45407220b71e139d1e851741eb586d7424ce7ec726e39a125669fa23f4c6598f

Resubmissions

01/03/2023, 14:05

230301-rd11vaga4y 9

01/03/2023, 13:50

230301-q5qhrafh9t 9

01/03/2023, 13:47

230301-q3kjqafh8v 9

01/03/2023, 13:40

230301-qy1p5sgd36 9

Analysis

max time kernel
95s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2023, 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cartridge.exe
Size

4.6MB
MD5

01c0ffbf4899dd9659ab3d69bd071a3a
SHA1

fef363e5680db20ffe13eac15092a0deb98492ec
SHA256

45407220b71e139d1e851741eb586d7424ce7ec726e39a125669fa23f4c6598f
SHA512

cc20a5e56063dfabd6b52aa24e51530da04a10a9f3a7ab0e327314f83f7d38754aed208632446dc222b1af0cabf20990ecfa1a0c635e7f6f7aeecb1a1d828d98
SSDEEP

98304:XJm36qQN6mR38bMHjx7nggGRVewGPYnJLFiwKZ0NQsdUxNYJId:ZmKq1mFjkr+R8JLF8qdamId

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cartridge.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cartridge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cartridge.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/3864-133-0x00007FF705530000-0x00007FF70604B000-memory.dmp	themida
behavioral2/memory/3864-134-0x00007FF705530000-0x00007FF70604B000-memory.dmp	themida
behavioral2/memory/3864-135-0x00007FF705530000-0x00007FF70604B000-memory.dmp	themida
behavioral2/memory/3864-136-0x00007FF705530000-0x00007FF70604B000-memory.dmp	themida
behavioral2/memory/3864-137-0x00007FF705530000-0x00007FF70604B000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cartridge.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3864	cartridge.exe

C:\Users\Admin\AppData\Local\Temp\cartridge.exe
C:\Users\Admin\AppData\Local\Temp\cartridge.exe -a c:\Windows\System32\Drivers\etc\hosts
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3864-133-0x00007FF705530000-0x00007FF70604B000-memory.dmp

Filesize
11.1MB

Download
memory/3864-134-0x00007FF705530000-0x00007FF70604B000-memory.dmp

Filesize
11.1MB

Download
memory/3864-135-0x00007FF705530000-0x00007FF70604B000-memory.dmp

Filesize
11.1MB

Download
memory/3864-136-0x00007FF705530000-0x00007FF70604B000-memory.dmp

Filesize
11.1MB

Download
memory/3864-137-0x00007FF705530000-0x00007FF70604B000-memory.dmp

Filesize
11.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads