dcc4719dc84d5d3ced1d5fc6f3d72d841013b1ded7a70c345e95fcde4654837d

General

Target

f9q65e3u0rz00b5i6wyclll.exe
Size

884KB
MD5

4685811c853ceaebc991c3a8406694bf
SHA1

9cd382eb91bfea5782dd09f589a31b47c2c2b53e
SHA256

3242e0a736ef8ac90430a9f272ff30a81e2afc146fcb84a25c6e56e8192791e4
SHA512

a504fbca674f15d8964ebc6fac11d9431d700ca22736c00d5bb1e51551b0d2b9e4b2b6824bdf1a778111a0ba8d2601eada2f726b9ec7a9cfa5a53fd43c235b46
SSDEEP

12288:oo6hrwBWQ1Ow8yPcT3ZinffOqJaFLGRTY7c223KmZaQRDSGEi:oo6dwBTj9U1wffO7FLG5Y7K3KmZ0GEi

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f9q65e3u0rz00b5i6wyclll.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f9q65e3u0rz00b5i6wyclll.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f9q65e3u0rz00b5i6wyclll.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral3/memory/1980-55-0x0000000003190000-0x0000000004C11000-memory.dmp	themida
behavioral3/memory/1980-57-0x0000000003190000-0x0000000004C11000-memory.dmp	themida
behavioral3/memory/1980-58-0x0000000003190000-0x0000000004C11000-memory.dmp	themida
behavioral3/memory/1980-59-0x0000000003190000-0x0000000004C11000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f9q65e3u0rz00b5i6wyclll.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1980	f9q65e3u0rz00b5i6wyclll.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "No"	f9q65e3u0rz00b5i6wyclll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords = "No"	f9q65e3u0rz00b5i6wyclll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask = "No"	f9q65e3u0rz00b5i6wyclll.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1980	f9q65e3u0rz00b5i6wyclll.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe
1980	f9q65e3u0rz00b5i6wyclll.exe

C:\Users\Admin\AppData\Local\Temp\f9q65e3u0rz00b5i6wyclll.exe
"C:\Users\Admin\AppData\Local\Temp\f9q65e3u0rz00b5i6wyclll.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1980-54-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/1980-55-0x0000000003190000-0x0000000004C11000-memory.dmp

Filesize
26.5MB

Download
memory/1980-56-0x0000000077190000-0x0000000077310000-memory.dmp

Filesize
1.5MB

Download
memory/1980-57-0x0000000003190000-0x0000000004C11000-memory.dmp

Filesize
26.5MB

Download
memory/1980-58-0x0000000003190000-0x0000000004C11000-memory.dmp

Filesize
26.5MB

Download
memory/1980-59-0x0000000003190000-0x0000000004C11000-memory.dmp

Filesize
26.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads