f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f

General

Target

f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe
Size

2.6MB
MD5

fda089a638a02b64c5175fbed3e4918b
SHA1

eef6c75a650b5d1f2f34b988fc88ceb328312c15
SHA256

f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f
SHA512

7a9d15d37fa40898b49015f457546439a61ba7ba644b082d1c6bd0f10a6a7fded631937e255839beadf966c6577650f30601333bbb852a1a9625d1e561355c96

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

13 1364 WScript.exe
14 1364 WScript.exe
15 1364 WScript.exe
16 1364 WScript.exe

flow	pid	process
13	1364	WScript.exe
14	1364	WScript.exe
15	1364	WScript.exe
16	1364	WScript.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1672-56-0x00000000008A0000-0x0000000000F61000-memory.dmp	themida
behavioral1/memory/1672-57-0x00000000008A0000-0x0000000000F61000-memory.dmp	themida
behavioral1/memory/1672-58-0x00000000008A0000-0x0000000000F61000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe

pid process

1672 f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
4	ip-api.com

pid	process
1672	f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe

pid process

1672 f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe

pid	process
1672	f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe

description	pid	process	target process
PID 1672 wrote to memory of 976	1672	f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe	WScript.exe
PID 1672 wrote to memory of 976	1672	f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe	WScript.exe
PID 1672 wrote to memory of 976	1672	f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe	WScript.exe
PID 1672 wrote to memory of 976	1672	f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe	WScript.exe
PID 1672 wrote to memory of 1364	1672	f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe	WScript.exe
PID 1672 wrote to memory of 1364	1672	f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe	WScript.exe
PID 1672 wrote to memory of 1364	1672	f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe	WScript.exe
PID 1672 wrote to memory of 1364	1672	f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe
"C:\Users\Admin\AppData\Local\Temp\f294a9d0f15513f519dfda080b37906851d8614d1211abc5f6141cd6ef6bfe7f.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\euomdaxd.vbs"
2⤵
PID:976

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aqlolcf.vbs"
2⤵
- Blocklisted process makes network request
PID:1364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Web Service

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aqlolcf.vbs
MD5
5b4664d8f8e2fc265a4c5125ac1a73c5

SHA1
f4f029984a529eb61f256c751ff9f60365c67fe3

SHA256
973c174c7b1ecc2459f8744d59d9ddf26a0d36e5344d0965f98be99070d79c8e

SHA512
00ff1576ad542bb1a6526634aaa3ff1a02633dad1fb59b634d1305aaf5098bc1a8ea50f723274e042cb3677b639c85b9032ea9c81ba0a010cad3af2afa7f697b

Download Submit
C:\Users\Admin\AppData\Local\Temp\euomdaxd.vbs
MD5
f3862ac6032672613e2f4bd737b4dec4

SHA1
49b6089d9aa48a7b8e7e5d172f6e9baab64c9846

SHA256
d3e35f9974a26413e2e60d44b06cc908b9a7044777d8df8ad4fb6af7a1b499d6

SHA512
a9c00d6406c867830789a926071d0f60ee5f221e46964d187ac91232f27b971d43c40536bfb753ca4f4e680b95f78e4eb059e3923fd83f80fc889b5ad7c7c10e

Download Submit
memory/1672-54-0x0000000075341000-0x0000000075343000-memory.dmp

Filesize
8KB

Download
memory/1672-55-0x0000000077440000-0x0000000077442000-memory.dmp

Filesize
8KB

Download
memory/1672-56-0x00000000008A0000-0x0000000000F61000-memory.dmp

Filesize
6.8MB

Download
memory/1672-57-0x00000000008A0000-0x0000000000F61000-memory.dmp

Filesize
6.8MB

Download
memory/1672-58-0x00000000008A0000-0x0000000000F61000-memory.dmp

Filesize
6.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads