e341a13e9d2d6974d68018a8d8f28f4a40ef8b1fe063384eda97ebbbad7ab80a

General

Target

aInjector Win64_x32.exe
Size

3.6MB
MD5

45539053a6c4a180b590a7af970fc3ab
SHA1

8a091f013cdbe5b0f7308692a75bd95c544a7e5a
SHA256

e341a13e9d2d6974d68018a8d8f28f4a40ef8b1fe063384eda97ebbbad7ab80a
SHA512

498c61bb0949ef48e1bf834e3fce02ddc7b857e794ce02d97c615f03d2c93420799cd7476bdd4bb15768396cd28668060da0c6e9914039d6bc010f32ddafea85

Score

10^/10

evasion themida trojan

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 884 created 3732 884 WerFault.exe aInjector Win64_x32.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

description	pid	process	target process
PID 884 created 3732	884	WerFault.exe	aInjector Win64_x32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aInjector Win64_x32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aInjector Win64_x32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aInjector Win64_x32.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3732-119-0x0000000000070000-0x0000000000071000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

aInjector Win64_x32.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA aInjector Win64_x32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

aInjector Win64_x32.exe

pid process

3732 aInjector Win64_x32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

884 3732 WerFault.exe aInjector Win64_x32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aInjector Win64_x32.exe

flow	ioc
18	ip-api.com

pid	process
3732	aInjector Win64_x32.exe

pid	pid_target	process	target process
884	3732	WerFault.exe	aInjector Win64_x32.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
884	WerFault.exe
884	WerFault.exe
884	WerFault.exe
884	WerFault.exe
884	WerFault.exe
884	WerFault.exe
884	WerFault.exe
884	WerFault.exe
884	WerFault.exe
884	WerFault.exe
884	WerFault.exe
884	WerFault.exe
884	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

aInjector Win64_x32.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3732	aInjector Win64_x32.exe
Token: SeRestorePrivilege	884	WerFault.exe
Token: SeBackupPrivilege	884	WerFault.exe
Token: SeDebugPrivilege	884	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\aInjector Win64_x32.exe
"C:\Users\Admin\AppData\Local\Temp\aInjector Win64_x32.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 114008
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3732-118-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/3732-119-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/3732-121-0x00000000054C0000-0x000000000551A000-memory.dmp

Filesize
360KB

Download
memory/3732-122-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/3732-123-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/3732-124-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/3732-125-0x0000000006D40000-0x0000000006D41000-memory.dmp

Filesize
4KB

Download
memory/3732-126-0x00000000064F0000-0x00000000064F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads