52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191

General

Target

52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe
Size

2.6MB
MD5

db9f562738a4cd6adbfde0669264da02
SHA1

350c4acbd7a7b26e3ef5d4aaaecf660c7a8a07d1
SHA256

52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191
SHA512

35b7d1f9f40e49563092c523a0a27554d22e8587e3378aea46711d20c155ac2746d24c19c15c7db3a915480e04ef738d6d19cac6a5ce1c6b881a506b2ee968e7

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

41 3204 WScript.exe

flow	pid	process
41	3204	WScript.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4824-130-0x00000000003C0000-0x0000000000A8B000-memory.dmp	themida
behavioral2/memory/4824-131-0x00000000003C0000-0x0000000000A8B000-memory.dmp	themida
behavioral2/memory/4824-132-0x00000000003C0000-0x0000000000A8B000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe

pid process

4824 52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe

flow	ioc
13	ip-api.com

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe

Modifies registry class 1 IoCs

Processes:

52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe

pid	process
4824	52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe
4824	52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	1484	svchost.exe
Token: SeCreatePagefilePrivilege	1484	svchost.exe
Token: SeShutdownPrivilege	1484	svchost.exe
Token: SeCreatePagefilePrivilege	1484	svchost.exe
Token: SeShutdownPrivilege	1484	svchost.exe
Token: SeCreatePagefilePrivilege	1484	svchost.exe
Token: SeSecurityPrivilege	4272	TiWorker.exe
Token: SeRestorePrivilege	4272	TiWorker.exe
Token: SeBackupPrivilege	4272	TiWorker.exe
Token: SeBackupPrivilege	4272	TiWorker.exe
Token: SeRestorePrivilege	4272	TiWorker.exe
Token: SeSecurityPrivilege	4272	TiWorker.exe
Token: SeBackupPrivilege	4272	TiWorker.exe
Token: SeRestorePrivilege	4272	TiWorker.exe
Token: SeSecurityPrivilege	4272	TiWorker.exe
Token: SeBackupPrivilege	4272	TiWorker.exe
Token: SeRestorePrivilege	4272	TiWorker.exe
Token: SeSecurityPrivilege	4272	TiWorker.exe
Token: SeBackupPrivilege	4272	TiWorker.exe
Token: SeRestorePrivilege	4272	TiWorker.exe
Token: SeSecurityPrivilege	4272	TiWorker.exe
Token: SeBackupPrivilege	4272	TiWorker.exe
Token: SeRestorePrivilege	4272	TiWorker.exe
Token: SeSecurityPrivilege	4272	TiWorker.exe
Token: SeBackupPrivilege	4272	TiWorker.exe
Token: SeRestorePrivilege	4272	TiWorker.exe
Token: SeSecurityPrivilege	4272	TiWorker.exe
Token: SeBackupPrivilege	4272	TiWorker.exe
Token: SeRestorePrivilege	4272	TiWorker.exe
Token: SeSecurityPrivilege	4272	TiWorker.exe
Token: SeBackupPrivilege	4272	TiWorker.exe
Token: SeRestorePrivilege	4272	TiWorker.exe
Token: SeSecurityPrivilege	4272	TiWorker.exe
Token: SeBackupPrivilege	4272	TiWorker.exe
Token: SeRestorePrivilege	4272	TiWorker.exe
Token: SeSecurityPrivilege	4272	TiWorker.exe
Token: SeBackupPrivilege	4272	TiWorker.exe
Token: SeRestorePrivilege	4272	TiWorker.exe
Token: SeSecurityPrivilege	4272	TiWorker.exe
Token: SeBackupPrivilege	4272	TiWorker.exe
Token: SeRestorePrivilege	4272	TiWorker.exe
Token: SeSecurityPrivilege	4272	TiWorker.exe
Token: SeBackupPrivilege	4272	TiWorker.exe
Token: SeRestorePrivilege	4272	TiWorker.exe
Token: SeSecurityPrivilege	4272	TiWorker.exe
Token: SeBackupPrivilege	4272	TiWorker.exe
Token: SeRestorePrivilege	4272	TiWorker.exe
Token: SeSecurityPrivilege	4272	TiWorker.exe
Token: SeBackupPrivilege	4272	TiWorker.exe
Token: SeRestorePrivilege	4272	TiWorker.exe
Token: SeSecurityPrivilege	4272	TiWorker.exe
Token: SeBackupPrivilege	4272	TiWorker.exe
Token: SeRestorePrivilege	4272	TiWorker.exe
Token: SeSecurityPrivilege	4272	TiWorker.exe
Token: SeBackupPrivilege	4272	TiWorker.exe
Token: SeRestorePrivilege	4272	TiWorker.exe
Token: SeSecurityPrivilege	4272	TiWorker.exe
Token: SeBackupPrivilege	4272	TiWorker.exe
Token: SeRestorePrivilege	4272	TiWorker.exe
Token: SeSecurityPrivilege	4272	TiWorker.exe
Token: SeBackupPrivilege	4272	TiWorker.exe
Token: SeRestorePrivilege	4272	TiWorker.exe
Token: SeSecurityPrivilege	4272	TiWorker.exe
Token: SeBackupPrivilege	4272	TiWorker.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe

description	pid	process	target process
PID 4824 wrote to memory of 3212	4824	52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe	WScript.exe
PID 4824 wrote to memory of 3212	4824	52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe	WScript.exe
PID 4824 wrote to memory of 3212	4824	52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe	WScript.exe
PID 4824 wrote to memory of 3204	4824	52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe	WScript.exe
PID 4824 wrote to memory of 3204	4824	52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe	WScript.exe
PID 4824 wrote to memory of 3204	4824	52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe
"C:\Users\Admin\AppData\Local\Temp\52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rvaatpsboq.vbs"
2⤵
PID:3212

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mlpfsstg.vbs"
2⤵
- Blocklisted process makes network request
PID:3204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Web Service

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

5

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5
343c9e85e48427e136bf3ee3133bef40

SHA1
a1599baa279455e0bafc335e38bd04b5b7784b70

SHA256
aec21c9760918ed3560b0e6ab9fa4dba3f23a2a2de5df35c7c3b4beb752906a1

SHA512
ed42a65523457414a3c9987c3cfcca814d457e5eb46b06566e4047e90e621b5f37ab3c6187802e350282a8cd92b4378bccef4dad56257b028a511a347096cba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mlpfsstg.vbs

MD5
40c5d3f7a576c68a9c875532121faf62

SHA1
ff6a8f4fec183c31252da2ef90b8ba7865e21470

SHA256
9029c1f4f3f692a12a06c7886802882d4bf0af99f0fa26a0fe9a7fcac9d97c5b

SHA512
2ee19c2c4b81ba33da0eb103e45d357b4df2edc67e71943e99fb2cf449f8654d3215544e80f10bbc3d4124c9988ecf97017d952c94925877e52922612cf7ffe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rvaatpsboq.vbs

MD5
5ce67265bcf6fe559e7dd152827ca14f

SHA1
4790d0909150bc302e97f0f6335ab1857c4d06ff

SHA256
54ca2dbc047cbc82fdd1140ba233c7cbfbd701e89f3739b019dff14d7ecd8f59

SHA512
b77343345841bb0f1c476fd6600790fa0769a4e23da8b59bab248fcc8b6a1b9272bb193fe0f21668ebd0545713b0ca34be9f39bb95b1edbef520c7e882579ca7

Download Submit
memory/1484-135-0x000002899CF30000-0x000002899CF40000-memory.dmp

Filesize
64KB

Download
memory/1484-136-0x000002899CF90000-0x000002899CFA0000-memory.dmp

Filesize
64KB

Download
memory/1484-137-0x000002899FC80000-0x000002899FC84000-memory.dmp

Filesize
16KB

Download
memory/4824-130-0x00000000003C0000-0x0000000000A8B000-memory.dmp

Filesize
6.8MB

Download
memory/4824-131-0x00000000003C0000-0x0000000000A8B000-memory.dmp

Filesize
6.8MB

Download
memory/4824-133-0x0000000077C24000-0x0000000077C26000-memory.dmp

Filesize
8KB

Download
memory/4824-132-0x00000000003C0000-0x0000000000A8B000-memory.dmp

Filesize
6.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads