123456.exe

General

Target:    123456.exe
Filesize:  2MB
Completed: 20-01-2022 09:16
Score:     9/10
MD5:       5dc4a3b523a6f6bae722979d338b98f8
SHA1:      44043d7e66ab8131ad83654e6c5d93ba04b7c25e
SHA256:    6594d1a9beec1d63c08f6e7b82826647f6df74f53e1cfedaac99430f6d7581a7

Malware Config
Signatures (5)

Defense Evasion
Discovery
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Checks BIOS information in registry
    123456.exe

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    Description       | IOC                                                             | Process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 123456.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | 123456.exe
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Reported IOCs

    Resource                                                                    | YARA rule
    behavioral1/memory/1572-56-0x0000000000D50000-0x0000000001426000-memory.dmp | themida
    behavioral1/memory/1572-57-0x0000000000D50000-0x0000000001426000-memory.dmp | themida
    behavioral1/memory/1572-59-0x0000000000D50000-0x0000000001426000-memory.dmp | themida
    behavioral1/memory/1572-58-0x0000000000D50000-0x0000000001426000-memory.dmp | themida
  • Checks whether UAC is enabled
    123456.exe

    TTPs

    System Information Discovery

    Reported IOCs

    Description       | IOC                                                                                  | Process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 123456.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    123456.exe

    Reported IOCs

    PID  | Process
    1572 | 123456.exe
Processes (1)
  • C:\Users\Admin\AppData\Local\Temp\123456.exe
    "C:\Users\Admin\AppData\Local\Temp\123456.exe"
    Checks BIOS information in registry
    Checks whether UAC is enabled
    Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1572
Network
MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation
Downloads
  • memory/1572-55-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
  • memory/1572-56-0x0000000000D50000-0x0000000001426000-memory.dmp
  • memory/1572-57-0x0000000000D50000-0x0000000001426000-memory.dmp
  • memory/1572-59-0x0000000000D50000-0x0000000001426000-memory.dmp
  • memory/1572-58-0x0000000000D50000-0x0000000001426000-memory.dmp