Overview

overview

9

Static

static

7

a4bd709d2d...dd.exe

windows7_x64

9

a4bd709d2d...dd.exe

windows10_x64

9

Analysis

  • max time kernel
    150s
  • max time network
    174s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    19-07-2021 13:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4bd709d2da4d231ecbeca29fa852bdd.exe

  • Size

    5.9MB

  • MD5

    a4bd709d2da4d231ecbeca29fa852bdd

  • SHA1

    4cad398255d98302db4bff95ef837a8adef11472

  • SHA256

    ff03a31c53b6e540bb918372dbc2a0213e5020273c6c46fdb2ef5f86ec7a0397

  • SHA512

    7c44d71b6aa8e3939c191aed3da246e53b77c121ab6b605b7b1ab799ea49ac195050d3c7066a3e1214cd5899bc50bfc1e67063509d4eccf99481c54bf60ed8f1

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Executes dropped EXE 3 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 2 IoCs
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4bd709d2da4d231ecbeca29fa852bdd.exe
    "C:\Users\Admin\AppData\Local\Temp\a4bd709d2da4d231ecbeca29fa852bdd.exe"
    1⤵
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
      "C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpACC3.tmp.cmd""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:820
        • C:\Windows\system32\timeout.exe
          timeout 4
          4⤵
          • Delays execution with timeout.exe
          PID:1064
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /f /sc MINUTE /mo 1 /tn "MicrosoftApi" /tr "'C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:1444
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {027A6E86-CFC5-40CC-82E2-CD1CBEFCABB1} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
      C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe
        "C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1520

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1096-84-0x0000000002110000-0x0000000002112000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1096-80-0x000000013F790000-0x000000013F791000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1096-82-0x0000000000070000-0x0000000000071000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1096-83-0x000007FE80010000-0x000007FE80011000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1096-86-0x0000000002660000-0x0000000002661000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1520-94-0x000000001D566000-0x000000001D585000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1520-93-0x000000001D560000-0x000000001D562000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1520-91-0x000000013FA40000-0x000000013FA41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1724-64-0x000007FE80010000-0x000007FE80011000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1724-61-0x000000013F960000-0x000000013F961000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1724-63-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1804-70-0x0000000000070000-0x0000000000071000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1804-72-0x000007FE80010000-0x000007FE80011000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1804-69-0x000000013F410000-0x000000013F411000-memory.dmp

    Filesize

    4KB

    Download