e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c

Analysis

max time kernel
41s
max time network
105s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
02-08-2022 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe
Size

5.7MB
MD5

840a3679e1935d3cae1e5eff9ba0ccee
SHA1

349d7eb53e524c3512c9b75fdd28f2dd3aa22af6
SHA256

e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c
SHA512

6ce353a6f5c089916e3c2d9587055b9161b282da9cf71be402d3476959632df1945b11ce5113a13521f179b56f9448308edae2e88c0754736a2275b82303b584

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe

Loads dropped DLL 2 IoCs

Processes:

e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe

pid	process
1332	e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe
1332	e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1332-55-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral1/memory/1332-56-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral1/memory/1332-58-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral1/memory/1332-60-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral1/memory/1332-61-0x0000000000400000-0x0000000000A13000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe
"C:\Users\Admin\AppData\Local\Temp\e5455a119f593253845eeec889045b9ae2d9a7cbbb016d2a2ddf2dee1db9b88c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nstFA0A.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nstFA0A.tmp\xml.dll
Filesize
1.4MB

MD5
344a3eccd7312bf880de26de35548cdf

SHA1
5b32e373e2471f9cda003ef6bdb797a6145984eb

SHA256
b86f5d992123abdc592cc9f7703aeaaefd73e7d977899647453b8d203e1ac1bc

SHA512
c8c3c100eb0b1daa830328ab54d56c295373ef0866bcec4b799a101e280fabac5779c9356d56baa80986ccb74581cfb9116828895efb7cfff115edea291e69bc

Download Submit
memory/1332-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/1332-55-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/1332-56-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/1332-58-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/1332-60-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/1332-61-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download