Overview

overview

9

Static

static

7

a4bd709d2d...dd.exe

windows7_x64

9

a4bd709d2d...dd.exe

windows10_x64

9

Analysis

  • max time kernel
    150s
  • max time network
    174s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    19-07-2021 13:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4bd709d2da4d231ecbeca29fa852bdd.exe

  • Size

    5.9MB

  • MD5

    a4bd709d2da4d231ecbeca29fa852bdd

  • SHA1

    4cad398255d98302db4bff95ef837a8adef11472

  • SHA256

    ff03a31c53b6e540bb918372dbc2a0213e5020273c6c46fdb2ef5f86ec7a0397

  • SHA512

    7c44d71b6aa8e3939c191aed3da246e53b77c121ab6b605b7b1ab799ea49ac195050d3c7066a3e1214cd5899bc50bfc1e67063509d4eccf99481c54bf60ed8f1

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Executes dropped EXE 3 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 2 IoCs
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4bd709d2da4d231ecbeca29fa852bdd.exe
    "C:\Users\Admin\AppData\Local\Temp\a4bd709d2da4d231ecbeca29fa852bdd.exe"
    1⤵
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
      "C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpACC3.tmp.cmd""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:820
        • C:\Windows\system32\timeout.exe
          timeout 4
          4⤵
          • Delays execution with timeout.exe
          PID:1064
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /f /sc MINUTE /mo 1 /tn "MicrosoftApi" /tr "'C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:1444
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {027A6E86-CFC5-40CC-82E2-CD1CBEFCABB1} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
      C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe
        "C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1520

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpACC3.tmp.cmd
    MD5

    580e08c0388a1de3befca87d60082414

    SHA1

    7eecdc5e74511b47d26df7060af56c3ac1fe9cb0

    SHA256

    d757724cf6d91b3ee52682ec23afc1f5a2ce37c2cbeb5042606765e7de005874

    SHA512

    75b6b4bdef02af10b42fa1834e0ce4d0035cb6ba2b6d8e82b1ccb25de85ec252b1fae763b93eba234d89a2e2dad2ceb5998769d79f206018feee3f0f0341035a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ICSharpCode.SharpZipLib.dll
    MD5

    5a5ab6c6bf9a23d07bc72cc19c37a432

    SHA1

    12fd67b780088a9d95eecd06c59658447e42f65c

    SHA256

    85ff339d1e0b853b0f544530fb022a30254f398d8cecfcdfa9e3c0310c3f4791

    SHA512

    16f5d6af94daa0833d4a95fcf261273f7610a6aaba01b775a358bee6c4ff25d90ad93abfcaf917256038d0abd272502c10e4e8933a062d456db3db077a7221bd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
    MD5

    a4bd709d2da4d231ecbeca29fa852bdd

    SHA1

    4cad398255d98302db4bff95ef837a8adef11472

    SHA256

    ff03a31c53b6e540bb918372dbc2a0213e5020273c6c46fdb2ef5f86ec7a0397

    SHA512

    7c44d71b6aa8e3939c191aed3da246e53b77c121ab6b605b7b1ab799ea49ac195050d3c7066a3e1214cd5899bc50bfc1e67063509d4eccf99481c54bf60ed8f1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
    MD5

    a4bd709d2da4d231ecbeca29fa852bdd

    SHA1

    4cad398255d98302db4bff95ef837a8adef11472

    SHA256

    ff03a31c53b6e540bb918372dbc2a0213e5020273c6c46fdb2ef5f86ec7a0397

    SHA512

    7c44d71b6aa8e3939c191aed3da246e53b77c121ab6b605b7b1ab799ea49ac195050d3c7066a3e1214cd5899bc50bfc1e67063509d4eccf99481c54bf60ed8f1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe
    MD5

    7d5dce7315ef85297c70b1cc5dfe90fc

    SHA1

    cd782852ecb85cbc4355003e265d5caa7003da20

    SHA256

    4c2d0c1ffd5db4f4f6027f801dee59a0c38cc9cfb55ae60280a7e4aad2b5e370

    SHA512

    aba0deb7ffd417772329489092752f6ad72edf003186baf4eabdbf30b6202c1e13d290a1bc63c9696d7fb5790e0afb250caa4ed840b158d31721e3497662550f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe
    MD5

    7d5dce7315ef85297c70b1cc5dfe90fc

    SHA1

    cd782852ecb85cbc4355003e265d5caa7003da20

    SHA256

    4c2d0c1ffd5db4f4f6027f801dee59a0c38cc9cfb55ae60280a7e4aad2b5e370

    SHA512

    aba0deb7ffd417772329489092752f6ad72edf003186baf4eabdbf30b6202c1e13d290a1bc63c9696d7fb5790e0afb250caa4ed840b158d31721e3497662550f

    Download Submit

  • \Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
    MD5

    a4bd709d2da4d231ecbeca29fa852bdd

    SHA1

    4cad398255d98302db4bff95ef837a8adef11472

    SHA256

    ff03a31c53b6e540bb918372dbc2a0213e5020273c6c46fdb2ef5f86ec7a0397

    SHA512

    7c44d71b6aa8e3939c191aed3da246e53b77c121ab6b605b7b1ab799ea49ac195050d3c7066a3e1214cd5899bc50bfc1e67063509d4eccf99481c54bf60ed8f1

    Download Submit

  • \Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe
    MD5

    7d5dce7315ef85297c70b1cc5dfe90fc

    SHA1

    cd782852ecb85cbc4355003e265d5caa7003da20

    SHA256

    4c2d0c1ffd5db4f4f6027f801dee59a0c38cc9cfb55ae60280a7e4aad2b5e370

    SHA512

    aba0deb7ffd417772329489092752f6ad72edf003186baf4eabdbf30b6202c1e13d290a1bc63c9696d7fb5790e0afb250caa4ed840b158d31721e3497662550f

    Download Submit

  • memory/820-73-0x0000000000000000-mapping.dmp

    Download

  • memory/1064-75-0x0000000000000000-mapping.dmp

    Download

  • memory/1096-84-0x0000000002110000-0x0000000002112000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1096-77-0x0000000000000000-mapping.dmp

    Download

  • memory/1096-80-0x000000013F790000-0x000000013F791000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1096-82-0x0000000000070000-0x0000000000071000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1096-83-0x000007FE80010000-0x000007FE80011000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1096-86-0x0000000002660000-0x0000000002661000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1444-76-0x0000000000000000-mapping.dmp

    Download

  • memory/1520-88-0x0000000000000000-mapping.dmp

    Download

  • memory/1520-94-0x000000001D566000-0x000000001D585000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1520-93-0x000000001D560000-0x000000001D562000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1520-91-0x000000013FA40000-0x000000013FA41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1724-64-0x000007FE80010000-0x000007FE80011000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1724-61-0x000000013F960000-0x000000013F961000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1724-63-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1804-70-0x0000000000070000-0x0000000000071000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1804-66-0x0000000000000000-mapping.dmp

    Download

  • memory/1804-72-0x000007FE80010000-0x000007FE80011000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1804-69-0x000000013F410000-0x000000013F411000-memory.dmp

    Filesize

    4KB

    Download