Overview

overview

9

Static

static

7

airplane.wtf.exe

windows10_x64

9

Analysis

  • max time kernel
    41s
  • max time network
    42s
  • platform
    windows10_x64
  • resource
    win10-de-20211208
  • submitted
    14-02-2022 15:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    airplane.wtf.exe

  • Size

    3.8MB

  • MD5

    fb1e695f13801baad5faec13476caea0

  • SHA1

    234cbf5fb007db06026223c9bf0dc2a57c633570

  • SHA256

    f47b1ed305aa05b5b84e7b994e8e6e5e8013831fec6b8922e8309d5ce28f12bc

  • SHA512

    258005109e2b4e8974411c292dc06293783c904649bd61792c814e532cfd578e00a8576cda26158d20718d484774a3362ce0fe6140ddeb30169c28ea506f04ad

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\airplane.wtf.exe
    "C:\Users\Admin\AppData\Local\Temp\airplane.wtf.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3168

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3168-116-0x0000000000AC0000-0x0000000001476000-memory.dmp
    Filesize

    9.7MB

    Download
  • memory/3168-118-0x0000000000AC0000-0x0000000001476000-memory.dmp
    Filesize

    9.7MB

    Download
  • memory/3168-119-0x00000000777D6000-0x00000000777D7000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3168-117-0x0000000074C76000-0x0000000074C77000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3168-121-0x00000000735BE000-0x00000000735BF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3168-120-0x0000000077AB4000-0x0000000077AB5000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3168-122-0x0000000006350000-0x000000000684E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3168-123-0x0000000005D90000-0x0000000005E22000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3168-124-0x0000000005D30000-0x0000000005D3A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3168-125-0x0000000005FB0000-0x0000000005FB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3168-126-0x0000000009C30000-0x0000000009D34000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3168-127-0x0000000009D40000-0x0000000009E3E000-memory.dmp
    Filesize

    1016KB

    Download
  • memory/3168-128-0x0000000005FB3000-0x0000000005FB5000-memory.dmp
    Filesize

    8KB

    Download