bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b

General

Target

wevtutil.exe
Size

8.2MB
MD5

23150d8faa66ce23299e2c032b8fd62f
SHA1

26c7c604d01f784931a3a95f1efeb56bfe1aec69
SHA256

bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b
SHA512

17ae25cce526a5eb11202cc779f5d62fc45b14a4d547e2eb88694dc21c83fdb853731adfd7cb47fb3499f140ddedf61175415504a0c93cb2ed3b3f25e989f5e7
SSDEEP

196608:JzxikPsLoM1ZPdUYcoV1alsmMzU5tReoS+P6n:JzIkP7M1ZP64alnB5t5SF

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	wevtutil.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe

Executes dropped EXE 1 IoCs

pid	Process
1996	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wevtutil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wevtutil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe

Deletes itself 1 IoCs

pid	Process
2028	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1300	wevtutil.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1300-55-0x0000000000160000-0x00000000009A1000-memory.dmp	themida
behavioral1/memory/1300-56-0x0000000000160000-0x00000000009A1000-memory.dmp	themida
behavioral1/files/0x000a0000000122f3-64.dat	themida
behavioral1/files/0x000a0000000122f3-66.dat	themida
behavioral1/memory/1996-68-0x0000000001170000-0x00000000019B1000-memory.dmp	themida
behavioral1/memory/1996-70-0x0000000001170000-0x00000000019B1000-memory.dmp	themida
behavioral1/memory/1300-72-0x0000000000160000-0x00000000009A1000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wevtutil.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1804	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1576	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1300	wevtutil.exe
1300	wevtutil.exe
1300	wevtutil.exe
1300	wevtutil.exe
1300	wevtutil.exe
1996	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
1996	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
1996	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
1996	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
1996	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 1804	1300	wevtutil.exe	27
PID 1300 wrote to memory of 1804	1300	wevtutil.exe	27
PID 1300 wrote to memory of 1804	1300	wevtutil.exe	27
PID 1300 wrote to memory of 1804	1300	wevtutil.exe	27
PID 1300 wrote to memory of 1996	1300	wevtutil.exe	29
PID 1300 wrote to memory of 1996	1300	wevtutil.exe	29
PID 1300 wrote to memory of 1996	1300	wevtutil.exe	29
PID 1300 wrote to memory of 1996	1300	wevtutil.exe	29
PID 1300 wrote to memory of 2028	1300	wevtutil.exe	30
PID 1300 wrote to memory of 2028	1300	wevtutil.exe	30
PID 1300 wrote to memory of 2028	1300	wevtutil.exe	30
PID 1300 wrote to memory of 2028	1300	wevtutil.exe	30
PID 2028 wrote to memory of 880	2028	cmd.exe	32
PID 2028 wrote to memory of 880	2028	cmd.exe	32
PID 2028 wrote to memory of 880	2028	cmd.exe	32
PID 2028 wrote to memory of 880	2028	cmd.exe	32
PID 2028 wrote to memory of 1576	2028	cmd.exe	33
PID 2028 wrote to memory of 1576	2028	cmd.exe	33
PID 2028 wrote to memory of 1576	2028	cmd.exe	33
PID 2028 wrote to memory of 1576	2028	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\wevtutil.exe
"C:\Users\Admin\AppData\Local\Temp\wevtutil.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Dage qui podeta xesaxapo copib pab tiqu fixolol pok xowa niweke\migeyih quipaha xajiced banokora ririb bevirov kimatis.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1804
- C:\Users\Admin\Dage qui podeta xesaxapo copib pab tiqu fixolol pok xowa niweke\migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
  "C:\Users\Admin\Dage qui podeta xesaxapo copib pab tiqu fixolol pok xowa niweke\migeyih quipaha xajiced banokora ririb bevirov kimatis.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:1996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\wevtutil.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:880
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Dage qui podeta xesaxapo copib pab tiqu fixolol pok xowa niweke\migeyih quipaha xajiced banokora ririb bevirov kimatis.exe

Filesize
254.4MB

MD5
f0c49c9f8e31651069de489f6558a541

SHA1
17dee7c89478c26471e64d73bc14e3b16ee586d5

SHA256
2e0ad2a5d544b1ea793693bcfd77b4ecb4da82e4c80148f6623d8dec6dabd961

SHA512
f2d365205e2de03ea870789d197e2bb2635ad6776bbc640ccf021a30a1bd33e09da50b53cefd09d33bb93f16c174439c8825e5e25ba2aeb38eb0d8d06d45162f

Download Submit
\Users\Admin\Dage qui podeta xesaxapo copib pab tiqu fixolol pok xowa niweke\migeyih quipaha xajiced banokora ririb bevirov kimatis.exe

Filesize
249.5MB

MD5
2e7efc4d2e9cd90388e0c9324f2401dc

SHA1
31fdcd8878e2e985980b2bc354c26c3457b9990c

SHA256
10f9877c01b44d41933282e101e9fa90cf1cb29af6bca880012523cc39d31de8

SHA512
1f038a7c5ae26c4785eb714793d3c7a4cfe5ffd462d7648bd21ce4a6e4716f419a3221ee0e1aa87385419f0b03d53420827ed888109f34c1214f2b2af8671555

Download Submit
memory/1300-56-0x0000000000160000-0x00000000009A1000-memory.dmp

Filesize
8.3MB

Download
memory/1300-73-0x0000000002DA0000-0x0000000002F10000-memory.dmp

Filesize
1.4MB

Download
memory/1300-59-0x0000000002DA0000-0x0000000002F10000-memory.dmp

Filesize
1.4MB

Download
memory/1300-60-0x0000000002DA0000-0x0000000002F10000-memory.dmp

Filesize
1.4MB

Download
memory/1300-61-0x0000000002650000-0x0000000002D91000-memory.dmp

Filesize
7.3MB

Download
memory/1300-62-0x0000000002DA0000-0x0000000002F10000-memory.dmp

Filesize
1.4MB

Download
memory/1300-69-0x000000000D0D0000-0x000000000D911000-memory.dmp

Filesize
8.3MB

Download
memory/1300-55-0x0000000000160000-0x00000000009A1000-memory.dmp

Filesize
8.3MB

Download
memory/1300-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1300-72-0x0000000000160000-0x00000000009A1000-memory.dmp

Filesize
8.3MB

Download
memory/1300-58-0x0000000002650000-0x0000000002D91000-memory.dmp

Filesize
7.3MB

Download
memory/1300-57-0x0000000002650000-0x0000000002D91000-memory.dmp

Filesize
7.3MB

Download
memory/1996-70-0x0000000001170000-0x00000000019B1000-memory.dmp

Filesize
8.3MB

Download
memory/1996-68-0x0000000001170000-0x00000000019B1000-memory.dmp

Filesize
8.3MB

Download
memory/1996-76-0x0000000000960000-0x00000000010A1000-memory.dmp

Filesize
7.3MB

Download
memory/1996-77-0x0000000000960000-0x00000000010A1000-memory.dmp

Filesize
7.3MB

Download
memory/1996-78-0x0000000002DC0000-0x0000000002F30000-memory.dmp

Filesize
1.4MB

Download
memory/1996-79-0x0000000002DC0000-0x0000000002F30000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads