25cc2c215100cf171977ad78e9875ddeda107eee38e3043ef135d833cccba6f0

General

Target

PourUP_FN.exe
Size

5.1MB
MD5

71b34d0a9d79207cf575e6ea8611dbb5
SHA1

837c8a8e57ce91a366431dbb0e3393577659c060
SHA256

25cc2c215100cf171977ad78e9875ddeda107eee38e3043ef135d833cccba6f0
SHA512

154b0fef843b08dc4d8c5f06a2b9223316dd6079c53da980c055afd99ff424053fed8d6fc5471cfd3400584f11feb83e94b3a669d95df48fd967f5cce2b9115b
SSDEEP

98304:G+d/S4SF29wP3cIwmcWK3hCIMlu8bb08qngKR88304+r2k6TCxQEANqQG:G6/S422VJWKJMYX8qgBgl+yk6rNqQ

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Bgixwfbsvurxpour up fn.exe

Executes dropped EXE 1 IoCs

pid	Process
592	Bgixwfbsvurxpour up fn.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Bgixwfbsvurxpour up fn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Bgixwfbsvurxpour up fn.exe

Loads dropped DLL 5 IoCs

pid	Process
1752	PourUP_FN.exe
1504	Process not Found
1044	WerFault.exe
1044	WerFault.exe
1044	WerFault.exe

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0008000000012701-62.dat	themida
behavioral1/files/0x0008000000012701-64.dat	themida
behavioral1/files/0x0008000000012701-65.dat	themida
behavioral1/files/0x0008000000012701-66.dat	themida
behavioral1/memory/592-68-0x000000013F970000-0x0000000140317000-memory.dmp	themida
behavioral1/memory/592-69-0x000000013F970000-0x0000000140317000-memory.dmp	themida
behavioral1/memory/592-71-0x000000013F970000-0x0000000140317000-memory.dmp	themida
behavioral1/memory/592-74-0x000000013F970000-0x0000000140317000-memory.dmp	themida
behavioral1/files/0x0008000000012701-84.dat	themida
behavioral1/files/0x0008000000012701-85.dat	themida
behavioral1/files/0x0008000000012701-89.dat	themida
behavioral1/memory/592-91-0x000000013F970000-0x0000000140317000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Upfoidgotl = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tsyeoxzsxt\\Upfoidgotl.exe\""	PourUP_FN.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Bgixwfbsvurxpour up fn.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
592	Bgixwfbsvurxpour up fn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 864	1752	PourUP_FN.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1044	592	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
892	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	PourUP_FN.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	864	PourUP_FN.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 892	1752	PourUP_FN.exe	28
PID 1752 wrote to memory of 892	1752	PourUP_FN.exe	28
PID 1752 wrote to memory of 892	1752	PourUP_FN.exe	28
PID 1752 wrote to memory of 892	1752	PourUP_FN.exe	28
PID 1752 wrote to memory of 592	1752	PourUP_FN.exe	30
PID 1752 wrote to memory of 592	1752	PourUP_FN.exe	30
PID 1752 wrote to memory of 592	1752	PourUP_FN.exe	30
PID 1752 wrote to memory of 592	1752	PourUP_FN.exe	30
PID 1752 wrote to memory of 864	1752	PourUP_FN.exe	32
PID 1752 wrote to memory of 864	1752	PourUP_FN.exe	32
PID 1752 wrote to memory of 864	1752	PourUP_FN.exe	32
PID 1752 wrote to memory of 864	1752	PourUP_FN.exe	32
PID 1752 wrote to memory of 864	1752	PourUP_FN.exe	32
PID 1752 wrote to memory of 864	1752	PourUP_FN.exe	32
PID 1752 wrote to memory of 864	1752	PourUP_FN.exe	32
PID 1752 wrote to memory of 864	1752	PourUP_FN.exe	32
PID 1752 wrote to memory of 864	1752	PourUP_FN.exe	32
PID 592 wrote to memory of 1044	592	Bgixwfbsvurxpour up fn.exe	33
PID 592 wrote to memory of 1044	592	Bgixwfbsvurxpour up fn.exe	33
PID 592 wrote to memory of 1044	592	Bgixwfbsvurxpour up fn.exe	33

C:\Users\Admin\AppData\Local\Temp\PourUP_FN.exe
"C:\Users\Admin\AppData\Local\Temp\PourUP_FN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Users\Admin\AppData\Local\Temp\Bgixwfbsvurxpour up fn.exe
  "C:\Users\Admin\AppData\Local\Temp\Bgixwfbsvurxpour up fn.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 592 -s 132
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1044
- C:\Users\Admin\AppData\Local\Temp\PourUP_FN.exe
  C:\Users\Admin\AppData\Local\Temp\PourUP_FN.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bgixwfbsvurxpour up fn.exe

Filesize
3.6MB

MD5
936a570175d4a33799e0fdee41eb72f3

SHA1
585bc47521ed509048495bfd0d96ae127c441506

SHA256
692e49606ef744af163c69bdb27042d4edd649d814916d6a0f0489237be20ddc

SHA512
048741efd5eb60402299efbfe525d5b78cbbc5f16d142b222debace83968821b3598f83883a5f408c0496c6e2fbf74b5bb13c12542595626abc2563be666e529

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bgixwfbsvurxpour up fn.exe

Filesize
3.6MB

MD5
936a570175d4a33799e0fdee41eb72f3

SHA1
585bc47521ed509048495bfd0d96ae127c441506

SHA256
692e49606ef744af163c69bdb27042d4edd649d814916d6a0f0489237be20ddc

SHA512
048741efd5eb60402299efbfe525d5b78cbbc5f16d142b222debace83968821b3598f83883a5f408c0496c6e2fbf74b5bb13c12542595626abc2563be666e529

Download Submit
\Users\Admin\AppData\Local\Temp\Bgixwfbsvurxpour up fn.exe

Filesize
3.6MB

MD5
936a570175d4a33799e0fdee41eb72f3

SHA1
585bc47521ed509048495bfd0d96ae127c441506

SHA256
692e49606ef744af163c69bdb27042d4edd649d814916d6a0f0489237be20ddc

SHA512
048741efd5eb60402299efbfe525d5b78cbbc5f16d142b222debace83968821b3598f83883a5f408c0496c6e2fbf74b5bb13c12542595626abc2563be666e529

Download Submit
\Users\Admin\AppData\Local\Temp\Bgixwfbsvurxpour up fn.exe

Filesize
3.6MB

MD5
936a570175d4a33799e0fdee41eb72f3

SHA1
585bc47521ed509048495bfd0d96ae127c441506

SHA256
692e49606ef744af163c69bdb27042d4edd649d814916d6a0f0489237be20ddc

SHA512
048741efd5eb60402299efbfe525d5b78cbbc5f16d142b222debace83968821b3598f83883a5f408c0496c6e2fbf74b5bb13c12542595626abc2563be666e529

Download Submit
\Users\Admin\AppData\Local\Temp\Bgixwfbsvurxpour up fn.exe

Filesize
3.6MB

MD5
936a570175d4a33799e0fdee41eb72f3

SHA1
585bc47521ed509048495bfd0d96ae127c441506

SHA256
692e49606ef744af163c69bdb27042d4edd649d814916d6a0f0489237be20ddc

SHA512
048741efd5eb60402299efbfe525d5b78cbbc5f16d142b222debace83968821b3598f83883a5f408c0496c6e2fbf74b5bb13c12542595626abc2563be666e529

Download Submit
\Users\Admin\AppData\Local\Temp\Bgixwfbsvurxpour up fn.exe

Filesize
3.6MB

MD5
936a570175d4a33799e0fdee41eb72f3

SHA1
585bc47521ed509048495bfd0d96ae127c441506

SHA256
692e49606ef744af163c69bdb27042d4edd649d814916d6a0f0489237be20ddc

SHA512
048741efd5eb60402299efbfe525d5b78cbbc5f16d142b222debace83968821b3598f83883a5f408c0496c6e2fbf74b5bb13c12542595626abc2563be666e529

Download Submit
\Users\Admin\AppData\Local\Temp\Bgixwfbsvurxpour up fn.exe

Filesize
3.6MB

MD5
936a570175d4a33799e0fdee41eb72f3

SHA1
585bc47521ed509048495bfd0d96ae127c441506

SHA256
692e49606ef744af163c69bdb27042d4edd649d814916d6a0f0489237be20ddc

SHA512
048741efd5eb60402299efbfe525d5b78cbbc5f16d142b222debace83968821b3598f83883a5f408c0496c6e2fbf74b5bb13c12542595626abc2563be666e529

Download Submit
memory/592-74-0x000000013F970000-0x0000000140317000-memory.dmp

Filesize
9.7MB

Download
memory/592-71-0x000000013F970000-0x0000000140317000-memory.dmp

Filesize
9.7MB

Download
memory/592-80-0x0000000076F70000-0x0000000077119000-memory.dmp

Filesize
1.7MB

Download
memory/592-68-0x000000013F970000-0x0000000140317000-memory.dmp

Filesize
9.7MB

Download
memory/592-91-0x000000013F970000-0x0000000140317000-memory.dmp

Filesize
9.7MB

Download
memory/592-69-0x000000013F970000-0x0000000140317000-memory.dmp

Filesize
9.7MB

Download
memory/864-72-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/864-88-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/864-87-0x00000000005D0000-0x0000000000666000-memory.dmp

Filesize
600KB

Download
memory/864-70-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/864-86-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/864-76-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/864-77-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/864-75-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/864-82-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/892-58-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/892-59-0x000000006E4D0000-0x000000006EA7B000-memory.dmp

Filesize
5.7MB

Download
memory/892-60-0x000000006E4D0000-0x000000006EA7B000-memory.dmp

Filesize
5.7MB

Download
memory/892-61-0x000000006E4D0000-0x000000006EA7B000-memory.dmp

Filesize
5.7MB

Download
memory/1752-67-0x0000000007D30000-0x00000000086D7000-memory.dmp

Filesize
9.7MB

Download
memory/1752-54-0x0000000000B90000-0x00000000010B8000-memory.dmp

Filesize
5.2MB

Download
memory/1752-56-0x0000000006760000-0x00000000067F2000-memory.dmp

Filesize
584KB

Download
memory/1752-55-0x0000000004DC0000-0x00000000052E6000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads