43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

General

Target

min.exe
Size

6.3MB
MD5

7e80c2ae5587b824d8230e782089e86b
SHA1

90f0912a29b9cc7a55bd4b561e1a574e005cecf6
SHA256

43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c
SHA512

db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Score

10^/10

evasion persistence themida trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 4 IoCs

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exe

pid process

4464 RegHost.exe
1308 RegHost.exe
2728 RegHost.exe
2684 RegHost.exe

pid	process
4464	RegHost.exe
1308	RegHost.exe
2728	RegHost.exe
2684	RegHost.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4712-118-0x0000000140000000-0x000000014274C000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegHost.exeRegHost.exeRegHost.exemin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	min.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	min.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/3300-115-0x00007FF78B5A0000-0x00007FF78BEE9000-memory.dmp	themida
behavioral1/memory/3300-116-0x00007FF78B5A0000-0x00007FF78BEE9000-memory.dmp	themida
behavioral1/memory/3300-117-0x00007FF78B5A0000-0x00007FF78BEE9000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/4464-123-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp	themida
behavioral1/memory/4464-124-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp	themida
behavioral1/memory/4464-125-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/1308-130-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp	themida
behavioral1/memory/1308-131-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp	themida
behavioral1/memory/1308-132-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/2728-137-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp	themida
behavioral1/memory/2728-138-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp	themida
behavioral1/memory/2728-139-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

min.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	min.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

min.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	min.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

min.exeRegHost.exeRegHost.exeRegHost.exe

description	pid	process	target process
PID 3300 set thread context of 4712	3300	min.exe	bfsvc.exe
PID 3300 set thread context of 4708	3300	min.exe	explorer.exe
PID 4464 set thread context of 660	4464	RegHost.exe	bfsvc.exe
PID 4464 set thread context of 912	4464	RegHost.exe	explorer.exe
PID 1308 set thread context of 1728	1308	RegHost.exe	bfsvc.exe
PID 1308 set thread context of 1740	1308	RegHost.exe	explorer.exe
PID 2728 set thread context of 2744	2728	RegHost.exe	bfsvc.exe
PID 2728 set thread context of 396	2728	RegHost.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe
396	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

min.exeexplorer.exeRegHost.exeexplorer.exeRegHost.exe

description	pid	process	target process
PID 3300 wrote to memory of 4712	3300	min.exe	bfsvc.exe
PID 3300 wrote to memory of 4712	3300	min.exe	bfsvc.exe
PID 3300 wrote to memory of 4712	3300	min.exe	bfsvc.exe
PID 3300 wrote to memory of 4712	3300	min.exe	bfsvc.exe
PID 3300 wrote to memory of 4712	3300	min.exe	bfsvc.exe
PID 3300 wrote to memory of 4712	3300	min.exe	bfsvc.exe
PID 3300 wrote to memory of 4712	3300	min.exe	bfsvc.exe
PID 3300 wrote to memory of 4712	3300	min.exe	bfsvc.exe
PID 3300 wrote to memory of 4712	3300	min.exe	bfsvc.exe
PID 3300 wrote to memory of 4708	3300	min.exe	explorer.exe
PID 3300 wrote to memory of 4708	3300	min.exe	explorer.exe
PID 3300 wrote to memory of 4708	3300	min.exe	explorer.exe
PID 3300 wrote to memory of 4708	3300	min.exe	explorer.exe
PID 3300 wrote to memory of 4708	3300	min.exe	explorer.exe
PID 3300 wrote to memory of 4708	3300	min.exe	explorer.exe
PID 3300 wrote to memory of 4708	3300	min.exe	explorer.exe
PID 3300 wrote to memory of 4708	3300	min.exe	explorer.exe
PID 3300 wrote to memory of 4708	3300	min.exe	explorer.exe
PID 3300 wrote to memory of 4708	3300	min.exe	explorer.exe
PID 3300 wrote to memory of 4708	3300	min.exe	explorer.exe
PID 3300 wrote to memory of 4708	3300	min.exe	explorer.exe
PID 3300 wrote to memory of 4708	3300	min.exe	explorer.exe
PID 3300 wrote to memory of 4708	3300	min.exe	explorer.exe
PID 3300 wrote to memory of 4708	3300	min.exe	explorer.exe
PID 3300 wrote to memory of 4708	3300	min.exe	explorer.exe
PID 3300 wrote to memory of 4708	3300	min.exe	explorer.exe
PID 4708 wrote to memory of 4464	4708	explorer.exe	RegHost.exe
PID 4708 wrote to memory of 4464	4708	explorer.exe	RegHost.exe
PID 4464 wrote to memory of 660	4464	RegHost.exe	bfsvc.exe
PID 4464 wrote to memory of 660	4464	RegHost.exe	bfsvc.exe
PID 4464 wrote to memory of 660	4464	RegHost.exe	bfsvc.exe
PID 4464 wrote to memory of 660	4464	RegHost.exe	bfsvc.exe
PID 4464 wrote to memory of 660	4464	RegHost.exe	bfsvc.exe
PID 4464 wrote to memory of 660	4464	RegHost.exe	bfsvc.exe
PID 4464 wrote to memory of 660	4464	RegHost.exe	bfsvc.exe
PID 4464 wrote to memory of 660	4464	RegHost.exe	bfsvc.exe
PID 4464 wrote to memory of 660	4464	RegHost.exe	bfsvc.exe
PID 4464 wrote to memory of 912	4464	RegHost.exe	explorer.exe
PID 4464 wrote to memory of 912	4464	RegHost.exe	explorer.exe
PID 4464 wrote to memory of 912	4464	RegHost.exe	explorer.exe
PID 4464 wrote to memory of 912	4464	RegHost.exe	explorer.exe
PID 4464 wrote to memory of 912	4464	RegHost.exe	explorer.exe
PID 4464 wrote to memory of 912	4464	RegHost.exe	explorer.exe
PID 4464 wrote to memory of 912	4464	RegHost.exe	explorer.exe
PID 4464 wrote to memory of 912	4464	RegHost.exe	explorer.exe
PID 4464 wrote to memory of 912	4464	RegHost.exe	explorer.exe
PID 4464 wrote to memory of 912	4464	RegHost.exe	explorer.exe
PID 4464 wrote to memory of 912	4464	RegHost.exe	explorer.exe
PID 4464 wrote to memory of 912	4464	RegHost.exe	explorer.exe
PID 4464 wrote to memory of 912	4464	RegHost.exe	explorer.exe
PID 4464 wrote to memory of 912	4464	RegHost.exe	explorer.exe
PID 4464 wrote to memory of 912	4464	RegHost.exe	explorer.exe
PID 4464 wrote to memory of 912	4464	RegHost.exe	explorer.exe
PID 4464 wrote to memory of 912	4464	RegHost.exe	explorer.exe
PID 912 wrote to memory of 1308	912	explorer.exe	RegHost.exe
PID 912 wrote to memory of 1308	912	explorer.exe	RegHost.exe
PID 1308 wrote to memory of 1728	1308	RegHost.exe	bfsvc.exe
PID 1308 wrote to memory of 1728	1308	RegHost.exe	bfsvc.exe
PID 1308 wrote to memory of 1728	1308	RegHost.exe	bfsvc.exe
PID 1308 wrote to memory of 1728	1308	RegHost.exe	bfsvc.exe
PID 1308 wrote to memory of 1728	1308	RegHost.exe	bfsvc.exe
PID 1308 wrote to memory of 1728	1308	RegHost.exe	bfsvc.exe
PID 1308 wrote to memory of 1728	1308	RegHost.exe	bfsvc.exe
PID 1308 wrote to memory of 1728	1308	RegHost.exe	bfsvc.exe

C:\Users\Admin\AppData\Local\Temp\min.exe
"C:\Users\Admin\AppData\Local\Temp\min.exe"
1⤵
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
2⤵
PID:4712

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4708

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
4⤵
PID:660

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:912

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
6⤵
PID:1728

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1740

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2728

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
8⤵
PID:2744

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:396

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
9⤵
- Executes dropped EXE
PID:2684

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Disabling Security Tools

1

T1089

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
memory/396-142-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/912-128-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1308-132-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp

Filesize
9.3MB

Download
memory/1308-130-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp

Filesize
9.3MB

Download
memory/1308-131-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp

Filesize
9.3MB

Download
memory/1740-135-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2728-139-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp

Filesize
9.3MB

Download
memory/2728-137-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp

Filesize
9.3MB

Download
memory/2728-138-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp

Filesize
9.3MB

Download
memory/3300-116-0x00007FF78B5A0000-0x00007FF78BEE9000-memory.dmp

Filesize
9.3MB

Download
memory/3300-115-0x00007FF78B5A0000-0x00007FF78BEE9000-memory.dmp

Filesize
9.3MB

Download
memory/3300-117-0x00007FF78B5A0000-0x00007FF78BEE9000-memory.dmp

Filesize
9.3MB

Download
memory/4464-124-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp

Filesize
9.3MB

Download
memory/4464-125-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp

Filesize
9.3MB

Download
memory/4464-123-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp

Filesize
9.3MB

Download
memory/4708-121-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/4708-119-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/4712-118-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads