Analysis

  • max time kernel: 147s
  • max time network: 156s
  • platform: windows10-2004_x64
  • resource: win10v2004-en-20220113
  • submitted: 15-02-2022 07:20

General

  • Target: a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
  • Size: 2.6MB
  • MD5: 6937e159a174fa4109c366acf4aed9ed
  • SHA1: 90546e2e91c84758274b85da5e43cec871af8fe9
  • SHA256: a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c
  • SHA512: 36e7509c72426253f984544e6ea8cf687f4feebe47e9643c6869948635882517d53a339be16bc2eb0e10fc5bd4b9099c76a2617b4407d3601125f1af9d00c282

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Blocklisted process makes network request 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe
    "C:\Users\Admin\AppData\Local\Temp\a7e2615032997525b722b12c6303ba286160b293d598f3704b916c1bf6fbcb8c.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:996
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\inesven.vbs"
      2⤵
        PID:4912
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\diidxpemfa.vbs"
        2⤵
        • Blocklisted process makes network request
        PID:1848
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:116
    • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
      C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3492

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    • Defense Evasion
      • Virtualization/Sandbox Evasion (T1497): 1
    • Discovery
      • Query Registry (T1012): 4
      • Virtualization/Sandbox Evasion (T1497): 1
      • System Information Discovery (T1082): 5
    • Command and Control
      • Web Service (T1102): 1


    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
      MD5: 54e9306f95f32e50ccd58af19753d929
      SHA1: eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
      SHA256: 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
      SHA512: 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
      MD5: 5a2ff3604b9d33057b47861f5f16cbee
      SHA1: 4873dda38975714d72ecac1296331a35eb649c55
      SHA256: a382dd51981224e866100b9ecc1402a5d890d014222dd03ca1e3c1354f8de29b
      SHA512: 7ac9e7a41033ceeb163169eb0fb4887e51de5f191dd897d10cf5c1d883e9bc92560ed7e72da6c85801271785ed5c702d8dbf6ac2dde3198f6496068453c3ee74

    • C:\Users\Admin\AppData\Local\Temp\diidxpemfa.vbs
      MD5: 54ec4314cfd4a869bc4cb118646a1bc5
      SHA1: 5fa512e52c775eba2d7843136d889dbcd8c993d6
      SHA256: 9952bff78a8e88ea1f6a7991dd07deab22473138b646ec7ac0c1f7ccf57bb33c
      SHA512: 8c9c206b68c6e1f8a8a630ab4ae98a1b047a9209caad1e1652e63785762b5ca5b55b4212681300ffe784aa957cbec178aa5f002f74c95f83eadf42c5f0a92c70

    • C:\Users\Admin\AppData\Local\Temp\inesven.vbs
      MD5: 6e4301c8c12b1ecec4057cce04a9c7e5
      SHA1: 09e3540c656086b1f2182a765ef5a0729ec0a11c
      SHA256: 781f7e903db5f6447b2699be1a89376e0a591e495b7827d9660d8a4bb6d08b5d
      SHA512: 39a3a7e42851a33c591eb73191fd2aba3d91fea26141807df9268d67d05e6c903d257cbc0e6065c81e7cfb1a01ac4619c0dcc2b945ccbed11a113ba2f0df36ef

    • memory/116-136-0x0000018CBD820000-0x0000018CBD830000-memory.dmp
      Filesize: 64KB

    • memory/116-137-0x0000018CBD880000-0x0000018CBD890000-memory.dmp
      Filesize: 64KB

    • memory/116-138-0x0000018CBFF40000-0x0000018CBFF44000-memory.dmp
      Filesize: 16KB

    • memory/996-130-0x0000000000FB0000-0x0000000001673000-memory.dmp
      Filesize: 6.8MB

    • memory/996-131-0x0000000000FB0000-0x0000000001673000-memory.dmp
      Filesize: 6.8MB

    • memory/996-132-0x0000000000FB0000-0x0000000001673000-memory.dmp
      Filesize: 6.8MB

    • memory/996-133-0x0000000000FB0000-0x0000000001673000-memory.dmp
      Filesize: 6.8MB

    • memory/996-134-0x0000000076F54000-0x0000000076F56000-memory.dmp
      Filesize: 8KB