3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac

Analysis

max time kernel
119s
max time network
123s
platform
windows10_x64
resource
win10-en-20211208
submitted
20-12-2021 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Size

8.6MB
MD5

916d89ca529c0a7a07c4a55c0d2e1560
SHA1

687e508ca7fe82ae9055ab6b335eac30af0bd791
SHA256

3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac
SHA512

bcf3618c2c064fec590088f2e1659bc050cf3eadc9a66b55ab40982f830685725a8c40e16ee3b5bf307077ab8daaf250fbd06e7246979ee483452650bc4652fb

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2668-116-0x0000000000400000-0x0000000001BAD000-memory.dmp	themida
behavioral1/memory/2668-117-0x0000000000400000-0x0000000001BAD000-memory.dmp	themida
behavioral1/memory/2668-118-0x0000000000400000-0x0000000001BAD000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe

pid process

2668 3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe

pid	process
2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe

description	pid	process
Token: SeDebugPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: 1	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeCreateTokenPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeAssignPrimaryTokenPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeLockMemoryPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeIncreaseQuotaPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeMachineAccountPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeTcbPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeSecurityPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeTakeOwnershipPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeLoadDriverPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeSystemProfilePrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeSystemtimePrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeProfSingleProcessPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeIncBasePriorityPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeCreatePagefilePrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeCreatePermanentPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeBackupPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeRestorePrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeShutdownPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeDebugPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeAuditPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeSystemEnvironmentPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeChangeNotifyPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeRemoteShutdownPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeUndockPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeSyncAgentPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeEnableDelegationPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeManageVolumePrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeImpersonatePrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: SeCreateGlobalPrivilege	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: 31	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: 32	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: 33	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: 34	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: 35	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: 36	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: 37	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: 38	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: 39	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: 40	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: 41	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: 42	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: 43	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: 44	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: 45	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: 46	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: 47	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
Token: 48	2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe

pid	process
2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe

pid	process
2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe

pid	process
2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
2668	3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe

C:\Users\Admin\AppData\Local\Temp\3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe
"C:\Users\Admin\AppData\Local\Temp\3d07efde85a5ded500f658ef0e2fbd446851b593a79c9bb46055293cb3d42dac.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2668-115-0x00000000777C0000-0x000000007794E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-116-0x0000000000400000-0x0000000001BAD000-memory.dmp

Filesize
23.7MB

Download
memory/2668-117-0x0000000000400000-0x0000000001BAD000-memory.dmp

Filesize
23.7MB

Download
memory/2668-118-0x0000000000400000-0x0000000001BAD000-memory.dmp

Filesize
23.7MB

Download
memory/2668-119-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-120-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-121-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-122-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-123-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-124-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-125-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-126-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-127-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-128-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-129-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-130-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-131-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-132-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-133-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-134-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-135-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-136-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-137-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-138-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-139-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-140-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-141-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-142-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-143-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-144-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-146-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-145-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-147-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-148-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-149-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-150-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-151-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-152-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-153-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-154-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-155-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-156-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-157-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-158-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-159-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-160-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-161-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-163-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-162-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-164-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-165-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-166-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-167-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-168-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-170-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-169-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-171-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-172-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-173-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-174-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-175-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-176-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-178-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-177-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-179-0x0000000000401000-0x000000000080D000-memory.dmp

Filesize
4.0MB

Download
memory/2668-535-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/2668-536-0x0000000005FCE000-0x000000000610B000-memory.dmp

Filesize
1.2MB

Download
memory/2668-537-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

Filesize
4KB

Download
memory/2668-538-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/2668-540-0x0000000005CC0000-0x0000000005CC1000-memory.dmp

Filesize
4KB

Download
memory/2668-539-0x0000000005CA0000-0x0000000005CA1000-memory.dmp

Filesize
4KB

Download
memory/2668-542-0x0000000005E00000-0x0000000005E01000-memory.dmp

Filesize
4KB

Download
memory/2668-541-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/2668-543-0x0000000006310000-0x00000000063E1000-memory.dmp

Filesize
836KB

Download
memory/2668-544-0x0000000006310000-0x00000000063E1000-memory.dmp

Filesize
836KB

Download
memory/2668-545-0x0000000006310000-0x00000000063E1000-memory.dmp

Filesize
836KB

Download