3f786bdb79bf519691bd9857cd423915f9ee2b251d604785f7228e06b6b35969

General

Target

GiftCard-Generator_SETUP.exe
Size

3.3MB
MD5

9e0728736c39c9aad664eaa7fadd1320
SHA1

268e1488c03755b9f2ed506c46c855001327a80d
SHA256

6895ceb670704f09844ef6c808a95510aabbe765362ff5cb98a7369d04fb27c9
SHA512

3e4179bb7ae411967a34ea2a81c76f29c89a82726f636dd2ce43383d97d94c22130f382a6ce76d5181239e154fd7439894989f0a806db45e2ed49cca77103948

Score

9^/10

evasion ransomware themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

GiftCard-Generator_SETUP.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ GiftCard-Generator_SETUP.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GiftCard-Generator_SETUP.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

GiftCard-Generator_SETUP.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\StepRead.tiff	GiftCard-Generator_SETUP.exe
File renamed	C:\Users\Admin\Pictures\StepRead.tiff => C:\Users\Admin\Pictures\StepRead.tiff.vFQmCsPMtrhyNPoWgMlSobg59PpKwM	GiftCard-Generator_SETUP.exe
File renamed	C:\Users\Admin\Pictures\SuspendEnable.tif => C:\Users\Admin\Pictures\SuspendEnable.tif.cUpegsqKkNlifgsPcyahwPMvvbg59PpKwM	GiftCard-Generator_SETUP.exe
File renamed	C:\Users\Admin\Pictures\CopyConvertTo.png => C:\Users\Admin\Pictures\CopyConvertTo.png.IHcFLFXcjoHlCFgLnUtPBSSmtYWbg59PpKwM	GiftCard-Generator_SETUP.exe
File renamed	C:\Users\Admin\Pictures\ExportDeny.png => C:\Users\Admin\Pictures\ExportDeny.png.gQApxldxUtwpeKqRrBtTSkuWAliObg59PpKwM	GiftCard-Generator_SETUP.exe
File renamed	C:\Users\Admin\Pictures\GetConfirm.png => C:\Users\Admin\Pictures\GetConfirm.png.OmLIhUrNsNrBHPSxeLQCbUQFdVVwbg59PpKwM	GiftCard-Generator_SETUP.exe
File renamed	C:\Users\Admin\Pictures\SendUnpublish.png => C:\Users\Admin\Pictures\SendUnpublish.png.FdjHyBLkcFRPTQhUUjHinTSvwbg59PpKwM	GiftCard-Generator_SETUP.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GiftCard-Generator_SETUP.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GiftCard-Generator_SETUP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GiftCard-Generator_SETUP.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1364-57-0x0000000000FB0000-0x00000000017E2000-memory.dmp	themida
behavioral1/memory/1364-58-0x0000000000FB0000-0x00000000017E2000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

GiftCard-Generator_SETUP.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GiftCard-Generator_SETUP.exe

Drops desktop.ini file(s) 38 IoCs

Processes:

GiftCard-Generator_SETUP.exe

description	ioc	process
File created	C:\Users\Admin\Favorites\Links\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Admin\Searches\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Admin\Videos\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Public\Music\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Public\Pictures\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Admin\Music\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Public\Music\Sample Music\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Public\Videos\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Admin\Desktop\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Admin\Downloads\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Public\Downloads\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Admin\Contacts\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Admin\Pictures\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Public\Documents\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Admin\Favorites\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Public\Libraries\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Admin\Links\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Public\Videos\Sample Videos\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Public\Desktop\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Public\Recorded TV\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Admin\Documents\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	GiftCard-Generator_SETUP.exe
File created	C:\Users\Public\desktop.ini	GiftCard-Generator_SETUP.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

GiftCard-Generator_SETUP.exe

pid process

1364 GiftCard-Generator_SETUP.exe

pid	process
1364	GiftCard-Generator_SETUP.exe

C:\Users\Admin\AppData\Local\Temp\GiftCard-Generator_SETUP.exe
"C:\Users\Admin\AppData\Local\Temp\GiftCard-Generator_SETUP.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Modifies extensions of user files
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Suspicious use of FindShellTrayWindow
PID:1364

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1364-54-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/1364-55-0x0000000000FB0000-0x00000000017E2000-memory.dmp

Filesize
8.2MB

Download
memory/1364-57-0x0000000000FB0000-0x00000000017E2000-memory.dmp

Filesize
8.2MB

Download
memory/1364-58-0x0000000000FB0000-0x00000000017E2000-memory.dmp

Filesize
8.2MB

Download
memory/1364-59-0x0000000005230000-0x00000000052E0000-memory.dmp

Filesize
704KB

Download
memory/1364-60-0x0000000004F15000-0x0000000004F26000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads