3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21

Analysis

max time kernel
165s
max time network
168s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-07-2022 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.exe
Size

1.6MB
MD5

6a8e345d1d03a3f756161d6d8dfefbb3
SHA1

e363a41468963a0fe955faf70c3f77e5859020e5
SHA256

3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21
SHA512

d6e37360357e604d3f379f384861e1bad753f1abe4eeb07fb608a8dee4a7f06495886aab9fc5ff6f4666b78a3bc8fb767b6f6ef7860c55f5d432facc44d1df3f

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

clip.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ clip.exe
Executes dropped EXE 2 IoCs

Processes:

clip.execlip.exe

pid process

1520 clip.exe
1248 clip.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	clip.exe

pid	process
1520	clip.exe
1248	clip.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

clip.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	clip.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	clip.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\clip.exe	themida
C:\Users\Admin\AppData\Local\Temp\clip.exe	themida
behavioral2/memory/1520-195-0x0000000000D10000-0x000000000116F000-memory.dmp	themida
behavioral2/memory/1520-288-0x0000000000D10000-0x000000000116F000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\clip.exe	themida
behavioral2/memory/1248-452-0x0000000000D10000-0x000000000116F000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

clip.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA clip.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

clip.exe

pid process

1520 clip.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3820 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

clip.exe

pid process

1520 clip.exe
1520 clip.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	clip.exe

pid	process
1520	clip.exe

pid	process
3820	schtasks.exe

pid	process
1520	clip.exe
1520	clip.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.execlip.execlip.exe

description	pid	process	target process
PID 2088 wrote to memory of 1520	2088	3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.exe	clip.exe
PID 2088 wrote to memory of 1520	2088	3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.exe	clip.exe
PID 2088 wrote to memory of 1520	2088	3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1520 wrote to memory of 1248	1520	clip.exe	clip.exe
PID 1248 wrote to memory of 3820	1248	clip.exe	schtasks.exe
PID 1248 wrote to memory of 3820	1248	clip.exe	schtasks.exe
PID 1248 wrote to memory of 3820	1248	clip.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.exe
"C:\Users\Admin\AppData\Local\Temp\3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Users\Admin\AppData\Local\Temp\clip.exe
"C:\Users\Admin\AppData\Local\Temp\clip.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\clip.exe
C:\Users\Admin\AppData\Local\Temp\clip.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
4⤵
- Creates scheduled task(s)
PID:3820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\clip.exe
Filesize
1.5MB

MD5
bb4c351464c3b5c3a1206a414f7e3464

SHA1
9da01f3c740740d735cff9d98bf994b29950714b

SHA256
df95aed0e5012b89c906f5ce1643dd00819bcac40bb2e490ea97a00dad71b83d

SHA512
f779e3aa1bcd3bde36d56a00ab46af8f6e0477efdacbc3a73f72fa06c3ec9f1e7f3d1dcd1cfbfdc7c181ae1aa71a2f3fc3e26be6cb7006fbac24cad457a27242

Download Submit
C:\Users\Admin\AppData\Local\Temp\clip.exe
Filesize
1.5MB

MD5
bb4c351464c3b5c3a1206a414f7e3464

SHA1
9da01f3c740740d735cff9d98bf994b29950714b

SHA256
df95aed0e5012b89c906f5ce1643dd00819bcac40bb2e490ea97a00dad71b83d

SHA512
f779e3aa1bcd3bde36d56a00ab46af8f6e0477efdacbc3a73f72fa06c3ec9f1e7f3d1dcd1cfbfdc7c181ae1aa71a2f3fc3e26be6cb7006fbac24cad457a27242

Download Submit
C:\Users\Admin\AppData\Local\Temp\clip.exe
Filesize
1.5MB

MD5
bb4c351464c3b5c3a1206a414f7e3464

SHA1
9da01f3c740740d735cff9d98bf994b29950714b

SHA256
df95aed0e5012b89c906f5ce1643dd00819bcac40bb2e490ea97a00dad71b83d

SHA512
f779e3aa1bcd3bde36d56a00ab46af8f6e0477efdacbc3a73f72fa06c3ec9f1e7f3d1dcd1cfbfdc7c181ae1aa71a2f3fc3e26be6cb7006fbac24cad457a27242

Download Submit
memory/1248-453-0x0000000010410000-0x0000000010416000-memory.dmp

Filesize
24KB

Download
memory/1248-452-0x0000000000D10000-0x000000000116F000-memory.dmp

Filesize
4.4MB

Download
memory/1248-375-0x0000000000000000-mapping.dmp

Download
memory/1520-183-0x0000000000000000-mapping.dmp

Download
memory/1520-195-0x0000000000D10000-0x000000000116F000-memory.dmp

Filesize
4.4MB

Download
memory/1520-288-0x0000000000D10000-0x000000000116F000-memory.dmp

Filesize
4.4MB

Download
memory/2088-149-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-155-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-124-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-125-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-126-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-127-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-128-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-129-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-130-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-131-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-132-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-133-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-134-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-135-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-136-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-137-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-138-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-139-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-140-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-141-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-142-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-143-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-144-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-145-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-146-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-147-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-148-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-121-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-150-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-151-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-152-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-153-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-154-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-122-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-156-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-157-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-158-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-159-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-160-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-161-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-162-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-163-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-164-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-166-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-168-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-170-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-169-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-167-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-165-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-171-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-173-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-174-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-172-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-176-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-175-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-119-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-118-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-177-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-178-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-180-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-179-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-181-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-116-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-117-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/3820-433-0x0000000000000000-mapping.dmp

Download