a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c

General

Target

a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
Size

2.6MB
MD5

6937e159a174fa4109c366acf4aed9ed
SHA1

90546e2e91c84758274b85da5e43cec871af8fe9
SHA256

a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c
SHA512

36e7509c72426253f984544e6ea8cf687f4feebe47e9643c6869948635882517d53a339be16bc2eb0e10fc5bd4b9099c76a2617b4407d3601125f1af9d00c282

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

13 1540 WScript.exe
14 1540 WScript.exe
15 1540 WScript.exe
16 1540 WScript.exe

flow	pid	process
13	1540	WScript.exe
14	1540	WScript.exe
15	1540	WScript.exe
16	1540	WScript.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1532-55-0x00000000013E0000-0x0000000001AA3000-memory.dmp	themida
behavioral1/memory/1532-56-0x00000000013E0000-0x0000000001AA3000-memory.dmp	themida
behavioral1/memory/1532-57-0x00000000013E0000-0x0000000001AA3000-memory.dmp	themida
behavioral1/memory/1532-58-0x00000000013E0000-0x0000000001AA3000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe

pid process

1532 a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
4	ip-api.com

pid	process
1532	a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe

pid process

1532 a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe

pid	process
1532	a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe

description	pid	process	target process
PID 1532 wrote to memory of 1336	1532	a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe	WScript.exe
PID 1532 wrote to memory of 1336	1532	a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe	WScript.exe
PID 1532 wrote to memory of 1336	1532	a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe	WScript.exe
PID 1532 wrote to memory of 1336	1532	a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe	WScript.exe
PID 1532 wrote to memory of 1540	1532	a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe	WScript.exe
PID 1532 wrote to memory of 1540	1532	a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe	WScript.exe
PID 1532 wrote to memory of 1540	1532	a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe	WScript.exe
PID 1532 wrote to memory of 1540	1532	a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
"C:\Users\Admin\AppData\Local\Temp\a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qddcywbwxihu.vbs"
2⤵
PID:1336

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vqpxankj.vbs"
2⤵
- Blocklisted process makes network request
PID:1540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qddcywbwxihu.vbs
MD5
274ce1b7ce01753b23450c9ccb448dc9

SHA1
041394b18c7a3ce50a93a6ede4fa34f30df05686

SHA256
63d6584c870a41c54f84974c2070f1b4e3d9f4b6fb919b4649c6b5d0c772ebe8

SHA512
201e27e5c9ba6a749c3f5aad924a55b64a42f4896d2d382dbc2a66223b1c059816494411281332b69ace03da70c934b3d70bc2d9c5d093dad1108bdbdc5c1fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqpxankj.vbs
MD5
d4c346c9ff1651ff0ef2b1252b3a138e

SHA1
81d65cab15e30f363daf7cf307fda3e88189ec55

SHA256
4f6f11f24d5e0e81ea8ae197086ec4cf743ef7d1014ecc10551df9091d167c7a

SHA512
45ddd7c33f9005d1cff5793d2fcf95f01a4138a14c30649c09b5cdefaba1e40d1f0e59a67679e441fcf29ad1539db2b6810fc36bc9770708ec9b982830373793

Download Submit
memory/1532-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1532-55-0x00000000013E0000-0x0000000001AA3000-memory.dmp

Filesize
6.8MB

Download
memory/1532-56-0x00000000013E0000-0x0000000001AA3000-memory.dmp

Filesize
6.8MB

Download
memory/1532-57-0x00000000013E0000-0x0000000001AA3000-memory.dmp

Filesize
6.8MB

Download
memory/1532-58-0x00000000013E0000-0x0000000001AA3000-memory.dmp

Filesize
6.8MB

Download
memory/1532-59-0x0000000077D30000-0x0000000077D32000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads