68e0c8bcb14bc94813d8c6494966d1f32b60ccca1fb9d80996707abeee3d2db5

Analysis

max time kernel
146s
max time network
149s
platform
windows10_x64
resource
win10v20201028
submitted
09-11-2020 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe
Size

8.9MB
MD5

a76688ac6e0e987395dbf946556b5354
SHA1

b43bcf90a79164d553bb2b5cb0b4dfe9032074fa
SHA256

68e0c8bcb14bc94813d8c6494966d1f32b60ccca1fb9d80996707abeee3d2db5
SHA512

1eba98221d365c7e47a1f016874da214e9944fe4eb6b5d989039ba2dd7f6e7da56df21226a48dd9666e31bb912cdcd6645f5b35746e56ed3d37a0b518468b068

Score

9^/10

discovery evasion spyware stealer themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 2 IoCs

Processes:

ivm21_protected.exeivm22_protected.exe

pid process

3144 ivm21_protected.exe
2720 ivm22_protected.exe

pid	process
3144	ivm21_protected.exe
2720	ivm22_protected.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ivm22_protected.exeSecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exeivm21_protected.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ivm22_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ivm21_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ivm21_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ivm22_protected.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/984-0-0x0000000000400000-0x000000000117E000-memory.dmp	themida
C:\ProgramData\Gds\ivm21_protected.exe	themida
C:\ProgramData\Gds\ivm21_protected.exe	themida
behavioral2/memory/3144-4-0x0000000000400000-0x0000000000AF6000-memory.dmp	themida
C:\ProgramData\Gds\ivm22_protected.exe	themida
C:\ProgramData\Gds\ivm22_protected.exe	themida
behavioral2/memory/2720-8-0x0000000000A80000-0x0000000001286000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ivm21_protected.exeivm22_protected.exeSecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ivm21_protected.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ivm22_protected.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exeivm21_protected.exeivm22_protected.exe

pid process

984 SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe
3144 ivm21_protected.exe
2720 ivm22_protected.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
15	ip-api.com

pid	process
984	SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe
3144	ivm21_protected.exe
2720	ivm22_protected.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exeivm22_protected.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ivm22_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ivm22_protected.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

ivm22_protected.exe

pid	process
2720	ivm22_protected.exe
2720	ivm22_protected.exe
2720	ivm22_protected.exe
2720	ivm22_protected.exe
2720	ivm22_protected.exe
2720	ivm22_protected.exe
2720	ivm22_protected.exe
2720	ivm22_protected.exe
2720	ivm22_protected.exe
2720	ivm22_protected.exe
2720	ivm22_protected.exe
2720	ivm22_protected.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe

description	pid	process	target process
PID 984 wrote to memory of 3144	984	SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe	ivm21_protected.exe
PID 984 wrote to memory of 3144	984	SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe	ivm21_protected.exe
PID 984 wrote to memory of 3144	984	SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe	ivm21_protected.exe
PID 984 wrote to memory of 2720	984	SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe	ivm22_protected.exe
PID 984 wrote to memory of 2720	984	SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe	ivm22_protected.exe
PID 984 wrote to memory of 2720	984	SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe	ivm22_protected.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Heur.GM.0000436180.28007.17088.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:984

C:\ProgramData\Gds\ivm21_protected.exe
C:\ProgramData\Gds\ivm21_protected.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3144

C:\ProgramData\Gds\ivm22_protected.exe
C:\ProgramData\Gds\ivm22_protected.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Gds\ivm21_protected.exe
MD5
84347d04b3e6e98b141cb2298db3372e

SHA1
cb0896f02c03d178bfbe82945f27cbd2adbb4ac0

SHA256
0a257754888ca8677ca918fe37e2661f3ea01b3672304066b3aba2d22597166b

SHA512
3aba011f37f6e74c4b709ff195a8e27a4bd5176fd2f20a8b93935a02c58f00a7daed699d2870fa21797fb307e5aa0b0e856a6938e288912daaf91fef1df5a43c

Download Submit
C:\ProgramData\Gds\ivm21_protected.exe
MD5
84347d04b3e6e98b141cb2298db3372e

SHA1
cb0896f02c03d178bfbe82945f27cbd2adbb4ac0

SHA256
0a257754888ca8677ca918fe37e2661f3ea01b3672304066b3aba2d22597166b

SHA512
3aba011f37f6e74c4b709ff195a8e27a4bd5176fd2f20a8b93935a02c58f00a7daed699d2870fa21797fb307e5aa0b0e856a6938e288912daaf91fef1df5a43c

Download Submit
C:\ProgramData\Gds\ivm22_protected.exe
MD5
15a9614f7734c084e9a95b24b16347d9

SHA1
a998de208e92ae8f0cc7e66f86add4572eb9c1d8

SHA256
91900443f4af150dfff33936e60a39b0dbf10c49d501b7e3430202e7987eeb9b

SHA512
9c29707efced04735f112f3c4a6a94fcdbfc2bb67b398c98b260ef6fa171d3391b419db64447b30e013257048ced49bdae0c00ebdb5c631107a9566155b48b52

Download Submit
C:\ProgramData\Gds\ivm22_protected.exe
MD5
15a9614f7734c084e9a95b24b16347d9

SHA1
a998de208e92ae8f0cc7e66f86add4572eb9c1d8

SHA256
91900443f4af150dfff33936e60a39b0dbf10c49d501b7e3430202e7987eeb9b

SHA512
9c29707efced04735f112f3c4a6a94fcdbfc2bb67b398c98b260ef6fa171d3391b419db64447b30e013257048ced49bdae0c00ebdb5c631107a9566155b48b52

Download Submit
memory/984-0-0x0000000000400000-0x000000000117E000-memory.dmp

Filesize
13.5MB

Download
memory/2720-5-0x0000000000000000-mapping.dmp

Download
memory/2720-8-0x0000000000A80000-0x0000000001286000-memory.dmp

Filesize
8.0MB

Download
memory/3144-1-0x0000000000000000-mapping.dmp

Download
memory/3144-4-0x0000000000400000-0x0000000000AF6000-memory.dmp

Filesize
7.0MB

Download