74bec14e77146923dae84d4aeb0ca036182b967f4ee69818c972d1c19906eede

General

Target

Brute.exe
Size

3.6MB
MD5

a96e9cb0519ef7a3ab1fa9c1f52e8cbd
SHA1

5e2169ceaf3e28289bc6c5ec4ac1b469d17f5ba8
SHA256

c2e3de80d6a602cd08cba211d41af12236fb7faa63ed046eff261bdc4408e63c
SHA512

d333cf02075e1f23b54edc0e44112df1fc71519f2b2a3dfad2d27b253e90c80dc265a1e6f2f340fb76395e00307e7bd12f563faeae589331d73918de8c26cde1

Score

10^/10

evasion persistence suricata themida trojan

Malware Config

Signatures

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

upd_433.exe

pid process

4708 upd_433.exe

pid	process
4708	upd_433.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Brute.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Brute.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Brute.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3916-125-0x0000000000B00000-0x000000000147E000-memory.dmp	themida
behavioral2/memory/3916-126-0x0000000000B00000-0x000000000147E000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

upd_433.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinMgmt = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinKey\\WinMgmt.exe\""	upd_433.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Brute.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Brute.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Brute.exe

pid process

3916 Brute.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

920 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Brute.exe

pid process

3916 Brute.exe
3916 Brute.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Brute.exe

description pid process

Token: SeDebugPrivilege 3916 Brute.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Brute.exe

pid	process
3916	Brute.exe

pid	process
920	schtasks.exe

pid	process
3916	Brute.exe
3916	Brute.exe

description	pid	process
Token: SeDebugPrivilege	3916	Brute.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Brute.exeupd_433.execmd.exe

description	pid	process	target process
PID 3916 wrote to memory of 4708	3916	Brute.exe	upd_433.exe
PID 3916 wrote to memory of 4708	3916	Brute.exe	upd_433.exe
PID 3916 wrote to memory of 4708	3916	Brute.exe	upd_433.exe
PID 4708 wrote to memory of 520	4708	upd_433.exe	cmd.exe
PID 4708 wrote to memory of 520	4708	upd_433.exe	cmd.exe
PID 4708 wrote to memory of 520	4708	upd_433.exe	cmd.exe
PID 520 wrote to memory of 920	520	cmd.exe	schtasks.exe
PID 520 wrote to memory of 920	520	cmd.exe	schtasks.exe
PID 520 wrote to memory of 920	520	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Brute.exe
"C:\Users\Admin\AppData\Local\Temp\Brute.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916

C:\Users\Admin\AppData\Local\Temp\upd_433.exe
"C:\Users\Admin\AppData\Local\Temp\upd_433.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc minute /mo 5 /st 09:05 /tn "WinMgmt.exe" /tr '"C:\Users\Admin\AppData\Roaming\WinKey\WinMgmt.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc minute /mo 5 /st 09:05 /tn "WinMgmt.exe" /tr '"C:\Users\Admin\AppData\Roaming\WinKey\WinMgmt.exe"'
4⤵
- Creates scheduled task(s)
PID:920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\upd_433.exe
MD5
fe3f40b77341f9e428c67087f2e6bd92

SHA1
36a7670d930db2cc1755b5de9461d225e8f2f722

SHA256
669cf6310c411f45e2808cfb6beb1b0bb65edb2965fe11205417e81d01ebc5db

SHA512
c5ad0e17ef8eebac846513196b5488194bfeba8080821e404a8d3cf64eeecfa86dbb28d6625d960c36b906d65176d2782c26280537e5bc1976d3b04681a97536

Download Submit
C:\Users\Admin\AppData\Local\Temp\upd_433.exe
MD5
fe3f40b77341f9e428c67087f2e6bd92

SHA1
36a7670d930db2cc1755b5de9461d225e8f2f722

SHA256
669cf6310c411f45e2808cfb6beb1b0bb65edb2965fe11205417e81d01ebc5db

SHA512
c5ad0e17ef8eebac846513196b5488194bfeba8080821e404a8d3cf64eeecfa86dbb28d6625d960c36b906d65176d2782c26280537e5bc1976d3b04681a97536

Download Submit
memory/3916-124-0x0000000073C3E000-0x0000000073C3F000-memory.dmp

Filesize
4KB

Download
memory/3916-130-0x0000000005E40000-0x0000000005E4A000-memory.dmp

Filesize
40KB

Download
memory/3916-122-0x00000000749F6000-0x00000000749F7000-memory.dmp

Filesize
4KB

Download
memory/3916-126-0x0000000000B00000-0x000000000147E000-memory.dmp

Filesize
9.5MB

Download
memory/3916-127-0x00000000062E0000-0x00000000067DE000-memory.dmp

Filesize
5.0MB

Download
memory/3916-128-0x0000000005E80000-0x0000000005F12000-memory.dmp

Filesize
584KB

Download
memory/3916-129-0x0000000006060000-0x0000000006061000-memory.dmp

Filesize
4KB

Download
memory/3916-125-0x0000000000B00000-0x000000000147E000-memory.dmp

Filesize
9.5MB

Download
memory/3916-131-0x0000000006063000-0x0000000006065000-memory.dmp

Filesize
8KB

Download
memory/3916-123-0x0000000077A64000-0x0000000077A65000-memory.dmp

Filesize
4KB

Download
memory/3916-121-0x0000000074AE6000-0x0000000074AE7000-memory.dmp

Filesize
4KB

Download
memory/3916-138-0x000000000AC20000-0x000000000AD2E000-memory.dmp

Filesize
1.1MB

Download
memory/4708-134-0x0000000073C3E000-0x0000000073C3F000-memory.dmp

Filesize
4KB

Download
memory/4708-136-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/4708-137-0x00000000055E0000-0x000000000567C000-memory.dmp

Filesize
624KB

Download
memory/4708-135-0x00000000009F0000-0x0000000000BAC000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads