43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

General

Target

7e80c2ae5587b824d8230e782089e86b.exe
Size

6.3MB
MD5

7e80c2ae5587b824d8230e782089e86b
SHA1

90f0912a29b9cc7a55bd4b561e1a574e005cecf6
SHA256

43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c
SHA512

db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Score

10^/10

evasion persistence themida trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 2 IoCs

Processes:

RegHost.exeRegHost.exe

pid process

1992 RegHost.exe
676 RegHost.exe

pid	process
1992	RegHost.exe
676	RegHost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/524-59-0x0000000140000000-0x000000014274C000-memory.dmp	upx
behavioral1/memory/524-60-0x0000000140000000-0x000000014274C000-memory.dmp	upx
behavioral1/memory/524-61-0x0000000140000000-0x000000014274C000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7e80c2ae5587b824d8230e782089e86b.exeRegHost.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7e80c2ae5587b824d8230e782089e86b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7e80c2ae5587b824d8230e782089e86b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe

Loads dropped DLL 3 IoCs

Processes:

explorer.exeexplorer.exe

pid process

972 explorer.exe
972 explorer.exe
1492 explorer.exe

Themida packer 15 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1928-55-0x000000013FD10000-0x0000000140659000-memory.dmp	themida
behavioral1/memory/1928-56-0x000000013FD10000-0x0000000140659000-memory.dmp	themida
behavioral1/memory/1928-57-0x000000013FD10000-0x0000000140659000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/1992-77-0x000000013F1B0000-0x000000013FAF9000-memory.dmp	themida
behavioral1/memory/1992-78-0x000000013F1B0000-0x000000013FAF9000-memory.dmp	themida
behavioral1/memory/1992-79-0x000000013F1B0000-0x000000013FAF9000-memory.dmp	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/676-97-0x000000013F6E0000-0x0000000140029000-memory.dmp	themida
behavioral1/memory/676-98-0x000000013F6E0000-0x0000000140029000-memory.dmp	themida
behavioral1/memory/676-99-0x000000013F6E0000-0x0000000140029000-memory.dmp	themida

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7e80c2ae5587b824d8230e782089e86b.exeRegHost.exeRegHost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	7e80c2ae5587b824d8230e782089e86b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

7e80c2ae5587b824d8230e782089e86b.exeRegHost.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e80c2ae5587b824d8230e782089e86b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

7e80c2ae5587b824d8230e782089e86b.exeRegHost.exeRegHost.exe

description	pid	process	target process
PID 1928 set thread context of 524	1928	7e80c2ae5587b824d8230e782089e86b.exe	bfsvc.exe
PID 1928 set thread context of 972	1928	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 1992 set thread context of 1244	1992	RegHost.exe	bfsvc.exe
PID 1992 set thread context of 1492	1992	RegHost.exe	explorer.exe
PID 676 set thread context of 1748	676	RegHost.exe	bfsvc.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
1492	explorer.exe
1492	explorer.exe
1492	explorer.exe
1492	explorer.exe
1492	explorer.exe
1492	explorer.exe
1492	explorer.exe
1492	explorer.exe
1492	explorer.exe
1492	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7e80c2ae5587b824d8230e782089e86b.exeexplorer.exeRegHost.exeexplorer.exeRegHost.exe

description	pid	process	target process
PID 1928 wrote to memory of 524	1928	7e80c2ae5587b824d8230e782089e86b.exe	bfsvc.exe
PID 1928 wrote to memory of 524	1928	7e80c2ae5587b824d8230e782089e86b.exe	bfsvc.exe
PID 1928 wrote to memory of 524	1928	7e80c2ae5587b824d8230e782089e86b.exe	bfsvc.exe
PID 1928 wrote to memory of 524	1928	7e80c2ae5587b824d8230e782089e86b.exe	bfsvc.exe
PID 1928 wrote to memory of 524	1928	7e80c2ae5587b824d8230e782089e86b.exe	bfsvc.exe
PID 1928 wrote to memory of 524	1928	7e80c2ae5587b824d8230e782089e86b.exe	bfsvc.exe
PID 1928 wrote to memory of 524	1928	7e80c2ae5587b824d8230e782089e86b.exe	bfsvc.exe
PID 1928 wrote to memory of 524	1928	7e80c2ae5587b824d8230e782089e86b.exe	bfsvc.exe
PID 1928 wrote to memory of 524	1928	7e80c2ae5587b824d8230e782089e86b.exe	bfsvc.exe
PID 1928 wrote to memory of 972	1928	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 1928 wrote to memory of 972	1928	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 1928 wrote to memory of 972	1928	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 1928 wrote to memory of 972	1928	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 1928 wrote to memory of 972	1928	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 1928 wrote to memory of 972	1928	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 1928 wrote to memory of 972	1928	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 1928 wrote to memory of 972	1928	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 1928 wrote to memory of 972	1928	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 1928 wrote to memory of 972	1928	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 1928 wrote to memory of 972	1928	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 1928 wrote to memory of 972	1928	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 1928 wrote to memory of 972	1928	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 1928 wrote to memory of 972	1928	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 1928 wrote to memory of 972	1928	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 1928 wrote to memory of 972	1928	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 1928 wrote to memory of 972	1928	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 1928 wrote to memory of 972	1928	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 972 wrote to memory of 1992	972	explorer.exe	RegHost.exe
PID 972 wrote to memory of 1992	972	explorer.exe	RegHost.exe
PID 972 wrote to memory of 1992	972	explorer.exe	RegHost.exe
PID 1992 wrote to memory of 1244	1992	RegHost.exe	bfsvc.exe
PID 1992 wrote to memory of 1244	1992	RegHost.exe	bfsvc.exe
PID 1992 wrote to memory of 1244	1992	RegHost.exe	bfsvc.exe
PID 1992 wrote to memory of 1244	1992	RegHost.exe	bfsvc.exe
PID 1992 wrote to memory of 1244	1992	RegHost.exe	bfsvc.exe
PID 1992 wrote to memory of 1244	1992	RegHost.exe	bfsvc.exe
PID 1992 wrote to memory of 1244	1992	RegHost.exe	bfsvc.exe
PID 1992 wrote to memory of 1244	1992	RegHost.exe	bfsvc.exe
PID 1992 wrote to memory of 1244	1992	RegHost.exe	bfsvc.exe
PID 1992 wrote to memory of 1492	1992	RegHost.exe	explorer.exe
PID 1992 wrote to memory of 1492	1992	RegHost.exe	explorer.exe
PID 1992 wrote to memory of 1492	1992	RegHost.exe	explorer.exe
PID 1992 wrote to memory of 1492	1992	RegHost.exe	explorer.exe
PID 1992 wrote to memory of 1492	1992	RegHost.exe	explorer.exe
PID 1992 wrote to memory of 1492	1992	RegHost.exe	explorer.exe
PID 1992 wrote to memory of 1492	1992	RegHost.exe	explorer.exe
PID 1992 wrote to memory of 1492	1992	RegHost.exe	explorer.exe
PID 1992 wrote to memory of 1492	1992	RegHost.exe	explorer.exe
PID 1992 wrote to memory of 1492	1992	RegHost.exe	explorer.exe
PID 1992 wrote to memory of 1492	1992	RegHost.exe	explorer.exe
PID 1992 wrote to memory of 1492	1992	RegHost.exe	explorer.exe
PID 1992 wrote to memory of 1492	1992	RegHost.exe	explorer.exe
PID 1992 wrote to memory of 1492	1992	RegHost.exe	explorer.exe
PID 1992 wrote to memory of 1492	1992	RegHost.exe	explorer.exe
PID 1992 wrote to memory of 1492	1992	RegHost.exe	explorer.exe
PID 1992 wrote to memory of 1492	1992	RegHost.exe	explorer.exe
PID 1992 wrote to memory of 1492	1992	RegHost.exe	explorer.exe
PID 1492 wrote to memory of 676	1492	explorer.exe	RegHost.exe
PID 1492 wrote to memory of 676	1492	explorer.exe	RegHost.exe
PID 1492 wrote to memory of 676	1492	explorer.exe	RegHost.exe
PID 676 wrote to memory of 1748	676	RegHost.exe	bfsvc.exe
PID 676 wrote to memory of 1748	676	RegHost.exe	bfsvc.exe
PID 676 wrote to memory of 1748	676	RegHost.exe	bfsvc.exe
PID 676 wrote to memory of 1748	676	RegHost.exe	bfsvc.exe

C:\Users\Admin\AppData\Local\Temp\7e80c2ae5587b824d8230e782089e86b.exe
"C:\Users\Admin\AppData\Local\Temp\7e80c2ae5587b824d8230e782089e86b.exe"
1⤵
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
2⤵
PID:524

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Standard%20VGA%20Graphics%20Adapter" "Toncoin" "ton"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
4⤵
PID:1244

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Standard%20VGA%20Graphics%20Adapter" "Toncoin" "ton"
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
6⤵
PID:1748

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Standard%20VGA%20Graphics%20Adapter" "Toncoin" "ton"
6⤵
PID:800

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Disabling Security Tools

1

T1089

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
memory/524-58-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download
memory/524-61-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download
memory/524-60-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download
memory/524-59-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download
memory/676-97-0x000000013F6E0000-0x0000000140029000-memory.dmp

Filesize
9.3MB

Download
memory/676-98-0x000000013F6E0000-0x0000000140029000-memory.dmp

Filesize
9.3MB

Download
memory/676-99-0x000000013F6E0000-0x0000000140029000-memory.dmp

Filesize
9.3MB

Download
memory/972-69-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/972-65-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/972-68-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/972-71-0x000007FEFC151000-0x000007FEFC153000-memory.dmp

Filesize
8KB

Download
memory/972-70-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/972-62-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/972-63-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/972-64-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/972-76-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/972-67-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/972-66-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1492-93-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1928-55-0x000000013FD10000-0x0000000140659000-memory.dmp

Filesize
9.3MB

Download
memory/1928-57-0x000000013FD10000-0x0000000140659000-memory.dmp

Filesize
9.3MB

Download
memory/1928-56-0x000000013FD10000-0x0000000140659000-memory.dmp

Filesize
9.3MB

Download
memory/1992-79-0x000000013F1B0000-0x000000013FAF9000-memory.dmp

Filesize
9.3MB

Download
memory/1992-78-0x000000013F1B0000-0x000000013FAF9000-memory.dmp

Filesize
9.3MB

Download
memory/1992-77-0x000000013F1B0000-0x000000013FAF9000-memory.dmp

Filesize
9.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads