119185c921128618a213f5bd825df3a354bd802f6361972713e65fe2890a8a6c

Analysis

max time kernel
440s
max time network
433s
platform
windows10-1703_x64
resource
win10-20220901-es
resource tags

arch:x64arch:x86image:win10-20220901-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
08/02/2023, 13:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

payload5.zip
Size

13.8MB
MD5

87e80bb294c14cbf60deda9992113859
SHA1

f4fce6ee5238e285e28be6f25f2689a10f93b2f5
SHA256

119185c921128618a213f5bd825df3a354bd802f6361972713e65fe2890a8a6c
SHA512

20a3f54f76b06a202d0f058f625fdb4a0ecc1456b9c3d8a470c6dabaef78cacebf523b64c8a41f7a151c0f6c6a6902e0bdfe378d3154045af01835148b3279ea
SSDEEP

393216:lK84AqkQMzYDEddNmhf92ZrkN0csbcUMpPdYq6MuNVB+t4OGrgi:Q84MHwEdP0ANkylbcHFYVSt43r7

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a.exe

Executes dropped EXE 1 IoCs

pid	Process
4892	a.exe

Loads dropped DLL 1 IoCs

pid	Process
4892	a.exe

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000600000001ac1f-165.dat	themida
behavioral1/memory/4892-176-0x0000000004A10000-0x0000000006F20000-memory.dmp	themida
behavioral1/memory/4892-177-0x0000000004A10000-0x0000000006F20000-memory.dmp	themida
behavioral1/memory/4892-178-0x0000000004A10000-0x0000000006F20000-memory.dmp	themida
behavioral1/memory/4892-179-0x0000000004A10000-0x0000000006F20000-memory.dmp	themida
behavioral1/memory/4892-180-0x0000000004A10000-0x0000000006F20000-memory.dmp	themida
behavioral1/memory/4892-182-0x0000000004A10000-0x0000000006F20000-memory.dmp	themida
behavioral1/memory/4892-183-0x0000000004A10000-0x0000000006F20000-memory.dmp	themida
behavioral1/memory/4892-184-0x0000000004A10000-0x0000000006F20000-memory.dmp	themida
behavioral1/memory/4892-185-0x0000000004A10000-0x0000000006F20000-memory.dmp	themida
behavioral1/memory/4892-186-0x0000000004A10000-0x0000000006F20000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4892	a.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask = "No"	a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "No"	a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords = "No"	a.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4892	a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	4300	7zG.exe
Token: 35	4300	7zG.exe
Token: SeSecurityPrivilege	4300	7zG.exe
Token: SeSecurityPrivilege	4300	7zG.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4300	7zG.exe
4892	a.exe
4892	a.exe
4892	a.exe
4892	a.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4892	a.exe
4892	a.exe
4892	a.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\payload5.zip
1⤵
PID:2852

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4852

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\payload5\" -spe -an -ai#7zMap27482:74:7zEvent11154
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4300

C:\Users\Admin\Desktop\payload5\a.exe
"C:\Users\Admin\Desktop\payload5\a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\payload5\LNCCZIJXMN.MgE

Filesize
13.8MB

MD5
e2019c979c97d42176f92f46c598b6dc

SHA1
5739fe323f68fd84afe31c7d65b1f3e3347efca2

SHA256
dcd9ed3211ca46b6182400f2d885e3e8e475dce38d3450890e009b5279f921d2

SHA512
8c710b93b4e1587abb014cdf49d6c72b0357286eeb2673f754666a51dbd1ba66a61d419f2a8a8e96af6a2bcb26a24892a51441f9a1af7d5c69345d05b2ca3878

Download Submit
C:\Users\Admin\Desktop\payload5\a.ahk

Filesize
196B

MD5
26e7415d38a6259e2c133786958c5bd3

SHA1
70b28c16b8d070f18f7643541d85f5c50569e1fd

SHA256
741f9d4fe88deec4a8b9362468d55f76244d77c1d8e962b1a987f88f4b7cc61e

SHA512
137c66136c361c85e1221d8b58c5cb6572ddada2fba227dffcbf67ec6bb98f44a80207a4e89526e5abd4445aeb9eb1cedfe1cf34f8d57677c872a24f3e533392

Download Submit
C:\Users\Admin\Desktop\payload5\a.exe

Filesize
889KB

MD5
03c469798bf1827d989f09f346ce95f7

SHA1
05e491bc1b8fbfbfdca24b565f2464137f30691e

SHA256
de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a

SHA512
d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

Download Submit
C:\Users\Admin\Desktop\payload5\a.exe

Filesize
889KB

MD5
03c469798bf1827d989f09f346ce95f7

SHA1
05e491bc1b8fbfbfdca24b565f2464137f30691e

SHA256
de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a

SHA512
d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

Download Submit
\Users\Admin\AppData\Local\Temp\c7ccc9b.dll

Filesize
8KB

MD5
d8f4ab8284f0fda871d6834e24bc6f37

SHA1
641948e44a1dcfd0ef68910768eb4b1ea6b49d10

SHA256
c09d0790e550694350b94ca6b077c54f983c135fab8990df5a75462804150912

SHA512
f65a916041846718306567d33273c3d0f41e0b26589cf6db46ec6c788ba0d87a708c94979d3bd0609142badca9e7129690b92169a07dcf7cd8c66698827d2fa0

Download Submit
memory/4892-121-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-122-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-123-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-124-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-125-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-126-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-127-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-128-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-129-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-130-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-132-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-133-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-131-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-134-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-135-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-137-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-136-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-138-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-139-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-141-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-140-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-142-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-143-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-144-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-145-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-147-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-146-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-148-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-149-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-150-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-151-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-152-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-153-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-154-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-155-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-156-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-157-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-158-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-159-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-160-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-161-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-163-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-164-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-166-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-167-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-169-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-168-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-170-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-172-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-171-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-173-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-174-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-175-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-176-0x0000000004A10000-0x0000000006F20000-memory.dmp

Filesize
37.1MB

Download
memory/4892-177-0x0000000004A10000-0x0000000006F20000-memory.dmp

Filesize
37.1MB

Download
memory/4892-178-0x0000000004A10000-0x0000000006F20000-memory.dmp

Filesize
37.1MB

Download
memory/4892-179-0x0000000004A10000-0x0000000006F20000-memory.dmp

Filesize
37.1MB

Download
memory/4892-180-0x0000000004A10000-0x0000000006F20000-memory.dmp

Filesize
37.1MB

Download
memory/4892-181-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-182-0x0000000004A10000-0x0000000006F20000-memory.dmp

Filesize
37.1MB

Download
memory/4892-183-0x0000000004A10000-0x0000000006F20000-memory.dmp

Filesize
37.1MB

Download
memory/4892-184-0x0000000004A10000-0x0000000006F20000-memory.dmp

Filesize
37.1MB

Download
memory/4892-185-0x0000000004A10000-0x0000000006F20000-memory.dmp

Filesize
37.1MB

Download
memory/4892-186-0x0000000004A10000-0x0000000006F20000-memory.dmp

Filesize
37.1MB

Download