Overview

overview

9

Static

static

7

105a7f1e9f...be.exe

windows7_x64

9

105a7f1e9f...be.exe

windows10-2004_x64

9

Analysis

  • max time kernel
    158s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    05-02-2022 15:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    105a7f1e9f623633f1b1439cf15f58be.exe

  • Size

    5.7MB

  • MD5

    105a7f1e9f623633f1b1439cf15f58be

  • SHA1

    0fba1e00864607102f82c7e2cdc14856851da104

  • SHA256

    4c20cb035c923c914c129daa6f7dd77c24d3d3ad58f09c89a12d8028405bb5d0

  • SHA512

    fb7ceda860b98bf9d4def5c2ba2e2f9ee33743cd2225af19b4bffd31dcb38d6675ff77d39f5ed09bdfb0feb7582645418895c8df37e8f8bffeebac3948340127

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 51 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\105a7f1e9f623633f1b1439cf15f58be.exe
    "C:\Users\Admin\AppData\Local\Temp\105a7f1e9f623633f1b1439cf15f58be.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3804
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2756
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks computer location settings
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1808
        • C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3524
          • C:\Windows\System32\conhost.exe
            "C:\Windows\System32\conhost.exe" "qcorbjem"
            5⤵
              PID:216
    • C:\Windows\system32\MusNotifyIcon.exe
      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
      1⤵
      • Checks processor information in registry
      PID:2360
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2876

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Virtualization/Sandbox Evasion

    1
    T1497

    Credential Access

    Discovery

    Query Registry

    4
    T1012

    Virtualization/Sandbox Evasion

    1
    T1497

    System Information Discovery

    5
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
      MD5

      30c8c4ca447fd860622f594a174fef77

      SHA1

      31393d1438a8df8a7ae1e999302bbb1a37bcaeff

      SHA256

      b5092c596be24cf815584a58a20e0d373216d28e3e97d0dd41dc1eb66fbae595

      SHA512

      d8fc3ab0c81f1e334f8de4efe1866de0883f04f07b174aa6a769ceb71a8b9fe71975f3306567d91b5be6a35b481b1221ebc534a293ffecffc60d486032787b59

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
      MD5

      30c8c4ca447fd860622f594a174fef77

      SHA1

      31393d1438a8df8a7ae1e999302bbb1a37bcaeff

      SHA256

      b5092c596be24cf815584a58a20e0d373216d28e3e97d0dd41dc1eb66fbae595

      SHA512

      d8fc3ab0c81f1e334f8de4efe1866de0883f04f07b174aa6a769ceb71a8b9fe71975f3306567d91b5be6a35b481b1221ebc534a293ffecffc60d486032787b59

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
      MD5

      105a7f1e9f623633f1b1439cf15f58be

      SHA1

      0fba1e00864607102f82c7e2cdc14856851da104

      SHA256

      4c20cb035c923c914c129daa6f7dd77c24d3d3ad58f09c89a12d8028405bb5d0

      SHA512

      fb7ceda860b98bf9d4def5c2ba2e2f9ee33743cd2225af19b4bffd31dcb38d6675ff77d39f5ed09bdfb0feb7582645418895c8df37e8f8bffeebac3948340127

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
      MD5

      105a7f1e9f623633f1b1439cf15f58be

      SHA1

      0fba1e00864607102f82c7e2cdc14856851da104

      SHA256

      4c20cb035c923c914c129daa6f7dd77c24d3d3ad58f09c89a12d8028405bb5d0

      SHA512

      fb7ceda860b98bf9d4def5c2ba2e2f9ee33743cd2225af19b4bffd31dcb38d6675ff77d39f5ed09bdfb0feb7582645418895c8df37e8f8bffeebac3948340127

      Download Submit
    • memory/216-142-0x0000012F87A20000-0x0000012F87A26000-memory.dmp
      Filesize

      24KB

      Download
    • memory/216-148-0x0000012F894C3000-0x0000012F894C5000-memory.dmp
      Filesize

      8KB

      Download
    • memory/216-147-0x0000012F894C0000-0x0000012F894C2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/216-149-0x0000012F894C6000-0x0000012F894C7000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1808-137-0x0000000000400000-0x0000000000F42000-memory.dmp
      Filesize

      11.3MB

      Download
    • memory/2452-134-0x000000001CDB6000-0x000000001CDB7000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2452-133-0x000000001CDB3000-0x000000001CDB5000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2452-130-0x0000000000400000-0x0000000000F42000-memory.dmp
      Filesize

      11.3MB

      Download
    • memory/2452-132-0x000000001CDB0000-0x000000001CDB2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2452-131-0x0000000003000000-0x00000000031F4000-memory.dmp
      Filesize

      2.0MB

      Download