dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e

General

Target

dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
Size

2.4MB
MD5

2ca1fa563d961e96561622edcab5d864
SHA1

d9fcd898fe5ddc4a19ae97a6c4ff1f2664a808ac
SHA256

dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e
SHA512

916443f39a0e14431b369a6b9c8d37ab12689559f39f3bbd0f9988aa17db2a914c01c9e14cbf7be92146427046e81c76e3dc91f1e767428079c60956e1414b7d

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

13 1536 WScript.exe
14 1536 WScript.exe
15 1536 WScript.exe
16 1536 WScript.exe

flow	pid	process
13	1536	WScript.exe
14	1536	WScript.exe
15	1536	WScript.exe
16	1536	WScript.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1072-55-0x0000000001280000-0x00000000018EE000-memory.dmp	themida
behavioral1/memory/1072-56-0x0000000001280000-0x00000000018EE000-memory.dmp	themida
behavioral1/memory/1072-57-0x0000000001280000-0x00000000018EE000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe

pid process

1072 dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
4	ip-api.com

pid	process
1072	dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe

pid process

1072 dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe

pid	process
1072	dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe

description	pid	process	target process
PID 1072 wrote to memory of 1812	1072	dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe	WScript.exe
PID 1072 wrote to memory of 1812	1072	dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe	WScript.exe
PID 1072 wrote to memory of 1812	1072	dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe	WScript.exe
PID 1072 wrote to memory of 1812	1072	dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe	WScript.exe
PID 1072 wrote to memory of 1536	1072	dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe	WScript.exe
PID 1072 wrote to memory of 1536	1072	dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe	WScript.exe
PID 1072 wrote to memory of 1536	1072	dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe	WScript.exe
PID 1072 wrote to memory of 1536	1072	dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe
"C:\Users\Admin\AppData\Local\Temp\dc0b3b9b3bdc64d5074f2126ed397258effa721601c645428bcc653b8cdf2f4e.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fgfjlwu.vbs"
2⤵
PID:1812

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\shhqttdd.vbs"
2⤵
- Blocklisted process makes network request
PID:1536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fgfjlwu.vbs
MD5
659c37cf26a1cacfdddd3f6825fa4e90

SHA1
c78b4d148126ccac0ad3116b356a3170f674c343

SHA256
0c2e8d25fe726c9fd77f70ca1c31d051c84f196a276d8419fd9afdcef12b8732

SHA512
056ec4eba7ffa96fa50fbcac40f763b79fc567077853d434c4ac3a86980e72299382d62bdc210354652f9c7330cb571a9ac10189d7349b2aea40e2f45498fb09

Download Submit
C:\Users\Admin\AppData\Local\Temp\shhqttdd.vbs
MD5
f541b7297a1718b237a840ed1d783d7e

SHA1
4d4d33cf0934c8b67db52f923cdd90d6c6af6fd2

SHA256
ff7bd6ddaefa92ef8a4d2c6dcf61421ceddb2ab8d9deb648e5d75994fa52c5d3

SHA512
5c758149fd1d0ebbbd87ee4cdb9c930892f0194d7d9ccb0a17b365f820a6da4280b8a5ebc0b228be4ec0ffd02fe5011e0677c517d0429ce8ed4e15224446a0e3

Download Submit
memory/1072-53-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1072-54-0x0000000077850000-0x0000000077852000-memory.dmp

Filesize
8KB

Download
memory/1072-55-0x0000000001280000-0x00000000018EE000-memory.dmp

Filesize
6.4MB

Download
memory/1072-56-0x0000000001280000-0x00000000018EE000-memory.dmp

Filesize
6.4MB

Download
memory/1072-57-0x0000000001280000-0x00000000018EE000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads