90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55

General

Target

90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55.exe
Size

11.3MB
MD5

887e53dc57a745f38ca65b7903b7cdf2
SHA1

740f0342071b35ba9294eeede68b12e0813f4ae8
SHA256

90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55
SHA512

fac046f58092142aa4724c83f809b8b982e3148e62a12d75691538f2fba8a02723de02c459e1de644ea67ed31fc3d1316b12f60a78deae2a3a133e758a0cdf78
SSDEEP

196608:TkcPGIv5ZalP62EZfQwqOGYb49X+uGTA9EiR:gMDvalPbExQYw9X+ugt

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WindowsPaint-Ver7.1.9.8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55.exe

Executes dropped EXE 1 IoCs

pid	Process
4444	WindowsPaint-Ver7.1.9.8.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WindowsPaint-Ver7.1.9.8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WindowsPaint-Ver7.1.9.8.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2004	icacls.exe
2080	icacls.exe
1980	icacls.exe

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/3516-116-0x00007FF74EA00000-0x00007FF74F561800-memory.dmp	themida
behavioral1/memory/3516-117-0x00007FF74EA00000-0x00007FF74F561800-memory.dmp	themida
behavioral1/memory/3516-118-0x00007FF74EA00000-0x00007FF74F561800-memory.dmp	themida
behavioral1/memory/3516-120-0x00007FF74EA00000-0x00007FF74F561800-memory.dmp	themida
behavioral1/files/0x000700000001ac1e-124.dat	themida
behavioral1/memory/3516-125-0x00007FF74EA00000-0x00007FF74F561800-memory.dmp	themida
behavioral1/files/0x000700000001ac1e-126.dat	themida
behavioral1/memory/4444-127-0x00007FF76A290000-0x00007FF76ADF1800-memory.dmp	themida
behavioral1/memory/4444-128-0x00007FF76A290000-0x00007FF76ADF1800-memory.dmp	themida
behavioral1/memory/4444-129-0x00007FF76A290000-0x00007FF76ADF1800-memory.dmp	themida
behavioral1/memory/4444-130-0x00007FF76A290000-0x00007FF76ADF1800-memory.dmp	themida
behavioral1/memory/4444-131-0x00007FF76A290000-0x00007FF76ADF1800-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsPaint-Ver7.1.9.8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3516	90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55.exe
3516	90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55.exe
4444	WindowsPaint-Ver7.1.9.8.exe
4444	WindowsPaint-Ver7.1.9.8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3516	90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55.exe
3516	90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55.exe
4444	WindowsPaint-Ver7.1.9.8.exe
4444	WindowsPaint-Ver7.1.9.8.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 4612	3516	90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55.exe	67
PID 3516 wrote to memory of 4612	3516	90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55.exe	67
PID 3516 wrote to memory of 2004	3516	90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55.exe	69
PID 3516 wrote to memory of 2004	3516	90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55.exe	69
PID 3516 wrote to memory of 2080	3516	90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55.exe	71
PID 3516 wrote to memory of 2080	3516	90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55.exe	71
PID 3516 wrote to memory of 1980	3516	90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55.exe	73
PID 3516 wrote to memory of 1980	3516	90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55.exe	73

C:\Users\Admin\AppData\Local\Temp\90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55.exe
"C:\Users\Admin\AppData\Local\Temp\90a8ef4d217da5abca1b42622c79c61d6007783c5e5bfaf6c4b3ce8d3bb3fa55.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /CREATE /TN "Windows\IntelComputingTooIklt\IntelPaint7.1.9.8." /TR "C:\ProgramData\MslBooster\WindowsPaint-Ver7.1.9.8.exe" /SC MINUTE
  2⤵
  - Creates scheduled task(s)
  PID:4612
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\ProgramData\MslBooster" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
  2⤵
  - Modifies file permissions
  PID:2004
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\ProgramData\MslBooster" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
  2⤵
  - Modifies file permissions
  PID:2080
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\ProgramData\MslBooster" /inheritance:e /deny "admin:(R,REA,RA,RD)"
  2⤵
  - Modifies file permissions
  PID:1980

C:\ProgramData\MslBooster\WindowsPaint-Ver7.1.9.8.exe
C:\ProgramData\MslBooster\WindowsPaint-Ver7.1.9.8.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MslBooster\WindowsPaint-Ver7.1.9.8.exe

Filesize
1109.0MB

MD5
459aa5be5d1d459c7ce098d39f73454d

SHA1
faeda0f99b9eb19524eced0143609c0d8d698ade

SHA256
44a67f2c20ee790b209e98b2dab53ecc7e0faa304603a73ceab098d5bf0092b5

SHA512
553dbcd79de837f042c48123d14eda94a36d1bb0d3773438043a078ca3d6f05a0d3cb278c65d0cff94e5471779872c82d8a35ebbe30dd2a895a6c71ab2449771

Download Submit
C:\ProgramData\MslBooster\WindowsPaint-Ver7.1.9.8.exe

Filesize
962.6MB

MD5
d0a1ff58450b027fe4e17e7f8e58b573

SHA1
3055133a630288d15b227d5d71ae7615fdd1f772

SHA256
e8bfd32790cfc83e17860fb8160d96e8625d5f5bafd331b03f3714051b87aaaf

SHA512
9b9d5a43f120ec78192794cc807d7da096a1a4c5edb611a2e94c0f1b79d09238a66bc568b98cf81c65ff1b872c5743436aa9f585e931911b74aa06d866fef5f7

Download Submit
memory/1980-123-0x0000000000000000-mapping.dmp

Download
memory/2004-121-0x0000000000000000-mapping.dmp

Download
memory/2080-122-0x0000000000000000-mapping.dmp

Download
memory/3516-120-0x00007FF74EA00000-0x00007FF74F561800-memory.dmp

Filesize
11.4MB

Download
memory/3516-116-0x00007FF74EA00000-0x00007FF74F561800-memory.dmp

Filesize
11.4MB

Download
memory/3516-118-0x00007FF74EA00000-0x00007FF74F561800-memory.dmp

Filesize
11.4MB

Download
memory/3516-125-0x00007FF74EA00000-0x00007FF74F561800-memory.dmp

Filesize
11.4MB

Download
memory/3516-117-0x00007FF74EA00000-0x00007FF74F561800-memory.dmp

Filesize
11.4MB

Download
memory/4444-127-0x00007FF76A290000-0x00007FF76ADF1800-memory.dmp

Filesize
11.4MB

Download
memory/4444-128-0x00007FF76A290000-0x00007FF76ADF1800-memory.dmp

Filesize
11.4MB

Download
memory/4444-129-0x00007FF76A290000-0x00007FF76ADF1800-memory.dmp

Filesize
11.4MB

Download
memory/4444-130-0x00007FF76A290000-0x00007FF76ADF1800-memory.dmp

Filesize
11.4MB

Download
memory/4444-131-0x00007FF76A290000-0x00007FF76ADF1800-memory.dmp

Filesize
11.4MB

Download
memory/4612-119-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads