f3360f4841b3f4ed6e6c7d42315248473002bcd4f7262db1c813d6074b50240e

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe
Size

3.0MB
MD5

c9bfd91a0597d00185737ce65a753be9
SHA1

2658367b5f88891d970392f153595fdb87bdec91
SHA256

f3360f4841b3f4ed6e6c7d42315248473002bcd4f7262db1c813d6074b50240e
SHA512

aa458b785e7f417fd07ee007f96bd290c526e1a4ed22d1cccd713179ec3f8ee2ff81303036c45a4a92b012b3094e06a773a79fad1b1dc9dd390e0711d5ee2236
SSDEEP

49152:axTtE+G757NEqpmvgIMwoUNZq2aLOed/zc7NLD5O7OpJwHMMvKIDYE+pERcPE645:ayFH0Zoywqeta15OapGsMDupERmEtVUQ

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
664	map.exe
1780	cmddd.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSRygfVfLYNvQGnlwvdjulDct\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\VSRygfVfLYNvQGnlwvdjulDct"	map.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe

Loads dropped DLL 2 IoCs

pid	Process
1800	cmd.exe
580	cmd.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1608-54-0x000000013F0C0000-0x000000013F90D000-memory.dmp	themida
behavioral1/memory/1608-68-0x000000013F0C0000-0x000000013F90D000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\cmddd.exe	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe
File created	C:\Windows\System32\Driver.sys	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe
File created	C:\Windows\System32\map.exe	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1608	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1780	cmddd.exe
1780	cmddd.exe
1780	cmddd.exe
1780	cmddd.exe
1780	cmddd.exe
1780	cmddd.exe
1780	cmddd.exe
1780	cmddd.exe
1780	cmddd.exe
1780	cmddd.exe
1780	cmddd.exe
1780	cmddd.exe
1780	cmddd.exe
1780	cmddd.exe
1780	cmddd.exe
1780	cmddd.exe
1780	cmddd.exe
1780	cmddd.exe
1780	cmddd.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	map.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	664	map.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1800	1608	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe	29
PID 1608 wrote to memory of 1800	1608	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe	29
PID 1608 wrote to memory of 1800	1608	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe	29
PID 1800 wrote to memory of 664	1800	cmd.exe	30
PID 1800 wrote to memory of 664	1800	cmd.exe	30
PID 1800 wrote to memory of 664	1800	cmd.exe	30
PID 1608 wrote to memory of 580	1608	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe	31
PID 1608 wrote to memory of 580	1608	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe	31
PID 1608 wrote to memory of 580	1608	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe	31
PID 580 wrote to memory of 1780	580	cmd.exe	32
PID 580 wrote to memory of 1780	580	cmd.exe	32
PID 580 wrote to memory of 1780	580	cmd.exe	32
PID 1780 wrote to memory of 1820	1780	cmddd.exe	33
PID 1780 wrote to memory of 1820	1780	cmddd.exe	33
PID 1780 wrote to memory of 1820	1780	cmddd.exe	33
PID 1780 wrote to memory of 1464	1780	cmddd.exe	34
PID 1780 wrote to memory of 1464	1780	cmddd.exe	34
PID 1780 wrote to memory of 1464	1780	cmddd.exe	34
PID 1780 wrote to memory of 1296	1780	cmddd.exe	35
PID 1780 wrote to memory of 1296	1780	cmddd.exe	35
PID 1780 wrote to memory of 1296	1780	cmddd.exe	35
PID 1780 wrote to memory of 972	1780	cmddd.exe	36
PID 1780 wrote to memory of 972	1780	cmddd.exe	36
PID 1780 wrote to memory of 972	1780	cmddd.exe	36
PID 1780 wrote to memory of 1184	1780	cmddd.exe	37
PID 1780 wrote to memory of 1184	1780	cmddd.exe	37
PID 1780 wrote to memory of 1184	1780	cmddd.exe	37
PID 1780 wrote to memory of 1148	1780	cmddd.exe	38
PID 1780 wrote to memory of 1148	1780	cmddd.exe	38
PID 1780 wrote to memory of 1148	1780	cmddd.exe	38
PID 1780 wrote to memory of 1280	1780	cmddd.exe	39
PID 1780 wrote to memory of 1280	1780	cmddd.exe	39
PID 1780 wrote to memory of 1280	1780	cmddd.exe	39
PID 1780 wrote to memory of 1616	1780	cmddd.exe	40
PID 1780 wrote to memory of 1616	1780	cmddd.exe	40
PID 1780 wrote to memory of 1616	1780	cmddd.exe	40
PID 1780 wrote to memory of 1968	1780	cmddd.exe	41
PID 1780 wrote to memory of 1968	1780	cmddd.exe	41
PID 1780 wrote to memory of 1968	1780	cmddd.exe	41
PID 1780 wrote to memory of 1812	1780	cmddd.exe	42
PID 1780 wrote to memory of 1812	1780	cmddd.exe	42
PID 1780 wrote to memory of 1812	1780	cmddd.exe	42
PID 1780 wrote to memory of 288	1780	cmddd.exe	43
PID 1780 wrote to memory of 288	1780	cmddd.exe	43
PID 1780 wrote to memory of 288	1780	cmddd.exe	43
PID 1780 wrote to memory of 2000	1780	cmddd.exe	44
PID 1780 wrote to memory of 2000	1780	cmddd.exe	44
PID 1780 wrote to memory of 2000	1780	cmddd.exe	44
PID 1780 wrote to memory of 1620	1780	cmddd.exe	45
PID 1780 wrote to memory of 1620	1780	cmddd.exe	45
PID 1780 wrote to memory of 1620	1780	cmddd.exe	45
PID 1780 wrote to memory of 1556	1780	cmddd.exe	46
PID 1780 wrote to memory of 1556	1780	cmddd.exe	46
PID 1780 wrote to memory of 1556	1780	cmddd.exe	46
PID 1780 wrote to memory of 1624	1780	cmddd.exe	47
PID 1780 wrote to memory of 1624	1780	cmddd.exe	47
PID 1780 wrote to memory of 1624	1780	cmddd.exe	47
PID 1780 wrote to memory of 1392	1780	cmddd.exe	48
PID 1780 wrote to memory of 1392	1780	cmddd.exe	48
PID 1780 wrote to memory of 1392	1780	cmddd.exe	48
PID 1780 wrote to memory of 1100	1780	cmddd.exe	49
PID 1780 wrote to memory of 1100	1780	cmddd.exe	49
PID 1780 wrote to memory of 1100	1780	cmddd.exe	49
PID 1780 wrote to memory of 1404	1780	cmddd.exe	50

C:\Users\Admin\AppData\Local\Temp\ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe
"C:\Users\Admin\AppData\Local\Temp\ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\map.exe C:\Windows\System32\Driver.sys
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\System32\map.exe
    C:\Windows\System32\map.exe C:\Windows\System32\Driver.sys
    3⤵
    - Executes dropped EXE
    - Sets service image path in registry
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmddd.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\System32\cmddd.exe
    C:\Windows\System32\cmddd.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\cmddd.exe

Filesize
244KB

MD5
d0330639eccb977654e6cb58ef5dd691

SHA1
26278a1a65e587dc1fb0c117bacaa1084a1c1221

SHA256
44591e400baa45e98832ba4706c1c55f5fe3b2cc86225d1ed0b30a92f125a941

SHA512
d684811d7ad2fb0e223574ab70ddc50ed1cee24564b81890d13d7457395c87a04d5937a2e11959e3c74c4f9a9fc6d94ac4a91ee673640c95884fbc8bfae54f29

Download Submit
C:\Windows\System32\cmddd.exe

Filesize
244KB

MD5
d0330639eccb977654e6cb58ef5dd691

SHA1
26278a1a65e587dc1fb0c117bacaa1084a1c1221

SHA256
44591e400baa45e98832ba4706c1c55f5fe3b2cc86225d1ed0b30a92f125a941

SHA512
d684811d7ad2fb0e223574ab70ddc50ed1cee24564b81890d13d7457395c87a04d5937a2e11959e3c74c4f9a9fc6d94ac4a91ee673640c95884fbc8bfae54f29

Download Submit
C:\Windows\System32\map.exe

Filesize
134KB

MD5
e1cbb6cc58f3ed1bc81f59bea5b1db3c

SHA1
a9ce68cc285c5794546adeddfbdefb4328151511

SHA256
60972c9864e6edb571f6d8cfa93853ff48c2c1e07f36f2b6ff0673dfbc4b010a

SHA512
660487d13692b13130c199f52b5713799349610df16a0287655947654d643162593382abc1ccb9e7e3a867377bc2aa239f0973dd0223276e12cc2b00d51f3950

Download Submit
\Windows\System32\cmddd.exe

Filesize
244KB

MD5
d0330639eccb977654e6cb58ef5dd691

SHA1
26278a1a65e587dc1fb0c117bacaa1084a1c1221

SHA256
44591e400baa45e98832ba4706c1c55f5fe3b2cc86225d1ed0b30a92f125a941

SHA512
d684811d7ad2fb0e223574ab70ddc50ed1cee24564b81890d13d7457395c87a04d5937a2e11959e3c74c4f9a9fc6d94ac4a91ee673640c95884fbc8bfae54f29

Download Submit
\Windows\System32\map.exe

Filesize
134KB

MD5
e1cbb6cc58f3ed1bc81f59bea5b1db3c

SHA1
a9ce68cc285c5794546adeddfbdefb4328151511

SHA256
60972c9864e6edb571f6d8cfa93853ff48c2c1e07f36f2b6ff0673dfbc4b010a

SHA512
660487d13692b13130c199f52b5713799349610df16a0287655947654d643162593382abc1ccb9e7e3a867377bc2aa239f0973dd0223276e12cc2b00d51f3950

Download Submit
memory/1608-68-0x000000013F0C0000-0x000000013F90D000-memory.dmp

Filesize
8.3MB

Download
memory/1608-69-0x00000000772A0000-0x0000000077449000-memory.dmp

Filesize
1.7MB

Download
memory/1608-54-0x000000013F0C0000-0x000000013F90D000-memory.dmp

Filesize
8.3MB

Download
memory/1608-56-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

Filesize
8KB

Download
memory/1608-55-0x00000000772A0000-0x0000000077449000-memory.dmp

Filesize
1.7MB

Download