Xcitium Cloud Verdict

Information Discovery

Reads data out of its own binary image Show sources

api_process_name	process: 4598044bb8a3a25bac91e2a069062dce89fb7dfd.exe, pid: 2240, offset: 0x00000000, length: 0x000e5e1c
api_process_name	process: 4598044bb8a3a25bac91e2a069062dce89fb7dfd.exe, pid: 2240, offset: 0x00062a1c, length: 0x0000160d
api_process_name	process: 4598044bb8a3a25bac91e2a069062dce89fb7dfd.exe, pid: 2240, offset: 0x00064039, length: 0x00081de7

Persistence and Installation Behavior

Creates a copy of itself Show sources

file	C:\Users\user\AppData\Local\Temp\Stilstandsperioden\shonkinite\nigranilin\Enlarge\4598044bb8a3a25bac91e2a069062dce89fb7dfd.exe

Malware Analysis System Evasion

A process attempted to delay the analysis task. Show sources

api_process_name

powershell.exe tried to sleep 300 seconds, actually delayed analysis time by 0 seconds

Hooking and other Techniques for Hiding Protection

Creates RWX memory Show sources

injection_rwx_memory

0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

Lowering of HIPS/ PFW/ Operating System Security Settings

Attempts to block SafeBoot use by removing registry keys Show sources

registry_delete

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option