136-93-0x0000000000840000-0x0000000000EC3000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/5136-91-0x0000000000840000-0x0000000000EC3000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/5136-90-0x0000000000840000-0x0000000000EC3000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/5188-136-0x0000000007D90000-0x0000000007DA5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/5188-135-0x0000000007D50000-0x0000000007D61000-memory.dmp

        Filesize

        68KB

        Download

      • memory/5188-103-0x00000000062D0000-0x0000000006627000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/5188-125-0x00000000079F0000-0x0000000007A94000-memory.dmp

        Filesize

        656KB

        Download

      • memory/5188-116-0x000000006F9A0000-0x000000006F9EC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/5188-113-0x0000000006820000-0x000000000686C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/5412-126-0x000000006F9A0000-0x000000006F9EC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/5564-67-0x0000000007B70000-0x0000000007B7E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/5564-9-0x0000000005820000-0x0000000005E4A000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/5564-39-0x0000000073660000-0x0000000073E11000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/5564-36-0x0000000006BC0000-0x0000000006BF4000-memory.dmp

        Filesize

        208KB

        Download

      • memory/5564-7-0x000000007366E000-0x000000007366F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/5564-85-0x0000000073660000-0x0000000073E11000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/5564-76-0x0000000007C70000-0x0000000007C78000-memory.dmp

        Filesize

        32KB

        Download

      • memory/5564-13-0x0000000073660000-0x0000000073E11000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/5564-8-0x0000000005130000-0x0000000005166000-memory.dmp

        Filesize

        216KB

        Download

      • memory/5564-57-0x00000000077E0000-0x0000000007884000-memory.dmp

        Filesize

        656KB

        Download

      • memory/5564-22-0x0000000006100000-0x0000000006457000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/5564-62-0x0000000007F70000-0x00000000085EA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/5564-59-0x0000000073660000-0x0000000073E11000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/5564-66-0x0000000007B40000-0x0000000007B51000-memory.dmp

        Filesize

        68KB

        Download

      • memory/5564-65-0x0000000007BC0000-0x0000000007C56000-memory.dmp

        Filesize

        600KB

        Download

      • memory/5564-10-0x0000000073660000-0x0000000073E11000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/5564-63-0x0000000007930000-0x000000000794A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/5564-53-0x0000000006BA0000-0x0000000006BBE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/5564-64-0x00000000079B0000-0x00000000079BA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/5564-37-0x0000000070010000-0x000000007005C000-memory.dmp

        Filesize

        304KB

        Download