123456.exe

max time kernel117s
max time network117s
platformwindows7_x64
resourcewin7-en-20211208
submitted20-01-2022 09:14

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

123456.exe

Filesize

2MB

Completed

20-01-2022 09:16

Score

9^/10

MD5

5dc4a3b523a6f6bae722979d338b98f8

SHA1

44043d7e66ab8131ad83654e6c5d93ba04b7c25e

SHA256

6594d1a9beec1d63c08f6e7b82826647f6df74f53e1cfedaac99430f6d7581a7

Defense Evasion

Discovery

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion

Checks BIOS information in registry

123456.exe

Description

BIOS information is often read in order to detect sandboxing environments.

TTPs

Query RegistrySystem Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	123456.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	123456.exe

Themida packer

Description

Detects Themida, an advanced Windows software protection system.

Reported IOCs

resource	yara_rule
behavioral1/memory/1572-56-0x0000000000D50000-0x0000000001426000-memory.dmp	themida
behavioral1/memory/1572-57-0x0000000000D50000-0x0000000001426000-memory.dmp	themida
behavioral1/memory/1572-59-0x0000000000D50000-0x0000000001426000-memory.dmp	themida
behavioral1/memory/1572-58-0x0000000000D50000-0x0000000001426000-memory.dmp	themida

Checks whether UAC is enabled
123456.exe

Tags

evasion trojan

TTPs

System Information Discovery

Reported IOCs

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 123456.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
123456.exe

Reported IOCs

pid process

1572 123456.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	123456.exe

pid	process
1572	123456.exe

C:\Users\Admin\AppData\Local\Temp\123456.exe

"C:\Users\Admin\AppData\Local\Temp\123456.exe"

Checks BIOS information in registry
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger

PID:1572

Collection

Command and Control

Credential Access

Defense Evasion

Virtualization/Sandbox Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

memory/1572-55-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Download
memory/1572-56-0x0000000000D50000-0x0000000001426000-memory.dmp

Download
memory/1572-57-0x0000000000D50000-0x0000000001426000-memory.dmp

Download
memory/1572-59-0x0000000000D50000-0x0000000001426000-memory.dmp

Download
memory/1572-58-0x0000000000D50000-0x0000000001426000-memory.dmp

Download

123456.exe

Filter: none

Tags

TTPs

Description

TTPs

Reported IOCs

Description

Tags

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Title