Malware Analysis Report

2025-06-16 05:18

Sample ID 220117-lmpraahce9
Target 3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8
SHA256 d3b9ef895c0023f920b80cdc47303013ee118805dbe49d178a571aff1a23d039
Tags
themida cryptbot evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d3b9ef895c0023f920b80cdc47303013ee118805dbe49d178a571aff1a23d039

Threat Level: Known bad

The file 3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8 was found to be: Known bad.

Malicious Activity Summary

themida cryptbot evasion spyware stealer trojan

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Deletes itself

Checks BIOS information in registry

Checks computer location settings

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-17 09:39

Signatures

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-17 09:39

Reported

2022-01-17 09:42

Platform

win7-en-20211208

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe

"C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\VdenQkXAOJBC & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 4

Network

N/A

Files

memory/748-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

memory/748-55-0x0000000000380000-0x0000000000A12000-memory.dmp

memory/748-56-0x0000000000380000-0x0000000000A12000-memory.dmp

memory/748-57-0x0000000000380000-0x0000000000A12000-memory.dmp

memory/748-58-0x0000000000380000-0x0000000000A12000-memory.dmp

memory/724-59-0x0000000000000000-mapping.dmp

memory/1344-60-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-17 09:39

Reported

2022-01-17 09:41

Platform

win10v2004-en-20220112

Max time kernel

4265070s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe"

Signatures

CryptBot

spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotification.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotification.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\MusNotification.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\MusNotification.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe

"C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\SQTCiWfvP & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 4

C:\Windows\system32\MusNotification.exe

C:\Windows\system32\MusNotification.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 time.windows.com udp
US 8.8.8.8:53 arc.msn.com udp
US 52.184.215.140:443 arc.msn.com tcp
US 8.8.8.8:53 slscr.update.microsoft.com udp
IE 20.54.89.106:443 slscr.update.microsoft.com tcp
US 8.8.8.8:53 fe3cr.delivery.mp.microsoft.com udp
US 8.8.8.8:53 fe3cr.delivery.mp.microsoft.com udp
US 40.125.122.151:443 fe3cr.delivery.mp.microsoft.com tcp
NL 20.101.57.9:123 time.windows.com udp
US 8.8.8.8:53 slscr.update.microsoft.com udp
IE 20.54.89.106:443 slscr.update.microsoft.com tcp
IE 20.54.89.106:443 slscr.update.microsoft.com tcp
US 8.8.8.8:53 ris.api.iris.microsoft.com udp
US 52.252.42.28:443 ris.api.iris.microsoft.com tcp
US 8.8.8.8:53 img-prod-cms-rt-microsoft-com.akamaized.net udp
FR 2.22.147.112:443 img-prod-cms-rt-microsoft-com.akamaized.net tcp

Files

memory/1436-130-0x0000000000940000-0x0000000000FD2000-memory.dmp

memory/1436-131-0x0000000000940000-0x0000000000FD2000-memory.dmp

memory/1436-132-0x0000000000940000-0x0000000000FD2000-memory.dmp

memory/1436-133-0x0000000000940000-0x0000000000FD2000-memory.dmp

memory/1752-134-0x0000000000000000-mapping.dmp

memory/4084-135-0x0000000000000000-mapping.dmp