bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36

Analysis

max time kernel
164s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
19-03-2022 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
Size

24.0MB
MD5

320aa03413b0e294938db1deccfc314e
SHA1

14c2a2915801555144bf0664e1d90bde6f5cd8c0
SHA256

bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36
SHA512

e7c3362b4ac71db417658ca2fe801fab49b108fff34343e46883ebef5f401990a6adca95b608e9ed75a6ae83d165eaa0602bb174392f6c894d943cf633ec3de5

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/4196-142-0x0000000000160000-0x0000000001DF0000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4196	bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe

C:\Users\Admin\AppData\Local\Temp\bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe
"C:\Users\Admin\AppData\Local\Temp\bb0ecdccb3372022bdf71f0d75c76eb7ad8309a40ea1ef424ce6fdc5b71aba36.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/408-147-0x000002680A160000-0x000002680A170000-memory.dmp

Filesize
64KB

Download
memory/408-149-0x000002680A580000-0x000002680A584000-memory.dmp

Filesize
16KB

Download
memory/408-148-0x000002680A390000-0x000002680A3A0000-memory.dmp

Filesize
64KB

Download
memory/4196-145-0x00000000102C0000-0x0000000010864000-memory.dmp

Filesize
5.6MB

Download
memory/4196-133-0x0000000076820000-0x0000000076910000-memory.dmp

Filesize
960KB

Download
memory/4196-135-0x0000000076820000-0x0000000076910000-memory.dmp

Filesize
960KB

Download
memory/4196-137-0x0000000076820000-0x0000000076910000-memory.dmp

Filesize
960KB

Download
memory/4196-136-0x0000000076820000-0x0000000076910000-memory.dmp

Filesize
960KB

Download
memory/4196-138-0x0000000076EE0000-0x0000000077083000-memory.dmp

Filesize
1.6MB

Download
memory/4196-142-0x0000000000160000-0x0000000001DF0000-memory.dmp

Filesize
28.6MB

Download
memory/4196-143-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/4196-144-0x0000000006AF0000-0x0000000006AF1000-memory.dmp

Filesize
4KB

Download
memory/4196-130-0x0000000076820000-0x0000000076910000-memory.dmp

Filesize
960KB

Download
memory/4196-146-0x0000000008600000-0x0000000008692000-memory.dmp

Filesize
584KB

Download
memory/4196-134-0x0000000076820000-0x0000000076910000-memory.dmp

Filesize
960KB

Download
memory/4196-132-0x0000000076820000-0x0000000076910000-memory.dmp

Filesize
960KB

Download
memory/4196-131-0x0000000076820000-0x0000000076910000-memory.dmp

Filesize
960KB

Download
memory/4196-150-0x0000000006AF3000-0x0000000006AF5000-memory.dmp

Filesize
8KB

Download
memory/4196-151-0x00000000099E0000-0x0000000009A46000-memory.dmp

Filesize
408KB

Download
memory/4196-152-0x0000000006AF5000-0x0000000006AF6000-memory.dmp

Filesize
4KB

Download
memory/4196-153-0x0000000006AF6000-0x0000000006AF7000-memory.dmp

Filesize
4KB

Download
memory/4196-154-0x0000000006AF7000-0x0000000006AF8000-memory.dmp

Filesize
4KB

Download
memory/4196-155-0x0000000009FD0000-0x0000000009FDA000-memory.dmp

Filesize
40KB

Download
memory/4196-156-0x000000000D580000-0x000000000D5AE000-memory.dmp

Filesize
184KB

Download
memory/4196-157-0x000000000D5B0000-0x000000000D5E8000-memory.dmp

Filesize
224KB

Download
memory/4196-158-0x0000000006AF8000-0x0000000006AF9000-memory.dmp

Filesize
4KB

Download
memory/4196-159-0x0000000006AF9000-0x0000000006AFF000-memory.dmp

Filesize
24KB

Download