Analysis

  • max time kernel
    51s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-01-2023 12:00

General

  • Target

    tmp.exe

  • Size

    3.7MB

  • MD5

    92869e94c71833c72b431746f234df5d

  • SHA1

    ba100de55cb7b04a6e39e391942b28a31bd3bd00

  • SHA256

    67cfdfdb26f8a2ad408fa8e56b8871bbf4657657ef0c263856edaf129378df18

  • SHA512

    12add3273ca7e14763f46f90b94c90f7be524d117b657784b6a87f928615a251193de1401be42bdd06c4af3192ce270d8ec766aaf9cbc9e9733e2c371d059f80

  • SSDEEP

    98304:1C6bC1J7itJ72IsqMjUB/ynP24vUvO1ReneFnZ2+n+WOYtGQk:xkAKPRgo9cQk

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Modifies file permissions 1 TTPs 3 IoCs
  • Themida packer 10 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    PID:1076
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /CREATE /TN "Windows\IntelComputingTooIklt\IntelPaint2.9.1.0." /TR "C:\ProgramData\MsiBoost\WindowsPaint-Ver2.9.1.0.exe" /SC MINUTE
      2⤵
      • Creates scheduled task(s)
      PID:1672
    • C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\MsiBoost" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
      2⤵
      • Modifies file permissions
      PID:1792
    • C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\MsiBoost" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
      2⤵
      • Modifies file permissions
      PID:996
    • C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\MsiBoost" /inheritance:e /deny "admin:(R,REA,RA,RD)"
      2⤵
      • Modifies file permissions
      PID:904
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {72FF6399-B648-47F4-BEA4-6F9A6C0A67B9} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:660
    • C:\ProgramData\MsiBoost\WindowsPaint-Ver2.9.1.0.exe
      C:\ProgramData\MsiBoost\WindowsPaint-Ver2.9.1.0.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      PID:1556
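The process tree above is the useful part of this report for detection engineering: the parent registers a scheduled task that re-runs a dropped binary from C:\ProgramData every minute (schtasks defaults the modifier to 1 when /MO is omitted), under a vendor-sounding task path whose "TooIklt" spells "Toolkit" with a capital I, and then strips read access to the drop directory from Everyone (S-1-1-0), ANONYMOUS LOGON (S-1-5-7) and the current user. The following Python is an added example written for this page, not part of the sandbox's output or of the sample; it runs rules for those two behaviours over constructed process-creation command lines modelled on the tree above (plus two benign controls), and the rule names, thresholds and the look-alike heuristic are my own choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample process-creation command lines, modelled on the process
# tree in this report; they are not captured telemetry.  The last two are
# benign controls that the rules must not fire on.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /CREATE /TN "Windows\IntelComputingTooIklt\IntelPaint2.9.1.0." '
    r'/TR "C:\ProgramData\MsiBoost\WindowsPaint-Ver2.9.1.0.exe" /SC MINUTE',
    r'"C:\Windows\System32\icacls.exe" "C:\ProgramData\MsiBoost" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"',
    r'"C:\Windows\System32\icacls.exe" "C:\ProgramData\MsiBoost" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"',
    r'"C:\Windows\System32\icacls.exe" "C:\ProgramData\MsiBoost" /inheritance:e /deny "admin:(R,REA,RA,RD)"',
    r'"C:\Windows\System32\schtasks.exe" /CREATE /TN "Acme\NightlyBackup" /TR "C:\Program Files\Acme\backup.exe" /SC DAILY /ST 02:00',
    r'"C:\Windows\System32\icacls.exe" "C:\Projects\build" /grant "BUILTIN\Users:(OI)(CI)R"',
]

# Well-known SIDs as icacls prints them (it prefixes a literal SID with '*').
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "ANONYMOUS LOGON",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "SYSTEM",
    "S-1-5-32-544": "Administrators",
}

# User-writable locations that an installed, signed product rarely runs from.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")

# icacls simple, specific and generic rights that grant some form of read access.
READ_RIGHTS = {"F", "M", "RX", "R", "RD", "RA", "REA", "GR", "GA"}


@dataclass
class Finding:
    rule: str
    cmdline: str
    detail: str


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [q if q else bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def _opts(tokens: list[str]) -> dict[str, str]:
    """Map schtasks-style /FLAG value pairs to a dict; a flag with no value maps to ''."""
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[tok.upper()] = tokens[i + 1]
                i += 2
                continue
            opts[tok.upper()] = ""
        i += 1
    return opts


def check_schtasks(tokens: list[str], cmdline: str) -> list[Finding]:
    findings: list[Finding] = []
    opts = _opts(tokens[1:])
    if "/CREATE" not in opts:
        return findings
    name, action = opts.get("/TN", ""), opts.get("/TR", "")
    sched, mod = opts.get("/SC", "").upper(), opts.get("/MO", "1")  # schtasks defaults /MO to 1
    if sched == "MINUTE" and mod.isdigit() and int(mod) <= 5:
        findings.append(Finding("schtasks-high-frequency", cmdline,
                                f"task {name!r} re-runs every {mod} minute(s); relaunch/persistence pattern"))
    if any(p in action.lower() for p in USER_WRITABLE):
        findings.append(Finding("schtasks-user-writable-action", cmdline,
                                f"task action {action!r} lives in a user-writable directory"))
    # Heuristic (my own): a capital I wedged between lowercase letters, as in
    # "TooIklt" for "Toolkit", is a cheap look-alike trick in vendor-style names.
    if re.search(r"[a-z]I[a-z]", name):
        findings.append(Finding("schtasks-lookalike-name", cmdline,
                                f"task name {name!r} contains an 'I' where an 'l' is expected"))
    return findings


def check_icacls(tokens: list[str], cmdline: str) -> list[Finding]:
    findings: list[Finding] = []
    if len(tokens) < 2:
        return findings
    target = tokens[1]
    in_drop_dir = any(p in target.lower() + "\\" for p in USER_WRITABLE)
    for i, tok in enumerate(tokens):
        if tok.lower() != "/deny" or i + 1 >= len(tokens):
            continue
        principal, _, perms = tokens[i + 1].partition(":")
        rights = set(re.findall(r"[A-Z]+", perms.upper()))
        sid = principal.lstrip("*")
        who = WELL_KNOWN_SIDS.get(sid)
        label = f"{who} ({sid})" if who else principal
        if rights & READ_RIGHTS and in_drop_dir:
            findings.append(Finding("icacls-deny-read-drop-dir", cmdline,
                                    f"deny-read ACE on {target!r} for {label}; blocks listing/reading the drop directory"))
    return findings


def scan(cmdlines: list[str]) -> list[Finding]:
    """Run both rule sets over a batch of command lines and return every hit in order."""
    findings: list[Finding] = []
    for cmd in cmdlines:
        tokens = tokenize(cmd)
        if not tokens:
            continue
        exe = tokens[0].rsplit("\\", 1)[-1].lower()
        if exe == "schtasks.exe":
            findings.extend(check_schtasks(tokens, cmd))
        elif exe == "icacls.exe":
            findings.extend(check_icacls(tokens, cmd))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"[{f.rule}] {f.detail}")
```

Two caveats for anyone reproducing this on a live host. First, Everyone (S-1-1-0) is present in every process token, SYSTEM included, so a deny-read ACE for it refuses any scanner or collector that opens the directory with ordinary read access; an administrator can still clear the ACEs, because WRITE_DAC was not denied, with `icacls C:\ProgramData\MsiBoost /remove:d *S-1-1-0 *S-1-5-7 admin`, or read through them with backup semantics. Second, the Downloads section lists the same dropped path twice, at 820.2MB and 726.2MB with different hashes, while the image mapped for PID 1556 is 3.7MB, the same as the parent; that strongly suggests the on-disk copy is inflated and not byte-stable, so the memory dump, not the file hash, is the indicator worth keeping.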

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\MsiBoost\WindowsPaint-Ver2.9.1.0.exe

    Filesize

    820.2MB

    MD5

    0faa333b2a10bcaccd40813329db9fc5

    SHA1

    d23e3079412b2bf6b572bd3086a0c9ebe73a96d9

    SHA256

    5d20d250adede149865315f5aa5d3c9f97898152635e645ea6022685691e6f83

    SHA512

    c7cfa4b7771006a2188d4f6d470f1fbac39887e8f15f1137f250f73c26d999127f558a0080a780c86e1e3739738bc125720daa665f675e9e3b794a2ce747369f

  • C:\ProgramData\MsiBoost\WindowsPaint-Ver2.9.1.0.exe

    Filesize

    726.2MB

    MD5

    2179d3c41ad2a170abc90118b50cb984

    SHA1

    4051a76d2072e8585e6f16e21802495450ab360c

    SHA256

    e9f7b265e2dae9debc8b3eff7bccb1d36a23cdc027394053038947980fca1c6f

    SHA512

    4c6f1c63d5017c9d62b6f9a3f03ee5a0c15cc832ee43f1826da694be8e64005d5acf3caf321b3b28bba81596ffa3eec8de386feb9136a870f0bcab20237309f2

  • memory/1076-64-0x0000000001030000-0x00000000013E0000-memory.dmp

    Filesize

    3.7MB

  • memory/1076-55-0x0000000001030000-0x00000000013E0000-memory.dmp

    Filesize

    3.7MB

  • memory/1076-56-0x0000000001030000-0x00000000013E0000-memory.dmp

    Filesize

    3.7MB

  • memory/1076-57-0x0000000001030000-0x00000000013E0000-memory.dmp

    Filesize

    3.7MB

  • memory/1076-54-0x0000000076681000-0x0000000076683000-memory.dmp

    Filesize

    8KB

  • memory/1076-59-0x0000000001030000-0x00000000013E0000-memory.dmp

    Filesize

    3.7MB

  • memory/1556-68-0x0000000000F70000-0x0000000001320000-memory.dmp

    Filesize

    3.7MB

  • memory/1556-69-0x0000000000F70000-0x0000000001320000-memory.dmp

    Filesize

    3.7MB

  • memory/1556-70-0x0000000000F70000-0x0000000001320000-memory.dmp

    Filesize

    3.7MB