26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680

Analysis

max time kernel
118s
max time network
132s
platform
windows7_x64
resource
win7-en-20211208
submitted
15-02-2022 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
Size

3.1MB
MD5

e02a6d825992d0532b21584beeb2e91a
SHA1

375ddee62c5598026fcb1420dba4273e95cabb8d
SHA256

26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680
SHA512

80bfeb85caa5244d262684d21f02b5ccc2c206b670ae88628badf3104d90c907d211930bf3b7620ad61b4b3b1fedcd9a76c35556ed321766dbfb96cfa95621ba

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

13 1600 WScript.exe
14 1600 WScript.exe
15 1600 WScript.exe
16 1600 WScript.exe
Executes dropped EXE 2 IoCs

Processes:

enmesh.exeflaviavp.exe

pid process

1084 enmesh.exe
472 flaviavp.exe

flow	pid	process
13	1600	WScript.exe
14	1600	WScript.exe
15	1600	WScript.exe
16	1600	WScript.exe

pid	process
1084	enmesh.exe
472	flaviavp.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

flaviavp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	flaviavp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	flaviavp.exe

Loads dropped DLL 9 IoCs

Processes:

26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exeenmesh.exeflaviavp.exe

pid	process
960	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
960	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
960	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
1084	enmesh.exe
1084	enmesh.exe
1084	enmesh.exe
960	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
472	flaviavp.exe
472	flaviavp.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe	themida
C:\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe	themida
\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe	themida
\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe	themida
C:\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe	themida
behavioral1/memory/472-70-0x00000000003E0000-0x0000000000AA5000-memory.dmp	themida
behavioral1/memory/472-71-0x00000000003E0000-0x0000000000AA5000-memory.dmp	themida
behavioral1/memory/472-72-0x00000000003E0000-0x0000000000AA5000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

flaviavp.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA flaviavp.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

flaviavp.exe

pid process

472 flaviavp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	flaviavp.exe

flow	ioc
4	ip-api.com

pid	process
472	flaviavp.exe

Drops file in Program Files directory 3 IoCs

Processes:

26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe

Drops file in Windows directory 1 IoCs

Processes:

enmesh.exe

description ioc process

File opened for modification C:\Windows\ enmesh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\	enmesh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

flaviavp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	flaviavp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	flaviavp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

enmesh.exe

pid process

1084 enmesh.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

flaviavp.exe

pid process

472 flaviavp.exe

pid	process
1084	enmesh.exe

pid	process
472	flaviavp.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exeflaviavp.exe

description	pid	process	target process
PID 960 wrote to memory of 1084	960	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe	enmesh.exe
PID 960 wrote to memory of 1084	960	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe	enmesh.exe
PID 960 wrote to memory of 1084	960	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe	enmesh.exe
PID 960 wrote to memory of 1084	960	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe	enmesh.exe
PID 960 wrote to memory of 1084	960	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe	enmesh.exe
PID 960 wrote to memory of 1084	960	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe	enmesh.exe
PID 960 wrote to memory of 1084	960	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe	enmesh.exe
PID 960 wrote to memory of 472	960	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe	flaviavp.exe
PID 960 wrote to memory of 472	960	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe	flaviavp.exe
PID 960 wrote to memory of 472	960	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe	flaviavp.exe
PID 960 wrote to memory of 472	960	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe	flaviavp.exe
PID 960 wrote to memory of 472	960	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe	flaviavp.exe
PID 960 wrote to memory of 472	960	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe	flaviavp.exe
PID 960 wrote to memory of 472	960	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe	flaviavp.exe
PID 472 wrote to memory of 1056	472	flaviavp.exe	WScript.exe
PID 472 wrote to memory of 1056	472	flaviavp.exe	WScript.exe
PID 472 wrote to memory of 1056	472	flaviavp.exe	WScript.exe
PID 472 wrote to memory of 1056	472	flaviavp.exe	WScript.exe
PID 472 wrote to memory of 1056	472	flaviavp.exe	WScript.exe
PID 472 wrote to memory of 1056	472	flaviavp.exe	WScript.exe
PID 472 wrote to memory of 1056	472	flaviavp.exe	WScript.exe
PID 472 wrote to memory of 1600	472	flaviavp.exe	WScript.exe
PID 472 wrote to memory of 1600	472	flaviavp.exe	WScript.exe
PID 472 wrote to memory of 1600	472	flaviavp.exe	WScript.exe
PID 472 wrote to memory of 1600	472	flaviavp.exe	WScript.exe
PID 472 wrote to memory of 1600	472	flaviavp.exe	WScript.exe
PID 472 wrote to memory of 1600	472	flaviavp.exe	WScript.exe
PID 472 wrote to memory of 1600	472	flaviavp.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
"C:\Users\Admin\AppData\Local\Temp\26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\geason\enmesh.exe
"C:\Users\Admin\AppData\Local\Temp\geason\enmesh.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
PID:1084

C:\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe
"C:\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\binpcvuhr.vbs"
3⤵
PID:1056

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gshpjsjgxtxd.vbs"
3⤵
- Blocklisted process makes network request
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\binpcvuhr.vbs
MD5
6855c2f4dd1749f3005ac3efea1fc09a

SHA1
913e8656bdfcabda4c5c25c33b2b8b4dd054b89f

SHA256
12323bf2fc4a0784003c8bdd6a379b644c676166b838348fdf13e4f18dba4867

SHA512
a556125e61f53e8b45fd700a50f4dc8befa936db9e5911c4f1ce41ed51083af2a3d973a06a3bf4df4804d88ee6206b82107f3f94df5cc79a51c3835e80fb0aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\geason\enmesh.exe
MD5
ccbc63bdca7c5436c81f32ccfae9456c

SHA1
1d4c3083166ef769f8f0e4296c9dc8b56b12ba8b

SHA256
2061a4ba324c47bdc95660d47a7ac6b624e01d847ff4170975e7deb28500525a

SHA512
37e1c1c0c922b8f1c1ed37a40b2d5e36f06f7b6d1138abf10b5b97482f9665c6515d837080e99a60251cba6935b087dc704914a7c82364aa2e3b9439ac2a8916

Download Submit
C:\Users\Admin\AppData\Local\Temp\geason\enmesh.exe
MD5
ccbc63bdca7c5436c81f32ccfae9456c

SHA1
1d4c3083166ef769f8f0e4296c9dc8b56b12ba8b

SHA256
2061a4ba324c47bdc95660d47a7ac6b624e01d847ff4170975e7deb28500525a

SHA512
37e1c1c0c922b8f1c1ed37a40b2d5e36f06f7b6d1138abf10b5b97482f9665c6515d837080e99a60251cba6935b087dc704914a7c82364aa2e3b9439ac2a8916

Download Submit
C:\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe
MD5
9c8142047df3966d72ee64a59b467a29

SHA1
ad46a75ae11827c7776a41662abb7d0ba0d6e33a

SHA256
22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f

SHA512
4761aa85d4afec93f3b829fb9060d9f8af501674398c5764bcaf7bace8a35bef49028d326cbff956127c1600964cfb9a59b19973ca0bad0bcb91833b9bb33bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe
MD5
9c8142047df3966d72ee64a59b467a29

SHA1
ad46a75ae11827c7776a41662abb7d0ba0d6e33a

SHA256
22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f

SHA512
4761aa85d4afec93f3b829fb9060d9f8af501674398c5764bcaf7bace8a35bef49028d326cbff956127c1600964cfb9a59b19973ca0bad0bcb91833b9bb33bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gshpjsjgxtxd.vbs
MD5
476f122006b739161636a22acc4ed426

SHA1
b4474315228a62dcf015515056d42c64438680a2

SHA256
eb5e4530d0034437e90654d0d9cc3f522e894746ed3066032c78a075f2272c15

SHA512
c668ed97ffde85e5ad189d939c9501bba34bb9c05e6ccb0c4f380ebd3d070a36dcd44db08dc4a689f926a8da9822159dfaa525ba942b5c4728bbc06f83569a05

Download Submit
\Users\Admin\AppData\Local\Temp\geason\enmesh.exe
MD5
ccbc63bdca7c5436c81f32ccfae9456c

SHA1
1d4c3083166ef769f8f0e4296c9dc8b56b12ba8b

SHA256
2061a4ba324c47bdc95660d47a7ac6b624e01d847ff4170975e7deb28500525a

SHA512
37e1c1c0c922b8f1c1ed37a40b2d5e36f06f7b6d1138abf10b5b97482f9665c6515d837080e99a60251cba6935b087dc704914a7c82364aa2e3b9439ac2a8916

Download Submit
\Users\Admin\AppData\Local\Temp\geason\enmesh.exe
MD5
ccbc63bdca7c5436c81f32ccfae9456c

SHA1
1d4c3083166ef769f8f0e4296c9dc8b56b12ba8b

SHA256
2061a4ba324c47bdc95660d47a7ac6b624e01d847ff4170975e7deb28500525a

SHA512
37e1c1c0c922b8f1c1ed37a40b2d5e36f06f7b6d1138abf10b5b97482f9665c6515d837080e99a60251cba6935b087dc704914a7c82364aa2e3b9439ac2a8916

Download Submit
\Users\Admin\AppData\Local\Temp\geason\enmesh.exe
MD5
ccbc63bdca7c5436c81f32ccfae9456c

SHA1
1d4c3083166ef769f8f0e4296c9dc8b56b12ba8b

SHA256
2061a4ba324c47bdc95660d47a7ac6b624e01d847ff4170975e7deb28500525a

SHA512
37e1c1c0c922b8f1c1ed37a40b2d5e36f06f7b6d1138abf10b5b97482f9665c6515d837080e99a60251cba6935b087dc704914a7c82364aa2e3b9439ac2a8916

Download Submit
\Users\Admin\AppData\Local\Temp\geason\enmesh.exe
MD5
ccbc63bdca7c5436c81f32ccfae9456c

SHA1
1d4c3083166ef769f8f0e4296c9dc8b56b12ba8b

SHA256
2061a4ba324c47bdc95660d47a7ac6b624e01d847ff4170975e7deb28500525a

SHA512
37e1c1c0c922b8f1c1ed37a40b2d5e36f06f7b6d1138abf10b5b97482f9665c6515d837080e99a60251cba6935b087dc704914a7c82364aa2e3b9439ac2a8916

Download Submit
\Users\Admin\AppData\Local\Temp\geason\enmesh.exe
MD5
ccbc63bdca7c5436c81f32ccfae9456c

SHA1
1d4c3083166ef769f8f0e4296c9dc8b56b12ba8b

SHA256
2061a4ba324c47bdc95660d47a7ac6b624e01d847ff4170975e7deb28500525a

SHA512
37e1c1c0c922b8f1c1ed37a40b2d5e36f06f7b6d1138abf10b5b97482f9665c6515d837080e99a60251cba6935b087dc704914a7c82364aa2e3b9439ac2a8916

Download Submit
\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe
MD5
9c8142047df3966d72ee64a59b467a29

SHA1
ad46a75ae11827c7776a41662abb7d0ba0d6e33a

SHA256
22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f

SHA512
4761aa85d4afec93f3b829fb9060d9f8af501674398c5764bcaf7bace8a35bef49028d326cbff956127c1600964cfb9a59b19973ca0bad0bcb91833b9bb33bc0

Download Submit
\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe
MD5
9c8142047df3966d72ee64a59b467a29

SHA1
ad46a75ae11827c7776a41662abb7d0ba0d6e33a

SHA256
22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f

SHA512
4761aa85d4afec93f3b829fb9060d9f8af501674398c5764bcaf7bace8a35bef49028d326cbff956127c1600964cfb9a59b19973ca0bad0bcb91833b9bb33bc0

Download Submit
\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe
MD5
9c8142047df3966d72ee64a59b467a29

SHA1
ad46a75ae11827c7776a41662abb7d0ba0d6e33a

SHA256
22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f

SHA512
4761aa85d4afec93f3b829fb9060d9f8af501674398c5764bcaf7bace8a35bef49028d326cbff956127c1600964cfb9a59b19973ca0bad0bcb91833b9bb33bc0

Download Submit
\Users\Admin\AppData\Local\Temp\nsdDF58.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/472-71-0x00000000003E0000-0x0000000000AA5000-memory.dmp

Filesize
6.8MB

Download
memory/472-72-0x00000000003E0000-0x0000000000AA5000-memory.dmp

Filesize
6.8MB

Download
memory/472-70-0x00000000003E0000-0x0000000000AA5000-memory.dmp

Filesize
6.8MB

Download
memory/960-54-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/1084-76-0x0000000000520000-0x0000000000568000-memory.dmp

Filesize
288KB

Download
memory/1084-75-0x0000000000520000-0x0000000000568000-memory.dmp

Filesize
288KB

Download
memory/1084-80-0x000000000045A000-0x000000000045C000-memory.dmp

Filesize
8KB

Download
memory/1084-79-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download