Analysis

  • max time kernel
    110s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/09/2024, 21:00

General

  • Target

    Kopx_Perm.exe

  • Size

    5.5MB

  • MD5

    8c13d2fd7836abcfe22c00ace0061d40

  • SHA1

    3c9640ec84a86cb10e87f2b2d8217f034aab1d5b

  • SHA256

    cd665494b4a760a948b940d3bbae302134c282deee633f04343fe34790406001

  • SHA512

    3c192fe7231e7c0306521c2701a3c9eeac0fd0091f6d59ef0f35a2dca193fcf5ff36008065838b2cabc92757708525a4d500e315a5502cbd8d7a6e5850255285

  • SSDEEP

    49152:/WFnhV6qMFnhVSr9JkzvkjXa+FnhVSr9JkzvkjXabsBFnhVKTTFBySg6etzcwp86:/YrkzgXyrkzgX9orG8farR1

Malware Config

Signatures

  • Cerber 32 IoCs

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 33 IoCs
  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 3 IoCs
  • Suspicious behavior: LoadsDriver 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Kopx_Perm.exe
    "C:\Users\Admin\AppData\Local\Temp\Kopx_Perm.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Suspicious use of WriteProcessMemory
    PID:736
    • C:\Windows\Globalization\winxsrcsv64.exe
      "winxsrcsv64.exe" /SU AUTO
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:516
    • C:\Windows\Globalization\winxsrcsv64.exe
      "winxsrcsv64.exe" /BS 5T1GPY0C0P1DPDPO
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:4468
    • C:\Windows\Globalization\winxsrcsv64.exe
      "winxsrcsv64.exe" /CS 5T1GPY0C0P1DPDPO
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:4548
    • C:\Windows\Globalization\winxsrcsv64.exe
      "winxsrcsv64.exe" /SS 5T1GPY0C0P1DPDPO
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:1676
    • C:\Windows\Globalization\winxsrcsv64.exe
      "winxsrcsv64.exe" /SM "System manufacturer"
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:4808
    • C:\Windows\Globalization\winxsrcsv64.exe
      "winxsrcsv64.exe" /SP "System Product Name"
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:2404
    • C:\Windows\Globalization\winxsrcsv64.exe
      "winxsrcsv64.exe" /SV "System Version"
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:812
    • C:\Windows\Globalization\winxsrcsv64.exe
      "winxsrcsv64.exe" /SK "SKU"
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:4836
    • C:\Windows\Globalization\winxsrcsv64.exe
      "winxsrcsv64.exe" /BT "Default string"
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:4104
    • C:\Windows\Globalization\winxsrcsv64.exe
      "winxsrcsv64.exe" /BLC "Default string"
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:2800
    • C:\Windows\Globalization\winxsrcsv64.exe
      "winxsrcsv64.exe" /CM "Default string"
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:708
    • C:\Windows\Globalization\winxsrcsv64.exe
      "winxsrcsv64.exe" /CV "Default string"
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:4968
    • C:\Windows\Globalization\winxsrcsv64.exe
      "winxsrcsv64.exe" /CA "Default string"
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:2032
    • C:\Windows\Globalization\winxsrcsv64.exe
      "winxsrcsv64.exe" /CSK "Default string"
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:3000
    • C:\Windows\Globalization\winxsrcsv64.exe
      "winxsrcsv64.exe" /SF "To be filled by O.E.M."
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:2732
    • C:\Windows\Globalization\winxsrcsv64.exe
      "winxsrcsv64.exe" /PSN 5T1GPY0C0P1DPDPO
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:4000
    • C:\Windows\IME\applecleaner.exe
      "C:\Windows\IME\applecleaner.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:4820
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2456
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im EpicGamesLauncher.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:768
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im FortniteClient-Win64-Shipping.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1300
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1120
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im Battle.net.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4484
    • C:\Windows\Fonts\AMIDEWINx64.exe
      "AMIDEWINx64.exe" /SU AUTO
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:1688
    • C:\Windows\Fonts\AMIDEWINx64.exe
      "AMIDEWINx64.exe" /BS SNPJNU8PW2O4F6RR
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:2516
    • C:\Windows\Fonts\AMIDEWINx64.exe
      "AMIDEWINx64.exe" /CS SNPJNU8PW2O4F6RR
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:5076
    • C:\Windows\Fonts\AMIDEWINx64.exe
      "AMIDEWINx64.exe" /SS SNPJNU8PW2O4F6RR
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:2496
    • C:\Windows\Fonts\AMIDEWINx64.exe
      "AMIDEWINx64.exe" /SM "System manufacturer"
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:928
    • C:\Windows\Fonts\AMIDEWINx64.exe
      "AMIDEWINx64.exe" /SP "System Product Name"
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:2492
    • C:\Windows\Fonts\AMIDEWINx64.exe
      "AMIDEWINx64.exe" /SV "System Version"
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:3452
    • C:\Windows\Fonts\AMIDEWINx64.exe
      "AMIDEWINx64.exe" /SK "SKU"
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:1708
    • C:\Windows\Fonts\AMIDEWINx64.exe
      "AMIDEWINx64.exe" /BT "Default string"
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:2984
    • C:\Windows\Fonts\AMIDEWINx64.exe
      "AMIDEWINx64.exe" /BLC "Default string"
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:4492
    • C:\Windows\Fonts\AMIDEWINx64.exe
      "AMIDEWINx64.exe" /CM "Default string"
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:2020
    • C:\Windows\Fonts\AMIDEWINx64.exe
      "AMIDEWINx64.exe" /CV "Default string"
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:3092
    • C:\Windows\Fonts\AMIDEWINx64.exe
      "AMIDEWINx64.exe" /CA "Default string"
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:4648
    • C:\Windows\Fonts\AMIDEWINx64.exe
      "AMIDEWINx64.exe" /CSK "Default string"
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:1628
    • C:\Windows\Fonts\AMIDEWINx64.exe
      "AMIDEWINx64.exe" /SF "To be filled by O.E.M."
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:3244
    • C:\Windows\Fonts\AMIDEWINx64.exe
      "AMIDEWINx64.exe" /PSN SNPJNU8PW2O4F6RR
      2⤵
      • Cerber
      • Executes dropped EXE
      PID:4572

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Fonts\AMIDEWINx64.EXE

    Filesize

    377KB

    MD5

    64ae4aa4904d3b259dda8cc53769064f

    SHA1

    24be8fb54afd8182652819b9a307b6f66f3fc58d

    SHA256

    2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4

    SHA512

    6c16d2bc23c20a7456b4db7136e1bb5fcee9cbf83a73d8de507b7b3ffc618f81f020cde638d2cd1ef5f154541b745a2a0e27b4c654683a21571183f7a1bffd16

  • C:\Windows\Globalization\winxsrcsv64.exe

    Filesize

    379KB

    MD5

    91a31f23f3e50bd0a722e605687aed1e

    SHA1

    f56fa26aaccdd6eb3f1ea53f06674b01327cd7c4

    SHA256

    818d6d87d0facc03354bf7b0748467cf61040031248ba8b46045ed9dbe4053d8

    SHA512

    649ee112c0e9d0c63c199f0dee84332f915af336dd7ad0ff70cbd49cc148c832182ff748c67fe1dee958215ea4a095545d1a93fdeb90fbdeb6f98076b499aab0

  • C:\Windows\IME\applecleaner.exe

    Filesize

    3.6MB

    MD5

    f96eb2236970fb3ea97101b923af4228

    SHA1

    e0eed80f1054acbf5389a7b8860a4503dd3e184a

    SHA256

    46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172

    SHA512

    2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7

  • memory/736-0-0x00007FF8F69FB000-0x00007FF8F69FC000-memory.dmp

    Filesize

    4KB

  • memory/736-1-0x00007FF8F69FB000-0x00007FF8F69FC000-memory.dmp

    Filesize

    4KB

  • memory/4820-32-0x00007FF708DA0000-0x00007FF709742000-memory.dmp

    Filesize

    9.6MB

  • memory/4820-34-0x00007FF708DA0000-0x00007FF709742000-memory.dmp

    Filesize

    9.6MB

  • memory/4820-36-0x00007FF708DA0000-0x00007FF709742000-memory.dmp

    Filesize

    9.6MB

  • memory/4820-35-0x00007FF708DA0000-0x00007FF709742000-memory.dmp

    Filesize

    9.6MB

  • memory/4820-37-0x00007FF708DA0000-0x00007FF709742000-memory.dmp

    Filesize

    9.6MB

  • memory/4820-39-0x00007FF708DA0000-0x00007FF709742000-memory.dmp

    Filesize

    9.6MB