aecee804a01353925fc1b8a5ef763d40373202e3b7015044960ac48314a83a35 | Triage

Submit
Reports

Overview

overview

Static

static

7

6bf5cf564b...0f.exe

windows10_x64

9

6bf5cf564b...0f.exe

windows10-2004_x64

Sharing

General

Target

4758876971499520.zip
Size

3.5MB
Sample

220217-ks2glaahb9
MD5

96e0ab7282e681d35a97bef511c66c72
SHA1

2b1e119c53e1bd088ea9c0c4278ef64fbbc98c81
SHA256

aecee804a01353925fc1b8a5ef763d40373202e3b7015044960ac48314a83a35
SHA512

4b0a11c649dae3bd2decefcf45c863ef588160a061c3a89502ce1a03429d1041560a709a3d62b614ee3833a15d3d3cd8be616ccede8c84691ad4d7d98585e905

Score

10^/10

evasion persistence themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

6bf5cf564b05de2da0d9c72b580bd28d2a9155294b786d24298cf39c61b7af0f.exe

Resource

win10-de-20211208

evasion themida trojan

windows10_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

6bf5cf564b05de2da0d9c72b580bd28d2a9155294b786d24298cf39c61b7af0f.exe

Resource

win10v2004-de-20220113

evasion persistence themida trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  6bf5cf564b05de2da0d9c72b580bd28d2a9155294b786d24298cf39c61b7af0f
- Size
  
  3.5MB
- MD5
  
  41b2cdd012ea904a08f614916dbd195c
- SHA1
  
  e21f8b66d66cd0f207b72bef5b84395f1c6c0df7
- SHA256
  
  6bf5cf564b05de2da0d9c72b580bd28d2a9155294b786d24298cf39c61b7af0f
- SHA512
  
  f90b232143abb25b99ed669a212fa6f0cb8c32d86b7b27f1e515ca08f69f5f88824d35316937baaec1c0705e9f9348f81c499c870037911dc6de92a3d75a6220
Score

10^/10

evasion themida trojan persistence
- Registers COM server for autorun
  persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Executes dropped EXE
- Sets file execution options in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionthemidatrojan

behavioral2

evasionpersistencethemidatrojan

© 2018-2024

Terms | Privacy