d24441e5bb3497db8f6c39a3579b1415efa467e18308f1f9dff228d721b0bdde

General

Target

c436c42e07c1c93c8aeb48b35b51a4a9.exe
Size

2.5MB
MD5

c436c42e07c1c93c8aeb48b35b51a4a9
SHA1

4ecb0d749df3b76e6fd367bb8cf7fdc2b50a8b26
SHA256

d24441e5bb3497db8f6c39a3579b1415efa467e18308f1f9dff228d721b0bdde
SHA512

8f825fb4799a12908c36fec6ee9c6198a139ef40da7e074df8496cd89cf0bbf1221abfea3c0ad90ca88de7a59931a16250c89490600b0dce351ca574ecd145f0

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

25 600 WScript.exe

flow	pid	process
25	600	WScript.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c436c42e07c1c93c8aeb48b35b51a4a9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c436c42e07c1c93c8aeb48b35b51a4a9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c436c42e07c1c93c8aeb48b35b51a4a9.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2600-115-0x0000000001350000-0x00000000019CD000-memory.dmp	themida
behavioral2/memory/2600-116-0x0000000001350000-0x00000000019CD000-memory.dmp	themida
behavioral2/memory/2600-117-0x0000000001350000-0x00000000019CD000-memory.dmp	themida
behavioral2/memory/2600-119-0x0000000001350000-0x00000000019CD000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

c436c42e07c1c93c8aeb48b35b51a4a9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c436c42e07c1c93c8aeb48b35b51a4a9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

c436c42e07c1c93c8aeb48b35b51a4a9.exe

pid process

2600 c436c42e07c1c93c8aeb48b35b51a4a9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
8	ip-api.com

pid	process
2600	c436c42e07c1c93c8aeb48b35b51a4a9.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c436c42e07c1c93c8aeb48b35b51a4a9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	c436c42e07c1c93c8aeb48b35b51a4a9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	c436c42e07c1c93c8aeb48b35b51a4a9.exe

Modifies registry class 1 IoCs

Processes:

c436c42e07c1c93c8aeb48b35b51a4a9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	c436c42e07c1c93c8aeb48b35b51a4a9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c436c42e07c1c93c8aeb48b35b51a4a9.exe

pid process

2600 c436c42e07c1c93c8aeb48b35b51a4a9.exe
2600 c436c42e07c1c93c8aeb48b35b51a4a9.exe

pid	process
2600	c436c42e07c1c93c8aeb48b35b51a4a9.exe
2600	c436c42e07c1c93c8aeb48b35b51a4a9.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c436c42e07c1c93c8aeb48b35b51a4a9.exe

description	pid	process	target process
PID 2600 wrote to memory of 3420	2600	c436c42e07c1c93c8aeb48b35b51a4a9.exe	WScript.exe
PID 2600 wrote to memory of 3420	2600	c436c42e07c1c93c8aeb48b35b51a4a9.exe	WScript.exe
PID 2600 wrote to memory of 3420	2600	c436c42e07c1c93c8aeb48b35b51a4a9.exe	WScript.exe
PID 2600 wrote to memory of 600	2600	c436c42e07c1c93c8aeb48b35b51a4a9.exe	WScript.exe
PID 2600 wrote to memory of 600	2600	c436c42e07c1c93c8aeb48b35b51a4a9.exe	WScript.exe
PID 2600 wrote to memory of 600	2600	c436c42e07c1c93c8aeb48b35b51a4a9.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\c436c42e07c1c93c8aeb48b35b51a4a9.exe
"C:\Users\Admin\AppData\Local\Temp\c436c42e07c1c93c8aeb48b35b51a4a9.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rfndknntro.vbs"
2⤵
PID:3420

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\imihdkl.vbs"
2⤵
- Blocklisted process makes network request
PID:600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Web Service

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
ef4d27f7f766985edcd314472851cec9

SHA1
6574dd1e7ffcc517c2b571d666a008a21c949b7a

SHA256
8c2ee0a065d57e81c5a7feffe77f5c732f5b7d7ddf82f521dd1887821ffc59f4

SHA512
6d53cb934dd0f1187834b01999f4db495db6256e90d0926a9165ab4ab34c7907d6265c6a1f7134bc8ff1ace538e1786ece1339fd01e8a8d9e017acc7e5451e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\imihdkl.vbs
MD5
628498cdb3f98fd550262e45d1782ac6

SHA1
b1d552c862949fc0615f18c511b7ab2c950c4e97

SHA256
6d444fc4409d8875ad323bb559d882a38c0c60732a19e6aff67cd85c9623dad6

SHA512
5819f86994a9dff9b62dda6dfec53875e3006705f57655df0958dc36589578ecbaf2df2c5c8c3a2b78310016250ea46b1e37f3a9dfbf7b788e3f18db2db42c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfndknntro.vbs
MD5
d674f55811058c3c4e10bbb232de90c9

SHA1
ad8e25233ace21e1bf8aaf7c58d8387b83222a5c

SHA256
d4723fa19a526f827985b2ea0768093af0ecae1e8d1c051bd11f150567623d7f

SHA512
f0f492f88231321b161ef377dbfb01f9958aa430b24a4bcd6aae9fd6a1b7c9c1c284df6747a1ffde3205c56a372728ccd90bdffa7d8dbfcf9fc319c07a77ebe5

Download Submit
memory/600-122-0x0000000000000000-mapping.dmp

Download
memory/2600-115-0x0000000001350000-0x00000000019CD000-memory.dmp

Filesize
6.5MB

Download
memory/2600-116-0x0000000001350000-0x00000000019CD000-memory.dmp

Filesize
6.5MB

Download
memory/2600-118-0x00000000775A0000-0x000000007772E000-memory.dmp

Filesize
1.6MB

Download
memory/2600-117-0x0000000001350000-0x00000000019CD000-memory.dmp

Filesize
6.5MB

Download
memory/2600-119-0x0000000001350000-0x00000000019CD000-memory.dmp

Filesize
6.5MB

Download
memory/3420-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads