0425a05ec76c206a8f63014ba5448757e6a11249f2aeae2ae5b92e6588156e46

General

Target

exfilty.exe
Size

3.7MB
MD5

6c2add46386dbda1ac0ae2f6fda7aa75
SHA1

fd410794cea5ba3ec4d4bf34015e55a7808a43e8
SHA256

0425a05ec76c206a8f63014ba5448757e6a11249f2aeae2ae5b92e6588156e46
SHA512

f745e707e7bff8dd3bc48fbed8b6f26c430618d30a93e5f6ced7170956629c8d0aa2277efd6f640284da7c9d97aec5d52091a53c8053a812d02f4a54673a4ad4
SSDEEP

98304:pO/xf14Sko0+3hyNYLOn926VLrM7ipJBqo55C:UO0RxyNY6LrMKBqom

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	exfilty.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	exfilty.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	exfilty.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1928-54-0x000000013FC30000-0x0000000140615000-memory.dmp	themida
behavioral1/memory/1928-56-0x000000013FC30000-0x0000000140615000-memory.dmp	themida
behavioral1/memory/1928-58-0x000000013FC30000-0x0000000140615000-memory.dmp	themida
behavioral1/memory/1928-59-0x000000013FC30000-0x0000000140615000-memory.dmp	themida
behavioral1/memory/1928-67-0x000000013FC30000-0x0000000140615000-memory.dmp	themida
behavioral1/memory/1928-69-0x000000013FC30000-0x0000000140615000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	exfilty.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1928	exfilty.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1192	1928	exfilty.exe	27
PID 1928 wrote to memory of 1192	1928	exfilty.exe	27
PID 1928 wrote to memory of 1192	1928	exfilty.exe	27
PID 1192 wrote to memory of 616	1192	cmd.exe	28
PID 1192 wrote to memory of 616	1192	cmd.exe	28
PID 1192 wrote to memory of 616	1192	cmd.exe	28
PID 1192 wrote to memory of 1052	1192	cmd.exe	29
PID 1192 wrote to memory of 1052	1192	cmd.exe	29
PID 1192 wrote to memory of 1052	1192	cmd.exe	29
PID 1192 wrote to memory of 1080	1192	cmd.exe	30
PID 1192 wrote to memory of 1080	1192	cmd.exe	30
PID 1192 wrote to memory of 1080	1192	cmd.exe	30
PID 1928 wrote to memory of 944	1928	exfilty.exe	31
PID 1928 wrote to memory of 944	1928	exfilty.exe	31
PID 1928 wrote to memory of 944	1928	exfilty.exe	31
PID 1928 wrote to memory of 912	1928	exfilty.exe	32
PID 1928 wrote to memory of 912	1928	exfilty.exe	32
PID 1928 wrote to memory of 912	1928	exfilty.exe	32

C:\Users\Admin\AppData\Local\Temp\exfilty.exe
"C:\Users\Admin\AppData\Local\Temp\exfilty.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\exfilty.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\exfilty.exe" MD5
    3⤵
    PID:616
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:1052
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:1080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:/You Like man :laugh: >nul 2>&1
  2⤵
  PID:944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/616-64-0x00000000FFE41000-0x00000000FFE43000-memory.dmp

Filesize
8KB

Download
memory/1928-59-0x000000013FC30000-0x0000000140615000-memory.dmp

Filesize
9.9MB

Download
memory/1928-54-0x000000013FC30000-0x0000000140615000-memory.dmp

Filesize
9.9MB

Download
memory/1928-58-0x000000013FC30000-0x0000000140615000-memory.dmp

Filesize
9.9MB

Download
memory/1928-57-0x00000000778E0000-0x0000000077A89000-memory.dmp

Filesize
1.7MB

Download
memory/1928-56-0x000000013FC30000-0x0000000140615000-memory.dmp

Filesize
9.9MB

Download
memory/1928-67-0x000000013FC30000-0x0000000140615000-memory.dmp

Filesize
9.9MB

Download
memory/1928-68-0x00000000778E0000-0x0000000077A89000-memory.dmp

Filesize
1.7MB

Download
memory/1928-69-0x000000013FC30000-0x0000000140615000-memory.dmp

Filesize
9.9MB

Download
memory/1928-70-0x00000000778E0000-0x0000000077A89000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads