20ad6ebb675a70f37ad9e019108a818463b67174119641f160b2c7f39f35f8e3

Analysis

max time kernel
124s
max time network
44s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
31-07-2022 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AUTOKEY.exe
Size

6.5MB
MD5

68aebec982d6d6df5af8a0e66e0b1213
SHA1

44e42b332e9b65a431ca63941d372698c1f5b7d8
SHA256

20ad6ebb675a70f37ad9e019108a818463b67174119641f160b2c7f39f35f8e3
SHA512

5eda091a925b6f151cd2fb7619cd315782d2c16798f3b870a8d870e8aba72abd71a199feab8a700851198168a1b845012173ca47763fe80324233a544c792b1d

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

AUTOKEY.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ AUTOKEY.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AUTOKEY.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AUTOKEY.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AUTOKEY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AUTOKEY.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1524-54-0x0000000000400000-0x00000000015C9000-memory.dmp	themida
behavioral1/memory/1524-57-0x0000000000400000-0x00000000015C9000-memory.dmp	themida
behavioral1/memory/1524-58-0x0000000000400000-0x00000000015C9000-memory.dmp	themida
behavioral1/memory/1524-59-0x0000000000400000-0x00000000015C9000-memory.dmp	themida
behavioral1/memory/1524-60-0x0000000000400000-0x00000000015C9000-memory.dmp	themida
behavioral1/memory/1524-481-0x0000000000400000-0x00000000015C9000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

AUTOKEY.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA AUTOKEY.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

AUTOKEY.exe

pid process

1524 AUTOKEY.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AUTOKEY.exe

pid process

1524 AUTOKEY.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AUTOKEY.exe

pid	process
1524	AUTOKEY.exe

pid	process
1524	AUTOKEY.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

AUTOKEY.exe

description	pid	process
Token: SeDebugPrivilege	1524	AUTOKEY.exe
Token: 1	1524	AUTOKEY.exe
Token: SeCreateTokenPrivilege	1524	AUTOKEY.exe
Token: SeAssignPrimaryTokenPrivilege	1524	AUTOKEY.exe
Token: SeLockMemoryPrivilege	1524	AUTOKEY.exe
Token: SeIncreaseQuotaPrivilege	1524	AUTOKEY.exe
Token: SeMachineAccountPrivilege	1524	AUTOKEY.exe
Token: SeTcbPrivilege	1524	AUTOKEY.exe
Token: SeSecurityPrivilege	1524	AUTOKEY.exe
Token: SeTakeOwnershipPrivilege	1524	AUTOKEY.exe
Token: SeLoadDriverPrivilege	1524	AUTOKEY.exe
Token: SeSystemProfilePrivilege	1524	AUTOKEY.exe
Token: SeSystemtimePrivilege	1524	AUTOKEY.exe
Token: SeProfSingleProcessPrivilege	1524	AUTOKEY.exe
Token: SeIncBasePriorityPrivilege	1524	AUTOKEY.exe
Token: SeCreatePagefilePrivilege	1524	AUTOKEY.exe
Token: SeCreatePermanentPrivilege	1524	AUTOKEY.exe
Token: SeBackupPrivilege	1524	AUTOKEY.exe
Token: SeRestorePrivilege	1524	AUTOKEY.exe
Token: SeShutdownPrivilege	1524	AUTOKEY.exe
Token: SeDebugPrivilege	1524	AUTOKEY.exe
Token: SeAuditPrivilege	1524	AUTOKEY.exe
Token: SeSystemEnvironmentPrivilege	1524	AUTOKEY.exe
Token: SeChangeNotifyPrivilege	1524	AUTOKEY.exe
Token: SeRemoteShutdownPrivilege	1524	AUTOKEY.exe
Token: SeUndockPrivilege	1524	AUTOKEY.exe
Token: SeSyncAgentPrivilege	1524	AUTOKEY.exe
Token: SeEnableDelegationPrivilege	1524	AUTOKEY.exe
Token: SeManageVolumePrivilege	1524	AUTOKEY.exe
Token: SeImpersonatePrivilege	1524	AUTOKEY.exe
Token: SeCreateGlobalPrivilege	1524	AUTOKEY.exe
Token: 31	1524	AUTOKEY.exe
Token: 32	1524	AUTOKEY.exe
Token: 33	1524	AUTOKEY.exe
Token: 34	1524	AUTOKEY.exe
Token: 35	1524	AUTOKEY.exe
Token: 36	1524	AUTOKEY.exe
Token: 37	1524	AUTOKEY.exe
Token: 38	1524	AUTOKEY.exe
Token: 39	1524	AUTOKEY.exe
Token: 40	1524	AUTOKEY.exe
Token: 41	1524	AUTOKEY.exe
Token: 42	1524	AUTOKEY.exe
Token: 43	1524	AUTOKEY.exe
Token: 44	1524	AUTOKEY.exe
Token: 45	1524	AUTOKEY.exe
Token: 46	1524	AUTOKEY.exe
Token: 47	1524	AUTOKEY.exe
Token: 48	1524	AUTOKEY.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AUTOKEY.exe

pid process

1524 AUTOKEY.exe
1524 AUTOKEY.exe

pid	process
1524	AUTOKEY.exe
1524	AUTOKEY.exe

C:\Users\Admin\AppData\Local\Temp\AUTOKEY.exe
"C:\Users\Admin\AppData\Local\Temp\AUTOKEY.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1524

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1524-54-0x0000000000400000-0x00000000015C9000-memory.dmp

Filesize
17.8MB

Download
memory/1524-55-0x0000000076311000-0x0000000076313000-memory.dmp

Filesize
8KB

Download
memory/1524-56-0x0000000077D10000-0x0000000077E90000-memory.dmp

Filesize
1.5MB

Download
memory/1524-57-0x0000000000400000-0x00000000015C9000-memory.dmp

Filesize
17.8MB

Download
memory/1524-58-0x0000000000400000-0x00000000015C9000-memory.dmp

Filesize
17.8MB

Download
memory/1524-59-0x0000000000400000-0x00000000015C9000-memory.dmp

Filesize
17.8MB

Download
memory/1524-60-0x0000000000400000-0x00000000015C9000-memory.dmp

Filesize
17.8MB

Download
memory/1524-61-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-62-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-63-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-64-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-66-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-65-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-67-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-68-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-70-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-69-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-71-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-72-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-73-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-74-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-76-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-75-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-79-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-78-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-77-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-80-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-81-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-86-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-85-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-84-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-83-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-82-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-120-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-119-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-118-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-117-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-116-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-115-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-114-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-113-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-112-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-111-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-110-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-109-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-108-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-107-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-106-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-105-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-104-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-103-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-102-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-101-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-100-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-99-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-98-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-97-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-96-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-95-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-94-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-93-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-92-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-91-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-90-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-89-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-88-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-87-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1524-477-0x0000000003A00000-0x0000000003A3C000-memory.dmp

Filesize
240KB

Download
memory/1524-478-0x0000000004400000-0x0000000004501000-memory.dmp

Filesize
1.0MB

Download
memory/1524-479-0x0000000003A40000-0x0000000003A8C000-memory.dmp

Filesize
304KB

Download
memory/1524-480-0x0000000003110000-0x000000000312C000-memory.dmp

Filesize
112KB

Download
memory/1524-482-0x0000000077D10000-0x0000000077E90000-memory.dmp

Filesize
1.5MB

Download
memory/1524-481-0x0000000000400000-0x00000000015C9000-memory.dmp

Filesize
17.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads