Malware Analysis Report

2024-11-13 14:25

Sample ID 210928-n7pm5abgh9
Target 3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3
SHA256 3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3
Tags
themida echelon evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3

Threat Level: Known bad

The file 3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3 was found to be: Known bad.

Malicious Activity Summary

themida echelon evasion spyware stealer trojan

Echelon

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks BIOS information in registry

Reads user/profile data of web browsers

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-28 12:02

Signatures

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-28 12:02

Reported

2021-09-28 12:05

Platform

win10-en-20210920

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe"

Signatures

Echelon

stealer spyware echelon

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe | N/A
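The two registry reads in the table, together with the ACPI check reported under "Identifies VirtualBox via ACPI registry values", amount to one decision: read a handful of values under HKLM\HARDWARE and abort if any of them carries a hypervisor string. The script below models that decision and is an added example written by the editor, not code recovered from the sample or produced by the sandbox. The key paths are the ones from the table plus the ACPI table keys; the registry snapshots, the hypervisor marker list (which goes beyond VirtualBox to the other vendors such checks usually cover) and the bare-metal stand-in strings are assumptions constructed for illustration.

```python
r"""Model of the anti-VM registry checks flagged above (added example by the
editor; not the sample's code). The sample read SystemBiosVersion and
VideoBiosVersion under HKLM\HARDWARE\DESCRIPTION\System; VirtualBox is also
commonly spotted through the OEM ID of the ACPI tables mirrored under
HKLM\HARDWARE\ACPI. Snapshots here are constructed, not dumped from the sandbox.
"""
import re

BIOS_KEYS = [
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
]
# Subkeys under these paths are the OEM IDs of the ACPI tables; "VBOX__" is VirtualBox.
ACPI_KEYS = [r"HKLM\HARDWARE\ACPI\DSDT", r"HKLM\HARDWARE\ACPI\FADT", r"HKLM\HARDWARE\ACPI\RSDT"]

# Hypervisor fingerprints (assumed representative list, not recovered from this sample).
VM_MARKERS = {
    "virtualbox": re.compile(r"vbox|virtualbox", re.I),
    "vmware": re.compile(r"vmware", re.I),
    "qemu": re.compile(r"qemu|bochs", re.I),
    "hyper-v": re.compile(r"hyper-v", re.I),
    "xen": re.compile(r"xen", re.I),
}

# Constructed snapshots: key path -> list of strings (REG_MULTI_SZ values or subkey names).
VBOX_GUEST = {
    BIOS_KEYS[0]: ["VBOX   - 1"],
    BIOS_KEYS[1]: ["Oracle VM VirtualBox Version 6.1.26"],
    ACPI_KEYS[0]: ["VBOX__"], ACPI_KEYS[1]: ["VBOX__"], ACPI_KEYS[2]: ["VBOX__"],
}
BARE_METAL = {
    BIOS_KEYS[0]: ["ALASKA - 1072009", "1.20"],
    BIOS_KEYS[1]: ["Intel Video BIOS"],
    ACPI_KEYS[0]: ["ALASKA"], ACPI_KEYS[1]: ["ALASKA"], ACPI_KEYS[2]: ["ALASKA"],
}


def vm_indicators(registry):
    """Every (key, value, hypervisor) where a value matches a hypervisor marker."""
    hits = []
    for key in BIOS_KEYS + ACPI_KEYS:
        for value in registry.get(key, []):
            for hv, pattern in VM_MARKERS.items():
                if pattern.search(value):
                    hits.append((key, value, hv))
    return hits


def looks_like_vm(registry):
    """The decision an anti-VM stub makes: bail out if anything matched."""
    return bool(vm_indicators(registry))


def scrub_vm_markers(registry):
    """What a hardened sandbox should present instead: matching values replaced by
    bare-metal lookalikes. The HARDWARE hive is rebuilt from firmware at every boot,
    so the real fix is in the hypervisor's DMI/ACPI configuration, not these keys."""
    scrubbed = {k: list(v) for k, v in registry.items()}
    for key, value, _ in vm_indicators(registry):
        stand_in = "ALASKA" if key in ACPI_KEYS else "ALASKA - 1072009"
        scrubbed[key] = [stand_in if v == value else v for v in scrubbed[key]]
    return scrubbed


if __name__ == "__main__":
    for name, snap in (("VirtualBox guest", VBOX_GUEST), ("bare metal", BARE_METAL)):
        print(name, "->", "VM" if looks_like_vm(snap) else "no VM markers")
        for key, value, hv in vm_indicators(snap):
            print("   ", hv, key.rsplit("\\", 1)[1], repr(value))
    print("scrubbed guest still detected:", looks_like_vm(scrub_vm_markers(VBOX_GUEST)))
```

Run as a script it lists the five matching values for the VirtualBox snapshot and none for the bare-metal one. The scrub function is there to make the hardening point concrete: a sandbox that only rewrites these registry values loses them at the next boot, because the HARDWARE hive is volatile and regenerated from the firmware tables the hypervisor exposes.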

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Count | Description | Indicator | Process | Target
16 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe | N/A

Suspicious behavior: EnumeratesProcesses

Count | Description | Indicator | Process | Target
7 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe | N/A
14 | N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe

"C:\Users\Admin\AppData\Local\Temp\3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 1124

Network

Country | Destination | Domain | Proto
FR | 2.16.119.157:443 | N/A | tcp
US | 8.8.8.8:53 | g.api.mega.co.nz | udp
LU | 66.203.125.13:443 | g.api.mega.co.nz | tcp

Files

memory/440-115-0x0000000077700000-0x000000007788E000-memory.dmp

memory/440-117-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/440-119-0x0000000006050000-0x0000000006051000-memory.dmp

memory/440-120-0x0000000006C30000-0x0000000006C31000-memory.dmp

memory/440-121-0x00000000067C0000-0x00000000067C1000-memory.dmp

memory/440-122-0x0000000005FE0000-0x0000000006046000-memory.dmp

memory/440-123-0x0000000005FE0000-0x0000000006046000-memory.dmp

memory/440-124-0x0000000007130000-0x0000000007131000-memory.dmp

memory/440-125-0x0000000005FE0000-0x0000000006046000-memory.dmp

memory/440-126-0x0000000007C30000-0x0000000007C31000-memory.dmp
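Read together, the Signatures, Processes, Network and Files sections answer three triage questions, and the script below does that with the report's own rows transcribed inline. It is an added example written by the editor, not the sandbox's code and not the sample. First, the WerFault.exe rows are crash-handler behaviour, not the stealer's: WerFault was started because of the "Program crash", and its SeBackup/SeRestore/SeDebug use and process enumeration are what a crash-dump writer does. Second, the "-p 440" on the WerFault command line names the process that faulted, and it matches the memory/440-* dump names, so those dumps are images of the Themida-protected sample process rather than of the handler. Third, only some Network rows are hunting indicators: the 8.8.8.8:53 row is the sandbox's resolver answering the lookup for g.api.mega.co.nz, so the domain is an indicator but that IP is not. The split on the WerFault file name and the treatment of port-53 traffic are the editor's triage rules, stated as assumptions.

```python
"""Triage of the behavioral1 tables above (added example by the editor; not the
sandbox's code and not the sample). Events, command line, network rows and dump
names are transcribed from this report with row counts preserved. It separates
the sample's rows from the WerFault.exe rows, ties the crash handler to the PID
it was started for, and extracts hunting indicators from the Network table.
"""
import re
from collections import Counter

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\3b347a4641e8553c4ecbee8e6d86c32311cd9348d61eb55929aae076e82f96c3.exe")
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
WERFAULT_CMDLINE = WERFAULT + " -u -p 440 -s 1124"

# (signature, indicator, process) per table row; None where the report shows N/A.
EVENTS = [
    ("Checks BIOS information in registry",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", SAMPLE_EXE),
    ("Checks BIOS information in registry",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", SAMPLE_EXE),
    ("Checks whether UAC is enabled",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     SAMPLE_EXE),
    *[("Suspicious use of NtSetInformationThreadHideFromDebugger", None, SAMPLE_EXE)] * 16,
    *[("Suspicious behavior: EnumeratesProcesses", None, SAMPLE_EXE)] * 7,
    *[("Suspicious behavior: EnumeratesProcesses", None, WERFAULT)] * 14,
    ("Suspicious use of AdjustPrivilegeToken", "SeDebugPrivilege", SAMPLE_EXE),
    ("Suspicious use of AdjustPrivilegeToken", "SeRestorePrivilege", WERFAULT),
    ("Suspicious use of AdjustPrivilegeToken", "SeBackupPrivilege", WERFAULT),
    ("Suspicious use of AdjustPrivilegeToken", "SeDebugPrivilege", WERFAULT),
]

# (country, destination, domain, proto) from the Network table; "" where blank.
NETWORK = [
    ("FR", "2.16.119.157:443", "", "tcp"),
    ("US", "8.8.8.8:53", "g.api.mega.co.nz", "udp"),
    ("LU", "66.203.125.13:443", "g.api.mega.co.nz", "tcp"),
]

# Dump names from the Files section: memory/<pid>-<seq>-<start>-<end>-memory.dmp
FILES = [
    "memory/440-115-0x0000000077700000-0x000000007788E000-memory.dmp",
    "memory/440-117-0x0000000000CA0000-0x0000000000CA1000-memory.dmp",
    "memory/440-119-0x0000000006050000-0x0000000006051000-memory.dmp",
    "memory/440-120-0x0000000006C30000-0x0000000006C31000-memory.dmp",
    "memory/440-121-0x00000000067C0000-0x00000000067C1000-memory.dmp",
    "memory/440-122-0x0000000005FE0000-0x0000000006046000-memory.dmp",
    "memory/440-123-0x0000000005FE0000-0x0000000006046000-memory.dmp",
    "memory/440-124-0x0000000007130000-0x0000000007131000-memory.dmp",
    "memory/440-125-0x0000000005FE0000-0x0000000006046000-memory.dmp",
    "memory/440-126-0x0000000007C30000-0x0000000007C31000-memory.dmp",
]


def is_crash_handler(process):
    # Assumed triage rule: rows from the WER crash handler are not the sample's behaviour.
    return process.lower().endswith("\\werfault.exe")


def split_by_origin(events):
    """Rows the sample produced vs. rows WerFault produced after the sample died."""
    sample = [e for e in events if not is_crash_handler(e[2])]
    handler = [e for e in events if is_crash_handler(e[2])]
    return sample, handler


def signature_counts(events):
    return Counter(sig for sig, _, _ in events)


def privileges(events, process):
    """Privileges a given process enabled through AdjustTokenPrivileges."""
    return {ind for sig, ind, proc in events
            if sig == "Suspicious use of AdjustPrivilegeToken" and proc == process}


def crashed_pid(cmdline):
    """WerFault is started with -p <pid> naming the process that faulted."""
    m = re.search(r"\s-p\s+(\d+)", cmdline)
    return int(m.group(1)) if m else None


def dumps_for_pid(files, pid):
    return [f for f in files if f.startswith(f"memory/{pid}-")]


def network_iocs(rows, resolver="8.8.8.8"):
    """Domains looked up plus non-resolver destination IPs. Port-53 traffic to the
    sandbox resolver is the lookup itself, not infrastructure, so its IP is skipped."""
    domains, ips = [], []
    for _country, dest, domain, _proto in rows:
        ip, _, port = dest.rpartition(":")
        if domain and domain not in domains:
            domains.append(domain)
        if port == "53" or ip == resolver:
            continue
        if ip not in ips:
            ips.append(ip)
    return {"domains": domains, "ips": ips}


if __name__ == "__main__":
    sample, handler = split_by_origin(EVENTS)
    print("sample rows:", len(sample), dict(signature_counts(sample)))
    print("crash-handler rows:", len(handler), dict(signature_counts(handler)))
    print("sample privileges:", privileges(EVENTS, SAMPLE_EXE))
    pid = crashed_pid(WERFAULT_CMDLINE)
    print("crashed pid:", pid, "dumps:", len(dumps_for_pid(FILES, pid)))
    print("network IOCs:", network_iocs(NETWORK))
```

The sample-side picture that comes out is 27 rows: two BIOS reads, the EnableLUA read, sixteen ThreadHideFromDebugger calls, seven process enumerations and one SeDebugPrivilege adjustment; the 17 WerFault rows drop out. The indicator set is the Mega API host and the two 443 destinations, and the ten dumps all belong to PID 440, the process WerFault was invoked for.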