5a108eb10751551eaf2fdafee5c9f05033d6d83c524dd20060a464d158cf1bfd

General

Target

d7eh4zQ01VMimnB34BJB.exe
Size

4.8MB
MD5

07b79a91bad1618cdf1828997ee09df3
SHA1

d3ac31c9540edbbbbb9b815287808f47bbbd0692
SHA256

5a108eb10751551eaf2fdafee5c9f05033d6d83c524dd20060a464d158cf1bfd
SHA512

d8ba6f8d1f2b6baadcf7eda5c0cf59db418ae8371ec37cb11266ef9d59b0bda152775b4f416ace72de7ab2c94bf311378efbda0ae30aa2f6caf58775a057e953
SSDEEP

98304:qr5z4M9qNOtHF33FJ6pO/FUSrAcD53U08RRI:eyM6OtH5FM42SsX0C

Score

8^/10

themida

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1484	iM0LnT2UbGypmvsEoT5xMFR0F2CX7NfIjuL.exe

Loads dropped DLL 3 IoCs

pid	Process
1128	d7eh4zQ01VMimnB34BJB.exe
1556	Process not Found
552	osk.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00070000000133ec-72.dat	themida
behavioral1/files/0x00070000000133ec-73.dat	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1128	d7eh4zQ01VMimnB34BJB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1380	taskkill.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	d7eh4zQ01VMimnB34BJB.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	d7eh4zQ01VMimnB34BJB.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	d7eh4zQ01VMimnB34BJB.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1128	d7eh4zQ01VMimnB34BJB.exe
1484	iM0LnT2UbGypmvsEoT5xMFR0F2CX7NfIjuL.exe
1484	iM0LnT2UbGypmvsEoT5xMFR0F2CX7NfIjuL.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1128	d7eh4zQ01VMimnB34BJB.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1380	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
552	osk.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe
552	osk.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 1484	1128	d7eh4zQ01VMimnB34BJB.exe	31
PID 1128 wrote to memory of 1484	1128	d7eh4zQ01VMimnB34BJB.exe	31
PID 1128 wrote to memory of 1484	1128	d7eh4zQ01VMimnB34BJB.exe	31
PID 1484 wrote to memory of 1536	1484	iM0LnT2UbGypmvsEoT5xMFR0F2CX7NfIjuL.exe	33
PID 1484 wrote to memory of 1536	1484	iM0LnT2UbGypmvsEoT5xMFR0F2CX7NfIjuL.exe	33
PID 1484 wrote to memory of 1536	1484	iM0LnT2UbGypmvsEoT5xMFR0F2CX7NfIjuL.exe	33
PID 1536 wrote to memory of 1380	1536	cmd.exe	34
PID 1536 wrote to memory of 1380	1536	cmd.exe	34
PID 1536 wrote to memory of 1380	1536	cmd.exe	34
PID 1484 wrote to memory of 764	1484	iM0LnT2UbGypmvsEoT5xMFR0F2CX7NfIjuL.exe	36
PID 1484 wrote to memory of 764	1484	iM0LnT2UbGypmvsEoT5xMFR0F2CX7NfIjuL.exe	36
PID 1484 wrote to memory of 764	1484	iM0LnT2UbGypmvsEoT5xMFR0F2CX7NfIjuL.exe	36
PID 764 wrote to memory of 1808	764	cmd.exe	37
PID 764 wrote to memory of 1808	764	cmd.exe	37
PID 764 wrote to memory of 1808	764	cmd.exe	37
PID 1804 wrote to memory of 552	1804	utilman.exe	39
PID 1804 wrote to memory of 552	1804	utilman.exe	39
PID 1804 wrote to memory of 552	1804	utilman.exe	39
PID 1484 wrote to memory of 552	1484	iM0LnT2UbGypmvsEoT5xMFR0F2CX7NfIjuL.exe	39

C:\Users\Admin\AppData\Local\Temp\d7eh4zQ01VMimnB34BJB.exe
"C:\Users\Admin\AppData\Local\Temp\d7eh4zQ01VMimnB34BJB.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\iM0LnT2UbGypmvsEoT5xMFR0F2CX7NfIjuL.exe
  "C:\Users\Admin\AppData\Local\Temp\iM0LnT2UbGypmvsEoT5xMFR0F2CX7NfIjuL.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /F /IM osk.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM osk.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c START osk.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Windows\system32\osk.exe
      osk.exe
      4⤵
      PID:1808

C:\Windows\system32\utilman.exe
utilman.exe /debug
1⤵
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\System32\osk.exe
  "C:\Windows\System32\osk.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d9wiKsobW0Mr.dll

Filesize
14.0MB

MD5
ad15f206c2545310e2a0d4b1627caa33

SHA1
8f1c225927f2d3c54d4a8269e917fc16b894cec8

SHA256
dc65e929f284fa51ba7adc8385435045ab3be4808f684cd2d6a1e499dab4b567

SHA512
5848c1f6f6d95cd3f0edb9e6959898500210c6138d8e2e6f0c9a2b470bb60526df4d383a67299ff2c179dab7cb8744e0b3aa9b6c73b748f6d6761b953a890aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\iM0LnT2UbGypmvsEoT5xMFR0F2CX7NfIjuL.exe

Filesize
18.8MB

MD5
e0afdd2b322bb0dfcc5f8b07ee5a9cc6

SHA1
89cc9cbd3adca25ddbf7b8565390c7442ca652e1

SHA256
e5840db0ffd87083a541acea7bce39bb51171f512b5be5de16a4d9467ba1ec1e

SHA512
daad0491a998a68cbc799f65c0f8e2d32a8b3b3184a4357a374ccb4dede5df631916fdea870973b84262b364995980041c7bb52cb566d17738f371932fccd8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\iM0LnT2UbGypmvsEoT5xMFR0F2CX7NfIjuL.exe

Filesize
18.8MB

MD5
e0afdd2b322bb0dfcc5f8b07ee5a9cc6

SHA1
89cc9cbd3adca25ddbf7b8565390c7442ca652e1

SHA256
e5840db0ffd87083a541acea7bce39bb51171f512b5be5de16a4d9467ba1ec1e

SHA512
daad0491a998a68cbc799f65c0f8e2d32a8b3b3184a4357a374ccb4dede5df631916fdea870973b84262b364995980041c7bb52cb566d17738f371932fccd8dd

Download Submit
\Users\Admin\AppData\Local\Temp\d9wiKsobW0Mr.dll

Filesize
14.0MB

MD5
ad15f206c2545310e2a0d4b1627caa33

SHA1
8f1c225927f2d3c54d4a8269e917fc16b894cec8

SHA256
dc65e929f284fa51ba7adc8385435045ab3be4808f684cd2d6a1e499dab4b567

SHA512
5848c1f6f6d95cd3f0edb9e6959898500210c6138d8e2e6f0c9a2b470bb60526df4d383a67299ff2c179dab7cb8744e0b3aa9b6c73b748f6d6761b953a890aad

Download Submit
\Users\Admin\AppData\Local\Temp\iM0LnT2UbGypmvsEoT5xMFR0F2CX7NfIjuL.exe

Filesize
18.8MB

MD5
e0afdd2b322bb0dfcc5f8b07ee5a9cc6

SHA1
89cc9cbd3adca25ddbf7b8565390c7442ca652e1

SHA256
e5840db0ffd87083a541acea7bce39bb51171f512b5be5de16a4d9467ba1ec1e

SHA512
daad0491a998a68cbc799f65c0f8e2d32a8b3b3184a4357a374ccb4dede5df631916fdea870973b84262b364995980041c7bb52cb566d17738f371932fccd8dd

Download Submit
\Users\Admin\AppData\Local\Temp\iM0LnT2UbGypmvsEoT5xMFR0F2CX7NfIjuL.exe

Filesize
18.8MB

MD5
e0afdd2b322bb0dfcc5f8b07ee5a9cc6

SHA1
89cc9cbd3adca25ddbf7b8565390c7442ca652e1

SHA256
e5840db0ffd87083a541acea7bce39bb51171f512b5be5de16a4d9467ba1ec1e

SHA512
daad0491a998a68cbc799f65c0f8e2d32a8b3b3184a4357a374ccb4dede5df631916fdea870973b84262b364995980041c7bb52cb566d17738f371932fccd8dd

Download Submit
memory/1128-60-0x0000000140000000-0x0000000140800000-memory.dmp

Filesize
8.0MB

Download
memory/1128-54-0x0000000140000000-0x0000000140800000-memory.dmp

Filesize
8.0MB

Download
memory/1128-56-0x000007FEFC071000-0x000007FEFC073000-memory.dmp

Filesize
8KB

Download
memory/1128-55-0x0000000140000000-0x0000000140800000-memory.dmp

Filesize
8.0MB

Download
memory/1484-63-0x000000013F360000-0x000000014179A000-memory.dmp

Filesize
36.2MB

Download
memory/1484-74-0x000000013F360000-0x000000014179A000-memory.dmp

Filesize
36.2MB

Download

Analysis

Sharing