22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f

General

Target

22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe
Size

2.6MB
MD5

9c8142047df3966d72ee64a59b467a29
SHA1

ad46a75ae11827c7776a41662abb7d0ba0d6e33a
SHA256

22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f
SHA512

4761aa85d4afec93f3b829fb9060d9f8af501674398c5764bcaf7bace8a35bef49028d326cbff956127c1600964cfb9a59b19973ca0bad0bcb91833b9bb33bc0

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

13 1104 WScript.exe
14 1104 WScript.exe
15 1104 WScript.exe
16 1104 WScript.exe

flow	pid	process
13	1104	WScript.exe
14	1104	WScript.exe
15	1104	WScript.exe
16	1104	WScript.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1488-55-0x0000000001120000-0x00000000017E5000-memory.dmp	themida
behavioral1/memory/1488-56-0x0000000001120000-0x00000000017E5000-memory.dmp	themida
behavioral1/memory/1488-57-0x0000000001120000-0x00000000017E5000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe

pid process

1488 22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
4	ip-api.com

pid	process
1488	22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe

pid process

1488 22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe

pid	process
1488	22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe

description	pid	process	target process
PID 1488 wrote to memory of 1768	1488	22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe	WScript.exe
PID 1488 wrote to memory of 1768	1488	22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe	WScript.exe
PID 1488 wrote to memory of 1768	1488	22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe	WScript.exe
PID 1488 wrote to memory of 1768	1488	22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe	WScript.exe
PID 1488 wrote to memory of 1104	1488	22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe	WScript.exe
PID 1488 wrote to memory of 1104	1488	22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe	WScript.exe
PID 1488 wrote to memory of 1104	1488	22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe	WScript.exe
PID 1488 wrote to memory of 1104	1488	22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe
"C:\Users\Admin\AppData\Local\Temp\22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jqpiwbxq.vbs"
2⤵
PID:1768

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\psykwlf.vbs"
2⤵
- Blocklisted process makes network request
PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Web Service

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jqpiwbxq.vbs

MD5
36f8e82ec147bccb080c71fa0dcfcd21

SHA1
c18c661e3a772abdcaf8a971b3244fc19e4509e2

SHA256
90e81a9dd2cc283a14a5af89be573127373c7429bc02b0b9207f9d1ff4744eaa

SHA512
0f06f3ec8a0043373ed5ce161568e7f9171bc0657a8c43acdfa5cf94563d682c750bbf216e85eada80f51fd5fff2eebfba7b2c45d636bc340810ef147963de6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\psykwlf.vbs

MD5
de20e928a7ec55c74c9e759a3e38aecf

SHA1
0d8462eecee46ae9739443084f0f40efa619a414

SHA256
2d6afa5f017acae4e2eb79341a08324db870fa0668ba49c29f616d2afa489678

SHA512
569d599dbce2d570c6daaf3fa5e131cdb9716941f70c6246eb068647dfbf6aaf9bce4f17de0b231bdee288eb0c23ba2e2f09e1fa02054371124e4c80c85617e3

Download Submit
memory/1488-54-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1488-55-0x0000000001120000-0x00000000017E5000-memory.dmp

Filesize
6.8MB

Download
memory/1488-56-0x0000000001120000-0x00000000017E5000-memory.dmp

Filesize
6.8MB

Download
memory/1488-57-0x0000000001120000-0x00000000017E5000-memory.dmp

Filesize
6.8MB

Download
memory/1488-58-0x0000000077CD0000-0x0000000077CD2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads