systembc | 715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac

Virtualization/Sandbox Evasion

T1497

Processes:

715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exeDllResource.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DllResource.exe

Executes dropped EXE 1 IoCs

Processes:

DllResource.exe

pid process

4208 DllResource.exe

pid	process
4208	DllResource.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

DllResource.exe715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DllResource.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DllResource.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/5044-132-0x0000000000400000-0x0000000001022000-memory.dmp	themida
behavioral1/memory/5044-136-0x0000000000400000-0x0000000001022000-memory.dmp	themida
C:\Users\Admin\TypeRes\DllResource.exe	themida
C:\Users\Admin\TypeRes\DllResource.exe	themida
behavioral1/memory/5044-146-0x0000000000400000-0x0000000001022000-memory.dmp	themida
behavioral1/memory/4208-151-0x0000000000400000-0x0000000001022000-memory.dmp	themida
behavioral1/memory/4208-155-0x0000000000400000-0x0000000001022000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exeDllResource.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DllResource.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exeDllResource.exe

pid process

5044 715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe
4208 DllResource.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2504 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2552 PING.EXE

pid	process
2504	schtasks.exe

pid	process
2552	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exeDllResource.exe

pid	process
5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe
5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe
5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe
5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe
5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe
5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe
5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe
5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe
5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe
5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe
5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe
5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe
4208	DllResource.exe
4208	DllResource.exe
4208	DllResource.exe
4208	DllResource.exe
4208	DllResource.exe
4208	DllResource.exe
4208	DllResource.exe
4208	DllResource.exe
4208	DllResource.exe
4208	DllResource.exe
4208	DllResource.exe
4208	DllResource.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.execmd.exe

description	pid	process	target process
PID 5044 wrote to memory of 2504	5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe	schtasks.exe
PID 5044 wrote to memory of 2504	5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe	schtasks.exe
PID 5044 wrote to memory of 2504	5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe	schtasks.exe
PID 5044 wrote to memory of 4208	5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe	DllResource.exe
PID 5044 wrote to memory of 4208	5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe	DllResource.exe
PID 5044 wrote to memory of 4208	5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe	DllResource.exe
PID 5044 wrote to memory of 3180	5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe	cmd.exe
PID 5044 wrote to memory of 3180	5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe	cmd.exe
PID 5044 wrote to memory of 3180	5044	715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe	cmd.exe
PID 3180 wrote to memory of 220	3180	cmd.exe	chcp.com
PID 3180 wrote to memory of 220	3180	cmd.exe	chcp.com
PID 3180 wrote to memory of 220	3180	cmd.exe	chcp.com
PID 3180 wrote to memory of 2552	3180	cmd.exe	PING.EXE
PID 3180 wrote to memory of 2552	3180	cmd.exe	PING.EXE
PID 3180 wrote to memory of 2552	3180	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe
"C:\Users\Admin\AppData\Local\Temp\715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\TypeRes\DllResource.exe"
2⤵
- Creates scheduled task(s)
PID:2504

C:\Users\Admin\TypeRes\DllResource.exe
"C:\Users\Admin\TypeRes\DllResource.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\715a725a1a6ae5c7d3437b0c2914afef7d585aafa068e2d2e9331826000e1bac.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:220

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

3

Virtualization/Sandbox Evasion

T1497

System Information Discovery

4

Remote System Discovery