5781173908ae9208be64f02dd0e5cc0dc6ed0d98b16ae577b560b95cc136cb3d

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-en-20211104
submitted
05-12-2021 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aInjector Win64_x32.exe
Size

4.0MB
MD5

0633e40fa1f37b748cf61f04dba96445
SHA1

0710b691613be0f6ccf54f8e0bb4d8d7cf3c930c
SHA256

5781173908ae9208be64f02dd0e5cc0dc6ed0d98b16ae577b560b95cc136cb3d
SHA512

ffd608a67b60d2e02edf9e5090e18e9e0568846e10db66a7b0ce5ce8414acf19c4aa82b7dcab5c9a9fd341ff4e194df4938d8ce3cf5e9bb18040d7aa9a00ab94

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aInjector Win64_x32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aInjector Win64_x32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aInjector Win64_x32.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/980-59-0x0000000000CF0000-0x0000000000CF1000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

aInjector Win64_x32.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA aInjector Win64_x32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

aInjector Win64_x32.exe

pid process

980 aInjector Win64_x32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

aInjector Win64_x32.exe

description pid process

Token: SeDebugPrivilege 980 aInjector Win64_x32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aInjector Win64_x32.exe

flow	ioc
4	ip-api.com

pid	process
980	aInjector Win64_x32.exe

description	pid	process
Token: SeDebugPrivilege	980	aInjector Win64_x32.exe

C:\Users\Admin\AppData\Local\Temp\aInjector Win64_x32.exe
"C:\Users\Admin\AppData\Local\Temp\aInjector Win64_x32.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/980-55-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download
memory/980-59-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/980-61-0x0000000000590000-0x00000000005EA000-memory.dmp

Filesize
360KB

Download
memory/980-62-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/980-63-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download