e253b236af6d45f687424ca1d9354320aae579fbd539b89a85c807e3b52f4574 | Triage

Submit
Reports

Overview

overview

Static

static

7

START_ME.exe

windows7_x64

START_ME.exe

windows10_x64

assets/simulation.exe

windows7_x64

assets/simulation.exe

windows10_x64

Sharing

General

Target

607ffeb1ad2f9c06cd2ad02c.zip
Size

10.5MB
Sample

210421-rsd1nhbncx
MD5

05ebe6b7c2a76bfb2998050a97c5d868
SHA1

2c0328abdd43bdfd6e84e2ebef91639f1fff1ea8
SHA256

e253b236af6d45f687424ca1d9354320aae579fbd539b89a85c807e3b52f4574
SHA512

5a91ee4b00e9b5b9666d96e72bc9fea95c8e086d49eecc44b7374d7fe661553e9b11227ea34c26b1414867d39ac269cb9a48536cbdedf1a140f83b51691c8608

Score

10^/10

evasion pyinstaller themida trojan

Static task

static1

themida pyinstaller

Behavioral task

behavioral1

Sample

START_ME.exe

Resource

win7v20210410

evasion themida

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

START_ME.exe

Resource

win10v20210410

evasion themida

windows10_x64

0 signatures

0 seconds

Behavioral task

behavioral3

Sample

assets/simulation.exe

Resource

win7v20210408

evasion themida trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral4

Sample

assets/simulation.exe

Resource

win10v20210410

evasion themida trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://marlasinger.tylerdurdenceketi.com/vault/mitre/T1003/Invoke-Mimikatz.ps1

Targets

- Target
  
  START_ME.exe
- Size
  
  981KB
- MD5
  
  fbd344cb2db910d8d109b5b63ae11757
- SHA1
  
  0a04c5925db22547ee3f638e036366e475d8be99
- SHA256
  
  41b987215931740b614e90ba63c4f663d05eda3b8cc22fbb0e7cc7b55f4beec4
- SHA512
  
  e5b91ce7f680b7d27d736482454aa288c65f02c7761a6123846df856488231486acaec1644ec74cde4fad4db4d10a0cbeeb234885a4ab2ca73c7d674219e77b3
Score

10^/10

evasion themida
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  assets/simulation.exe
- Size
  
  10.1MB
- MD5
  
  60d094b6b04349b0a859f639e1dcf232
- SHA1
  
  6322bc20bb9bba9678153852e74fb60ab433a90b
- SHA256
  
  e32867afbaf5ea286ea07dba6bc6eb1bce738865e7091361416394a9f69d0799
- SHA512
  
  061a7a1ec113a536843747aea03fe2ce2a373960b9b8f712b57acbc5b475b9a22ff8272ea945fc6eab1a4e9575f3376a6bba78d2b527f0372f681b8499ed9da3
Score

10^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

themidapyinstaller

behavioral1

behavioral2

behavioral3

evasionthemidatrojan

behavioral4

evasionthemidatrojan

© 2018-2024

Terms | Privacy