4c20cb035c923c914c129daa6f7dd77c24d3d3ad58f09c89a12d8028405bb5d0

General

Target

105a7f1e9f623633f1b1439cf15f58be.exe
Size

5.7MB
MD5

105a7f1e9f623633f1b1439cf15f58be
SHA1

0fba1e00864607102f82c7e2cdc14856851da104
SHA256

4c20cb035c923c914c129daa6f7dd77c24d3d3ad58f09c89a12d8028405bb5d0
SHA512

fb7ceda860b98bf9d4def5c2ba2e2f9ee33743cd2225af19b4bffd31dcb38d6675ff77d39f5ed09bdfb0feb7582645418895c8df37e8f8bffeebac3948340127

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 2 IoCs

Processes:

services.exesihost64.exe

pid process

808 services.exe
1220 sihost64.exe

pid	process
808	services.exe
1220	sihost64.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

services.exe105a7f1e9f623633f1b1439cf15f58be.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	services.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	services.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	105a7f1e9f623633f1b1439cf15f58be.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	105a7f1e9f623633f1b1439cf15f58be.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exeservices.exe

pid process

588 cmd.exe
808 services.exe

pid	process
588	cmd.exe
808	services.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2016-54-0x0000000000400000-0x0000000000F42000-memory.dmp	themida
\Users\Admin\AppData\Roaming\Microsoft\services.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\services.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\services.exe	themida
behavioral1/memory/808-64-0x0000000000400000-0x0000000000F42000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

services.exe105a7f1e9f623633f1b1439cf15f58be.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	105a7f1e9f623633f1b1439cf15f58be.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

105a7f1e9f623633f1b1439cf15f58be.exeservices.exe

pid process

2016 105a7f1e9f623633f1b1439cf15f58be.exe
808 services.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

524 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

105a7f1e9f623633f1b1439cf15f58be.exeservices.exe

pid process

2016 105a7f1e9f623633f1b1439cf15f58be.exe
808 services.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

105a7f1e9f623633f1b1439cf15f58be.exeservices.exe

description pid process

Token: SeDebugPrivilege 2016 105a7f1e9f623633f1b1439cf15f58be.exe
Token: SeDebugPrivilege 808 services.exe

pid	process
2016	105a7f1e9f623633f1b1439cf15f58be.exe
808	services.exe

pid	process
524	schtasks.exe

pid	process
2016	105a7f1e9f623633f1b1439cf15f58be.exe
808	services.exe

description	pid	process
Token: SeDebugPrivilege	2016	105a7f1e9f623633f1b1439cf15f58be.exe
Token: SeDebugPrivilege	808	services.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

105a7f1e9f623633f1b1439cf15f58be.execmd.execmd.exeservices.exesihost64.exe

description	pid	process	target process
PID 2016 wrote to memory of 960	2016	105a7f1e9f623633f1b1439cf15f58be.exe	cmd.exe
PID 2016 wrote to memory of 960	2016	105a7f1e9f623633f1b1439cf15f58be.exe	cmd.exe
PID 2016 wrote to memory of 960	2016	105a7f1e9f623633f1b1439cf15f58be.exe	cmd.exe
PID 960 wrote to memory of 524	960	cmd.exe	schtasks.exe
PID 960 wrote to memory of 524	960	cmd.exe	schtasks.exe
PID 960 wrote to memory of 524	960	cmd.exe	schtasks.exe
PID 2016 wrote to memory of 588	2016	105a7f1e9f623633f1b1439cf15f58be.exe	cmd.exe
PID 2016 wrote to memory of 588	2016	105a7f1e9f623633f1b1439cf15f58be.exe	cmd.exe
PID 2016 wrote to memory of 588	2016	105a7f1e9f623633f1b1439cf15f58be.exe	cmd.exe
PID 588 wrote to memory of 808	588	cmd.exe	services.exe
PID 588 wrote to memory of 808	588	cmd.exe	services.exe
PID 588 wrote to memory of 808	588	cmd.exe	services.exe
PID 808 wrote to memory of 1220	808	services.exe	sihost64.exe
PID 808 wrote to memory of 1220	808	services.exe	sihost64.exe
PID 808 wrote to memory of 1220	808	services.exe	sihost64.exe
PID 1220 wrote to memory of 1968	1220	sihost64.exe	conhost.exe
PID 1220 wrote to memory of 1968	1220	sihost64.exe	conhost.exe
PID 1220 wrote to memory of 1968	1220	sihost64.exe	conhost.exe
PID 1220 wrote to memory of 1968	1220	sihost64.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\105a7f1e9f623633f1b1439cf15f58be.exe
"C:\Users\Admin\AppData\Local\Temp\105a7f1e9f623633f1b1439cf15f58be.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
3⤵
- Creates scheduled task(s)
PID:524

C:\Windows\system32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588

C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "qcorbjem"
5⤵
PID:1968

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
30c8c4ca447fd860622f594a174fef77

SHA1
31393d1438a8df8a7ae1e999302bbb1a37bcaeff

SHA256
b5092c596be24cf815584a58a20e0d373216d28e3e97d0dd41dc1eb66fbae595

SHA512
d8fc3ab0c81f1e334f8de4efe1866de0883f04f07b174aa6a769ceb71a8b9fe71975f3306567d91b5be6a35b481b1221ebc534a293ffecffc60d486032787b59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
MD5
105a7f1e9f623633f1b1439cf15f58be

SHA1
0fba1e00864607102f82c7e2cdc14856851da104

SHA256
4c20cb035c923c914c129daa6f7dd77c24d3d3ad58f09c89a12d8028405bb5d0

SHA512
fb7ceda860b98bf9d4def5c2ba2e2f9ee33743cd2225af19b4bffd31dcb38d6675ff77d39f5ed09bdfb0feb7582645418895c8df37e8f8bffeebac3948340127

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
MD5
105a7f1e9f623633f1b1439cf15f58be

SHA1
0fba1e00864607102f82c7e2cdc14856851da104

SHA256
4c20cb035c923c914c129daa6f7dd77c24d3d3ad58f09c89a12d8028405bb5d0

SHA512
fb7ceda860b98bf9d4def5c2ba2e2f9ee33743cd2225af19b4bffd31dcb38d6675ff77d39f5ed09bdfb0feb7582645418895c8df37e8f8bffeebac3948340127

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
30c8c4ca447fd860622f594a174fef77

SHA1
31393d1438a8df8a7ae1e999302bbb1a37bcaeff

SHA256
b5092c596be24cf815584a58a20e0d373216d28e3e97d0dd41dc1eb66fbae595

SHA512
d8fc3ab0c81f1e334f8de4efe1866de0883f04f07b174aa6a769ceb71a8b9fe71975f3306567d91b5be6a35b481b1221ebc534a293ffecffc60d486032787b59

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\services.exe
MD5
105a7f1e9f623633f1b1439cf15f58be

SHA1
0fba1e00864607102f82c7e2cdc14856851da104

SHA256
4c20cb035c923c914c129daa6f7dd77c24d3d3ad58f09c89a12d8028405bb5d0

SHA512
fb7ceda860b98bf9d4def5c2ba2e2f9ee33743cd2225af19b4bffd31dcb38d6675ff77d39f5ed09bdfb0feb7582645418895c8df37e8f8bffeebac3948340127

Download Submit
memory/808-64-0x0000000000400000-0x0000000000F42000-memory.dmp

Filesize
11.3MB

Download
memory/808-65-0x0000000003532000-0x0000000003534000-memory.dmp

Filesize
8KB

Download
memory/808-67-0x0000000003536000-0x0000000003537000-memory.dmp

Filesize
4KB

Download
memory/808-68-0x0000000003537000-0x0000000003538000-memory.dmp

Filesize
4KB

Download
memory/808-66-0x0000000003534000-0x0000000003536000-memory.dmp

Filesize
8KB

Download
memory/1968-72-0x0000000000060000-0x0000000000066000-memory.dmp

Filesize
24KB

Download
memory/1968-71-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/1968-73-0x0000000001CD0000-0x0000000002150000-memory.dmp

Filesize
4.5MB

Download
memory/1968-74-0x0000000001CD0000-0x0000000002150000-memory.dmp

Filesize
4.5MB

Download
memory/1968-75-0x0000000001CD0000-0x0000000002150000-memory.dmp

Filesize
4.5MB

Download
memory/1968-76-0x0000000001CD0000-0x0000000002150000-memory.dmp

Filesize
4.5MB

Download
memory/2016-54-0x0000000000400000-0x0000000000F42000-memory.dmp

Filesize
11.3MB

Download
memory/2016-58-0x000000001C214000-0x000000001C216000-memory.dmp

Filesize
8KB

Download
memory/2016-57-0x000000001C212000-0x000000001C214000-memory.dmp

Filesize
8KB

Download
memory/2016-59-0x000000001C216000-0x000000001C217000-memory.dmp

Filesize
4KB

Download
memory/2016-56-0x000000001C490000-0x000000001C684000-memory.dmp

Filesize
2.0MB

Download
memory/2016-55-0x0000000002C30000-0x0000000002E24000-memory.dmp

Filesize
2.0MB

Download
memory/2016-60-0x000000001C217000-0x000000001C218000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads