20ad6ebb675a70f37ad9e019108a818463b67174119641f160b2c7f39f35f8e3

Analysis

max time kernel
167s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2022 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AUTOKEY.exe
Size

6.5MB
MD5

68aebec982d6d6df5af8a0e66e0b1213
SHA1

44e42b332e9b65a431ca63941d372698c1f5b7d8
SHA256

20ad6ebb675a70f37ad9e019108a818463b67174119641f160b2c7f39f35f8e3
SHA512

5eda091a925b6f151cd2fb7619cd315782d2c16798f3b870a8d870e8aba72abd71a199feab8a700851198168a1b845012173ca47763fe80324233a544c792b1d

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

AUTOKEY.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ AUTOKEY.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AUTOKEY.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AUTOKEY.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AUTOKEY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AUTOKEY.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4744-132-0x0000000000400000-0x00000000015C9000-memory.dmp	themida
behavioral2/memory/4744-133-0x0000000000400000-0x00000000015C9000-memory.dmp	themida
behavioral2/memory/4744-134-0x0000000000400000-0x00000000015C9000-memory.dmp	themida
behavioral2/memory/4744-136-0x0000000000400000-0x00000000015C9000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

AUTOKEY.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA AUTOKEY.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

AUTOKEY.exe

pid process

4744 AUTOKEY.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AUTOKEY.exe

pid process

4744 AUTOKEY.exe
4744 AUTOKEY.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AUTOKEY.exe

pid	process
4744	AUTOKEY.exe

pid	process
4744	AUTOKEY.exe
4744	AUTOKEY.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

AUTOKEY.exe

description	pid	process
Token: SeDebugPrivilege	4744	AUTOKEY.exe
Token: 1	4744	AUTOKEY.exe
Token: SeCreateTokenPrivilege	4744	AUTOKEY.exe
Token: SeAssignPrimaryTokenPrivilege	4744	AUTOKEY.exe
Token: SeLockMemoryPrivilege	4744	AUTOKEY.exe
Token: SeIncreaseQuotaPrivilege	4744	AUTOKEY.exe
Token: SeMachineAccountPrivilege	4744	AUTOKEY.exe
Token: SeTcbPrivilege	4744	AUTOKEY.exe
Token: SeSecurityPrivilege	4744	AUTOKEY.exe
Token: SeTakeOwnershipPrivilege	4744	AUTOKEY.exe
Token: SeLoadDriverPrivilege	4744	AUTOKEY.exe
Token: SeSystemProfilePrivilege	4744	AUTOKEY.exe
Token: SeSystemtimePrivilege	4744	AUTOKEY.exe
Token: SeProfSingleProcessPrivilege	4744	AUTOKEY.exe
Token: SeIncBasePriorityPrivilege	4744	AUTOKEY.exe
Token: SeCreatePagefilePrivilege	4744	AUTOKEY.exe
Token: SeCreatePermanentPrivilege	4744	AUTOKEY.exe
Token: SeBackupPrivilege	4744	AUTOKEY.exe
Token: SeRestorePrivilege	4744	AUTOKEY.exe
Token: SeShutdownPrivilege	4744	AUTOKEY.exe
Token: SeDebugPrivilege	4744	AUTOKEY.exe
Token: SeAuditPrivilege	4744	AUTOKEY.exe
Token: SeSystemEnvironmentPrivilege	4744	AUTOKEY.exe
Token: SeChangeNotifyPrivilege	4744	AUTOKEY.exe
Token: SeRemoteShutdownPrivilege	4744	AUTOKEY.exe
Token: SeUndockPrivilege	4744	AUTOKEY.exe
Token: SeSyncAgentPrivilege	4744	AUTOKEY.exe
Token: SeEnableDelegationPrivilege	4744	AUTOKEY.exe
Token: SeManageVolumePrivilege	4744	AUTOKEY.exe
Token: SeImpersonatePrivilege	4744	AUTOKEY.exe
Token: SeCreateGlobalPrivilege	4744	AUTOKEY.exe
Token: 31	4744	AUTOKEY.exe
Token: 32	4744	AUTOKEY.exe
Token: 33	4744	AUTOKEY.exe
Token: 34	4744	AUTOKEY.exe
Token: 35	4744	AUTOKEY.exe
Token: 36	4744	AUTOKEY.exe
Token: 37	4744	AUTOKEY.exe
Token: 38	4744	AUTOKEY.exe
Token: 39	4744	AUTOKEY.exe
Token: 40	4744	AUTOKEY.exe
Token: 41	4744	AUTOKEY.exe
Token: 42	4744	AUTOKEY.exe
Token: 43	4744	AUTOKEY.exe
Token: 44	4744	AUTOKEY.exe
Token: 45	4744	AUTOKEY.exe
Token: 46	4744	AUTOKEY.exe
Token: 47	4744	AUTOKEY.exe
Token: 48	4744	AUTOKEY.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AUTOKEY.exe

pid process

4744 AUTOKEY.exe
4744 AUTOKEY.exe

pid	process
4744	AUTOKEY.exe
4744	AUTOKEY.exe

C:\Users\Admin\AppData\Local\Temp\AUTOKEY.exe
"C:\Users\Admin\AppData\Local\Temp\AUTOKEY.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4744-132-0x0000000000400000-0x00000000015C9000-memory.dmp

Filesize
17.8MB

Download
memory/4744-133-0x0000000000400000-0x00000000015C9000-memory.dmp

Filesize
17.8MB

Download
memory/4744-135-0x0000000077240000-0x00000000773E3000-memory.dmp

Filesize
1.6MB

Download
memory/4744-134-0x0000000000400000-0x00000000015C9000-memory.dmp

Filesize
17.8MB

Download
memory/4744-136-0x0000000000400000-0x00000000015C9000-memory.dmp

Filesize
17.8MB

Download
memory/4744-137-0x0000000077240000-0x00000000773E3000-memory.dmp

Filesize
1.6MB

Download
memory/4744-138-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-140-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-139-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-141-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-142-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-143-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-144-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-145-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-146-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-149-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-148-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-150-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-151-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-152-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-153-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-154-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-155-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-157-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-158-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-159-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-160-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-161-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-162-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-164-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-165-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-167-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-169-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-170-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-172-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-174-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-176-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-178-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-180-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-183-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-185-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-188-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-191-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-194-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-197-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-198-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-196-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-195-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-193-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-192-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-190-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-189-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-187-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-186-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-184-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-182-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-181-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-179-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-177-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-175-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-173-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-171-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-168-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-166-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-163-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-156-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-147-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/4744-558-0x0000000007AD0000-0x0000000007B0C000-memory.dmp

Filesize
240KB

Download
memory/4744-565-0x0000000007B10000-0x0000000007B5C000-memory.dmp

Filesize
304KB

Download
memory/4744-566-0x0000000001B80000-0x0000000001B9D000-memory.dmp

Filesize
116KB

Download
memory/4744-567-0x0000000007AD0000-0x0000000007B0C000-memory.dmp

Filesize
240KB

Download
memory/4744-568-0x0000000001B80000-0x0000000001B9D000-memory.dmp

Filesize
116KB

Download