a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2

Analysis

max time kernel
52s
max time network
61s
platform
windows10-1703_x64
resource
win10-20220718-en
resource tags

arch:x64arch:x86image:win10-20220718-enlocale:en-usos:windows10-1703-x64system
submitted
06-08-2022 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Size

6.4MB
MD5

fad7d228308a436ec1333458bfbc3304
SHA1

737066c152957fb0c0bdaf842b391ea72709f2b1
SHA256

a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2
SHA512

8df1e1b582f91b386a344725880fa6226958d9674a6dcefbc10ae1e42a51e3862e0cddb7ab7e7e0c057f8c44395252203acf749bd38ba9021dee78280cb35b54

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1824-134-0x0000000000400000-0x00000000015C8000-memory.dmp	themida
behavioral1/memory/1824-166-0x0000000000400000-0x00000000015C8000-memory.dmp	themida
behavioral1/memory/1824-167-0x0000000000400000-0x00000000015C8000-memory.dmp	themida
behavioral1/memory/1824-168-0x0000000000400000-0x00000000015C8000-memory.dmp	themida
behavioral1/memory/1824-186-0x0000000000400000-0x00000000015C8000-memory.dmp	themida
behavioral1/memory/1824-626-0x0000000000400000-0x00000000015C8000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe

pid process

1824 a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe

pid	process
1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe

description	pid	process
Token: SeDebugPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: 1	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeCreateTokenPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeAssignPrimaryTokenPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeLockMemoryPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeIncreaseQuotaPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeMachineAccountPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeTcbPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeSecurityPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeTakeOwnershipPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeLoadDriverPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeSystemProfilePrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeSystemtimePrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeProfSingleProcessPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeIncBasePriorityPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeCreatePagefilePrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeCreatePermanentPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeBackupPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeRestorePrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeShutdownPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeDebugPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeAuditPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeSystemEnvironmentPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeChangeNotifyPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeRemoteShutdownPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeUndockPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeSyncAgentPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeEnableDelegationPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeManageVolumePrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeImpersonatePrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: SeCreateGlobalPrivilege	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: 31	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: 32	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: 33	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: 34	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: 35	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: 36	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: 37	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: 38	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: 39	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: 40	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: 41	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: 42	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: 43	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: 44	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: 45	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: 46	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: 47	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
Token: 48	1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe

pid	process
1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
1824	a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe

C:\Users\Admin\AppData\Local\Temp\a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe
"C:\Users\Admin\AppData\Local\Temp\a595c8030679feabf73e25979ca486d9de798d5ba7303ca102f4eb5ca8f36da2.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1824-117-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-118-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-119-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-120-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-121-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-122-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-123-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-124-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-125-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-126-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-127-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-128-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-129-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-130-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-131-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-132-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-133-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-135-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-136-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-137-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-138-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-140-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-141-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-143-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-145-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-147-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-149-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-151-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-153-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-155-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-156-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-159-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-161-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-163-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-162-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-160-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-158-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-157-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-154-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-152-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-150-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-148-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-146-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-144-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-142-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-139-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-134-0x0000000000400000-0x00000000015C8000-memory.dmp

Filesize
17.8MB

Download
memory/1824-164-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-165-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-166-0x0000000000400000-0x00000000015C8000-memory.dmp

Filesize
17.8MB

Download
memory/1824-167-0x0000000000400000-0x00000000015C8000-memory.dmp

Filesize
17.8MB

Download
memory/1824-168-0x0000000000400000-0x00000000015C8000-memory.dmp

Filesize
17.8MB

Download
memory/1824-169-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-170-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-171-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-172-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-173-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1824-174-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1824-175-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1824-176-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1824-177-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1824-178-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1824-179-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1824-180-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1824-181-0x0000000000401000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1824-186-0x0000000000400000-0x00000000015C8000-memory.dmp

Filesize
17.8MB

Download
memory/1824-621-0x0000000007E50000-0x0000000007E8C000-memory.dmp

Filesize
240KB

Download
memory/1824-622-0x0000000008020000-0x00000000081B7000-memory.dmp

Filesize
1.6MB

Download
memory/1824-623-0x0000000007E90000-0x0000000007FD0000-memory.dmp

Filesize
1.2MB

Download
memory/1824-624-0x0000000007E90000-0x0000000007FD0000-memory.dmp

Filesize
1.2MB

Download
memory/1824-626-0x0000000000400000-0x00000000015C8000-memory.dmp

Filesize
17.8MB

Download
memory/1824-627-0x0000000007E90000-0x0000000007EDB000-memory.dmp

Filesize
300KB

Download