13e8c1d2caddf547574089830035c34438b4daebc9e83cb531079eacae5972ca

General

Target

Biil_Clinton_1.exe
Size

5.7MB
MD5

8e1e2c2714753ce09285b4c418a0a5ab
SHA1

7a570ef7bb007f9e28c7c0ec3d1bc3e82f12626f
SHA256

13e8c1d2caddf547574089830035c34438b4daebc9e83cb531079eacae5972ca
SHA512

68a62e9d65dd75c130ae110428d0723d4ba8f0851dc511bdfc46bb6b5ebc3112e082cfa7d9dcc1f78abd5ac33ba52a01b975889f8b125cc6e4c416845084a36d

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 2 IoCs

Processes:

services.exesihost64.exe

pid process

396 services.exe
1100 sihost64.exe

pid	process
396	services.exe
1100	sihost64.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Biil_Clinton_1.exeservices.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Biil_Clinton_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Biil_Clinton_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	services.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	services.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exeservices.exe

pid process

1104 cmd.exe
396 services.exe

pid	process
1104	cmd.exe
396	services.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1660-55-0x0000000000400000-0x0000000000F36000-memory.dmp	themida
\Users\Admin\AppData\Roaming\Microsoft\services.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\services.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\services.exe	themida
behavioral1/memory/396-70-0x0000000000400000-0x0000000000F36000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Biil_Clinton_1.exeservices.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Biil_Clinton_1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Biil_Clinton_1.exeservices.exe

pid process

1660 Biil_Clinton_1.exe
396 services.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1900 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Biil_Clinton_1.exeservices.exe

pid process

1660 Biil_Clinton_1.exe
396 services.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Biil_Clinton_1.exeservices.exe

description pid process

Token: SeDebugPrivilege 1660 Biil_Clinton_1.exe
Token: SeDebugPrivilege 396 services.exe

pid	process
1660	Biil_Clinton_1.exe
396	services.exe

pid	process
1900	schtasks.exe

pid	process
1660	Biil_Clinton_1.exe
396	services.exe

description	pid	process
Token: SeDebugPrivilege	1660	Biil_Clinton_1.exe
Token: SeDebugPrivilege	396	services.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Biil_Clinton_1.execmd.execmd.exeservices.exesihost64.exe

description	pid	process	target process
PID 1660 wrote to memory of 1488	1660	Biil_Clinton_1.exe	cmd.exe
PID 1660 wrote to memory of 1488	1660	Biil_Clinton_1.exe	cmd.exe
PID 1660 wrote to memory of 1488	1660	Biil_Clinton_1.exe	cmd.exe
PID 1488 wrote to memory of 1900	1488	cmd.exe	schtasks.exe
PID 1488 wrote to memory of 1900	1488	cmd.exe	schtasks.exe
PID 1488 wrote to memory of 1900	1488	cmd.exe	schtasks.exe
PID 1660 wrote to memory of 1104	1660	Biil_Clinton_1.exe	cmd.exe
PID 1660 wrote to memory of 1104	1660	Biil_Clinton_1.exe	cmd.exe
PID 1660 wrote to memory of 1104	1660	Biil_Clinton_1.exe	cmd.exe
PID 1104 wrote to memory of 396	1104	cmd.exe	services.exe
PID 1104 wrote to memory of 396	1104	cmd.exe	services.exe
PID 1104 wrote to memory of 396	1104	cmd.exe	services.exe
PID 396 wrote to memory of 1100	396	services.exe	sihost64.exe
PID 396 wrote to memory of 1100	396	services.exe	sihost64.exe
PID 396 wrote to memory of 1100	396	services.exe	sihost64.exe
PID 1100 wrote to memory of 864	1100	sihost64.exe	conhost.exe
PID 1100 wrote to memory of 864	1100	sihost64.exe	conhost.exe
PID 1100 wrote to memory of 864	1100	sihost64.exe	conhost.exe
PID 1100 wrote to memory of 864	1100	sihost64.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\Biil_Clinton_1.exe
"C:\Users\Admin\AppData\Local\Temp\Biil_Clinton_1.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
3⤵
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "pzqytlcxf"
5⤵
PID:864

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
cc604fb0471f21f98c7dbf3f49765fbf

SHA1
7c163779532eca828cc9873ef0bdf56e6f4ea37d

SHA256
109aa0f084697ae5223cdbe3bd2c3d0630292517f9ef1bbb0fb6013f5bc10b09

SHA512
c7e82a35597d505a96bcee389d53c0a56bf0c81ca65ede8380d2a30484e7cea826a0cc4b5350549e11577d36748c5e5fb34e24bf62507322a786b8d773f1d6e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
MD5
8e1e2c2714753ce09285b4c418a0a5ab

SHA1
7a570ef7bb007f9e28c7c0ec3d1bc3e82f12626f

SHA256
13e8c1d2caddf547574089830035c34438b4daebc9e83cb531079eacae5972ca

SHA512
68a62e9d65dd75c130ae110428d0723d4ba8f0851dc511bdfc46bb6b5ebc3112e082cfa7d9dcc1f78abd5ac33ba52a01b975889f8b125cc6e4c416845084a36d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
MD5
8e1e2c2714753ce09285b4c418a0a5ab

SHA1
7a570ef7bb007f9e28c7c0ec3d1bc3e82f12626f

SHA256
13e8c1d2caddf547574089830035c34438b4daebc9e83cb531079eacae5972ca

SHA512
68a62e9d65dd75c130ae110428d0723d4ba8f0851dc511bdfc46bb6b5ebc3112e082cfa7d9dcc1f78abd5ac33ba52a01b975889f8b125cc6e4c416845084a36d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
cc604fb0471f21f98c7dbf3f49765fbf

SHA1
7c163779532eca828cc9873ef0bdf56e6f4ea37d

SHA256
109aa0f084697ae5223cdbe3bd2c3d0630292517f9ef1bbb0fb6013f5bc10b09

SHA512
c7e82a35597d505a96bcee389d53c0a56bf0c81ca65ede8380d2a30484e7cea826a0cc4b5350549e11577d36748c5e5fb34e24bf62507322a786b8d773f1d6e6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\services.exe
MD5
8e1e2c2714753ce09285b4c418a0a5ab

SHA1
7a570ef7bb007f9e28c7c0ec3d1bc3e82f12626f

SHA256
13e8c1d2caddf547574089830035c34438b4daebc9e83cb531079eacae5972ca

SHA512
68a62e9d65dd75c130ae110428d0723d4ba8f0851dc511bdfc46bb6b5ebc3112e082cfa7d9dcc1f78abd5ac33ba52a01b975889f8b125cc6e4c416845084a36d

Download Submit
memory/396-71-0x000000001C6D0000-0x000000001C8C4000-memory.dmp

Filesize
2.0MB

Download
memory/396-73-0x000000001C452000-0x000000001C454000-memory.dmp

Filesize
8KB

Download
memory/396-76-0x000000001C457000-0x000000001C458000-memory.dmp

Filesize
4KB

Download
memory/396-75-0x000000001C456000-0x000000001C457000-memory.dmp

Filesize
4KB

Download
memory/396-74-0x000000001C454000-0x000000001C456000-memory.dmp

Filesize
8KB

Download
memory/396-72-0x000000001C6D0000-0x000000001C8C4000-memory.dmp

Filesize
2.0MB

Download
memory/396-70-0x0000000000400000-0x0000000000F36000-memory.dmp

Filesize
11.2MB

Download
memory/396-67-0x0000000000000000-mapping.dmp

Download
memory/864-85-0x000000001AD36000-0x000000001AD37000-memory.dmp

Filesize
4KB

Download
memory/864-86-0x000000001AD37000-0x000000001AD38000-memory.dmp

Filesize
4KB

Download
memory/864-84-0x000000001AD34000-0x000000001AD36000-memory.dmp

Filesize
8KB

Download
memory/864-82-0x0000000000060000-0x0000000000066000-memory.dmp

Filesize
24KB

Download
memory/864-83-0x000000001AD32000-0x000000001AD34000-memory.dmp

Filesize
8KB

Download
memory/864-81-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/864-80-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/1100-78-0x0000000000000000-mapping.dmp

Download
memory/1104-65-0x0000000000000000-mapping.dmp

Download
memory/1488-63-0x0000000000000000-mapping.dmp

Download
memory/1660-57-0x000000001C3B0000-0x000000001C5A4000-memory.dmp

Filesize
2.0MB

Download
memory/1660-62-0x0000000003747000-0x0000000003748000-memory.dmp

Filesize
4KB

Download
memory/1660-56-0x0000000002A90000-0x0000000002C84000-memory.dmp

Filesize
2.0MB

Download
memory/1660-61-0x0000000003746000-0x0000000003747000-memory.dmp

Filesize
4KB

Download
memory/1660-60-0x0000000003744000-0x0000000003746000-memory.dmp

Filesize
8KB

Download
memory/1660-55-0x0000000000400000-0x0000000000F36000-memory.dmp

Filesize
11.2MB

Download
memory/1660-59-0x0000000003742000-0x0000000003744000-memory.dmp

Filesize
8KB

Download
memory/1660-58-0x000000001C3B0000-0x000000001C5A4000-memory.dmp

Filesize
2.0MB

Download
memory/1900-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads