Malware Analysis Report

2025-08-05 17:24

Sample ID 221031-2t11wsdhf2
Target 20.zip
SHA256 44a6389937c8a2dcbadfb5d04829a2c36fbcc27b37ddc9719847801222d0cce5
Tags themida evasion trojan
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 9/10

SHA256 44a6389937c8a2dcbadfb5d04829a2c36fbcc27b37ddc9719847801222d0cce5

Threat Level: Likely malicious

The file 20.zip was found to be: Likely malicious.

Malicious Activity Summary

themida evasion trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Looks up external IP address via web service

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-10-31 22:53

Signatures

Themida packer

Tags themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-10-31 22:53

Reported 2022-10-31 23:06

Platform win10-20220812-es

Max time kernel 719s

Max time network 623s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\20.zip

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A
N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A

Themida packer

Tags themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (same row repeated 16 times)

Checks whether UAC is enabled

Tags evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A
N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A

Modifies Internet Explorer settings

Tags adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords = "No" | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask = "No" | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "No" | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords = "No" | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask = "No" | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "No" | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A
N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A (same row repeated 64 times)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\20.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\" -an -ai#7zMap26490:66:7zEvent18462

C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe

"C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.ahk

C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe

C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.ahk

Network

Country | Destination | Domain | Proto
US | 20.42.73.25:443 | N/A | tcp
NL | 8.248.3.254:80 | N/A | tcp
US | 8.8.8.8:53 | ipinfo.io | udp
US | 34.117.59.81:80 | ipinfo.io | tcp
US | 8.8.8.8:53 | titiopatas4599.hopto.org | udp
US | 137.184.158.185:80 | titiopatas4599.hopto.org | tcp
US | 34.117.59.81:80 | ipinfo.io | tcp
US | 137.184.158.185:80 | titiopatas4599.hopto.org | tcp

Files

C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe

MD5 03c469798bf1827d989f09f346ce95f7
SHA1 05e491bc1b8fbfbfdca24b565f2464137f30691e
SHA256 de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a
SHA512 d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.ahk

MD5 9882ec7fce0f08d20e7138aeffb11aca
SHA1 ccdc032eabac74359032e4f418075bcd13e9781d
SHA256 851dc30759f774cda21fdbdc06a3f782097ef464c488f8aa5a23e301142e042c
SHA512 f5cbdd6ad3884ba20f83312720752fb2dc6a09aeffd4408d0b133ffe87616cffb0e5cbd1f3317524f2440ad41b3cc3b98c836263accad12ac1f72a924c238ca3

C:\Users\Admin\Documents\bgdwubmodm.xqg

MD5 186b119d39e666a41a602ff6c9605b70
SHA1 99599a7c7620265b9e30dc1b7028b34ec274464c
SHA256 3da15b7582aa2e324d7e8a18ca4610fb20f69985b09f1c1490e6a99dcde6e305
SHA512 be22de499169903b83d6c3c44c6368bda91de8ab636c331424e99cbe01b38cf593a08e293c5f57ab4a4fde9f2a032deef5d94c6664014f02f71a948af5e3ab75

Analysis: behavioral2

Detonation Overview

Submitted 2022-10-31 22:53

Reported 2022-10-31 23:06

Platform win10v2004-20220812-es

Max time kernel 712s

Max time network 515s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\20.zip

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A
N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A

Themida packer

Tags themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (same row repeated 15 times)

Checks whether UAC is enabled

Tags evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A

Modifies Internet Explorer settings

Tags adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "No" | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FormSuggest Passwords = "No" | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FormSuggest PW Ask = "No" | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe | N/A (same row repeated 64 times)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\20.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\" -an -ai#7zMap8665:66:7zEvent1725

C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe

"C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe"

C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe

"C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe"

C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe

"C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe"

C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe

"C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe"

Network

Country | Destination | Domain | Proto
US | 93.184.220.29:80 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
US | 20.189.173.1:443 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
US | 93.184.220.29:80 | N/A | tcp
US | 8.8.8.8:53 | ipinfo.io | udp
US | 34.117.59.81:80 | ipinfo.io | tcp
US | 8.8.8.8:53 | titiopatas4599.hopto.org | udp
US | 137.184.158.185:80 | titiopatas4599.hopto.org | tcp

Files

C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.exe

MD5 03c469798bf1827d989f09f346ce95f7
SHA1 05e491bc1b8fbfbfdca24b565f2464137f30691e
SHA256 de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a
SHA512 d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.ahk

MD5 186b119d39e666a41a602ff6c9605b70
SHA1 99599a7c7620265b9e30dc1b7028b34ec274464c
SHA256 3da15b7582aa2e324d7e8a18ca4610fb20f69985b09f1c1490e6a99dcde6e305
SHA512 be22de499169903b83d6c3c44c6368bda91de8ab636c331424e99cbe01b38cf593a08e293c5f57ab4a4fde9f2a032deef5d94c6664014f02f71a948af5e3ab75

C:\Users\Admin\Documents\l4jb9w049j00h704k2exk46qooo.ahk

MD5 9882ec7fce0f08d20e7138aeffb11aca
SHA1 ccdc032eabac74359032e4f418075bcd13e9781d
SHA256 851dc30759f774cda21fdbdc06a3f782097ef464c488f8aa5a23e301142e042c
SHA512 f5cbdd6ad3884ba20f83312720752fb2dc6a09aeffd4408d0b133ffe87616cffb0e5cbd1f3317524f2440ad41b3cc3b98c836263accad12ac1f72a924c238ca3

C:\Users\Admin\Documents\bgdwubmodm.xqg

MD5 186b119d39e666a41a602ff6c9605b70
SHA1 99599a7c7620265b9e30dc1b7028b34ec274464c
SHA256 3da15b7582aa2e324d7e8a18ca4610fb20f69985b09f1c1490e6a99dcde6e305
SHA512 be22de499169903b83d6c3c44c6368bda91de8ab636c331424e99cbe01b38cf593a08e293c5f57ab4a4fde9f2a032deef5d94c6664014f02f71a948af5e3ab75
