ccfd30e42f2dbb38fa3ad9528c74c6ecf6cc45ab167838200331ecf903230db1

General

Target

MOL.EXE.exe
Size

3.4MB
MD5

588cd06833601b361f843c87056fd5a9
SHA1

36fd19550588e46b7ae12639421e9768f6172f0a
SHA256

ccfd30e42f2dbb38fa3ad9528c74c6ecf6cc45ab167838200331ecf903230db1
SHA512

74ca11d07f98dcbae852fb94fd3fa5fb641a73917c6e85b1e2e0f49c5e8f604a14ea3deaf146ce23d4814f3daf2082d3c90d72d2759507d51cf45284f50fc979
SSDEEP

98304:cPMHpHh81TVkOjPdBx425wr7MARYza/PnrHT86b4GGsVJxz:cUrkTiOjPn76hCa/PrHlrVJxz

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

MOL.EXE.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ MOL.EXE.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MOL.EXE.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MOL.EXE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MOL.EXE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MOL.EXE.exe

Themida packer 20 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3432-133-0x00000000001C0000-0x00000000009A5000-memory.dmp	themida
behavioral2/memory/3432-134-0x00000000001C0000-0x00000000009A5000-memory.dmp	themida
behavioral2/memory/3432-135-0x00000000001C0000-0x00000000009A5000-memory.dmp	themida
behavioral2/memory/3432-136-0x00000000001C0000-0x00000000009A5000-memory.dmp	themida
behavioral2/memory/3432-137-0x00000000001C0000-0x00000000009A5000-memory.dmp	themida
behavioral2/memory/3432-138-0x00000000001C0000-0x00000000009A5000-memory.dmp	themida
behavioral2/memory/3432-139-0x00000000001C0000-0x00000000009A5000-memory.dmp	themida
behavioral2/memory/3432-140-0x00000000001C0000-0x00000000009A5000-memory.dmp	themida
behavioral2/memory/3432-141-0x00000000001C0000-0x00000000009A5000-memory.dmp	themida
behavioral2/memory/3432-147-0x00000000001C0000-0x00000000009A5000-memory.dmp	themida
behavioral2/memory/3432-148-0x00000000001C0000-0x00000000009A5000-memory.dmp	themida
behavioral2/memory/3432-149-0x00000000001C0000-0x00000000009A5000-memory.dmp	themida
behavioral2/memory/3432-150-0x00000000001C0000-0x00000000009A5000-memory.dmp	themida
behavioral2/memory/3432-151-0x00000000001C0000-0x00000000009A5000-memory.dmp	themida
behavioral2/memory/3432-152-0x00000000001C0000-0x00000000009A5000-memory.dmp	themida
behavioral2/memory/3432-153-0x00000000001C0000-0x00000000009A5000-memory.dmp	themida
behavioral2/memory/3432-154-0x00000000001C0000-0x00000000009A5000-memory.dmp	themida
behavioral2/memory/3432-155-0x00000000001C0000-0x00000000009A5000-memory.dmp	themida
behavioral2/memory/3432-156-0x00000000001C0000-0x00000000009A5000-memory.dmp	themida
behavioral2/memory/3432-157-0x00000000001C0000-0x00000000009A5000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MOL.EXE.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	MOL.EXE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JYEVXV = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Microsoft.exe\""	MOL.EXE.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

MOL.EXE.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MOL.EXE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MOL.EXE.exe

AutoIT Executable 19 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/3432-134-0x00000000001C0000-0x00000000009A5000-memory.dmp	autoit_exe
behavioral2/memory/3432-135-0x00000000001C0000-0x00000000009A5000-memory.dmp	autoit_exe
behavioral2/memory/3432-136-0x00000000001C0000-0x00000000009A5000-memory.dmp	autoit_exe
behavioral2/memory/3432-137-0x00000000001C0000-0x00000000009A5000-memory.dmp	autoit_exe
behavioral2/memory/3432-138-0x00000000001C0000-0x00000000009A5000-memory.dmp	autoit_exe
behavioral2/memory/3432-139-0x00000000001C0000-0x00000000009A5000-memory.dmp	autoit_exe
behavioral2/memory/3432-140-0x00000000001C0000-0x00000000009A5000-memory.dmp	autoit_exe
behavioral2/memory/3432-141-0x00000000001C0000-0x00000000009A5000-memory.dmp	autoit_exe
behavioral2/memory/3432-147-0x00000000001C0000-0x00000000009A5000-memory.dmp	autoit_exe
behavioral2/memory/3432-148-0x00000000001C0000-0x00000000009A5000-memory.dmp	autoit_exe
behavioral2/memory/3432-149-0x00000000001C0000-0x00000000009A5000-memory.dmp	autoit_exe
behavioral2/memory/3432-150-0x00000000001C0000-0x00000000009A5000-memory.dmp	autoit_exe
behavioral2/memory/3432-151-0x00000000001C0000-0x00000000009A5000-memory.dmp	autoit_exe
behavioral2/memory/3432-152-0x00000000001C0000-0x00000000009A5000-memory.dmp	autoit_exe
behavioral2/memory/3432-153-0x00000000001C0000-0x00000000009A5000-memory.dmp	autoit_exe
behavioral2/memory/3432-154-0x00000000001C0000-0x00000000009A5000-memory.dmp	autoit_exe
behavioral2/memory/3432-155-0x00000000001C0000-0x00000000009A5000-memory.dmp	autoit_exe
behavioral2/memory/3432-156-0x00000000001C0000-0x00000000009A5000-memory.dmp	autoit_exe
behavioral2/memory/3432-157-0x00000000001C0000-0x00000000009A5000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

MOL.EXE.exe

pid process

3432 MOL.EXE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

MOL.EXE.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2 MOL.EXE.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	MOL.EXE.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MOL.EXE.exe

pid	process
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe
3432	MOL.EXE.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MOL.EXE.exe

pid process

3432 MOL.EXE.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

MOL.EXE.exe

description	pid	process	target process
PID 3432 wrote to memory of 4288	3432	MOL.EXE.exe	WSCript.exe
PID 3432 wrote to memory of 4288	3432	MOL.EXE.exe	WSCript.exe
PID 3432 wrote to memory of 4288	3432	MOL.EXE.exe	WSCript.exe

C:\Users\Admin\AppData\Local\Temp\MOL.EXE.exe
"C:\Users\Admin\AppData\Local\Temp\MOL.EXE.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\WSCript.exe
WSCript C:\Users\Admin\AppData\Local\Temp\JYEVXV.vbs
2⤵
PID:4288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JYEVXV.vbs
Filesize
834B

MD5
41cbe0d9975656e04c44d1925ddc4aa2

SHA1
6c98a427fe13daf8215c8963ca7357aa864a5746

SHA256
e0c484c3b99a84e3566e5b83c988c83379f88945af715ec852a7572ad744ccc2

SHA512
d98747ee673126be0fe34e0036855ca5238934c0dc61be6b03dbd87652f7c2ce34a881c91ac7a6fe192dfffbada177384405ae231950ad1610f81afe03a0a2d4

Download Submit
memory/3432-147-0x00000000001C0000-0x00000000009A5000-memory.dmp

Filesize
7.9MB

Download
memory/3432-155-0x00000000001C0000-0x00000000009A5000-memory.dmp

Filesize
7.9MB

Download
memory/3432-136-0x00000000001C0000-0x00000000009A5000-memory.dmp

Filesize
7.9MB

Download
memory/3432-137-0x00000000001C0000-0x00000000009A5000-memory.dmp

Filesize
7.9MB

Download
memory/3432-138-0x00000000001C0000-0x00000000009A5000-memory.dmp

Filesize
7.9MB

Download
memory/3432-139-0x00000000001C0000-0x00000000009A5000-memory.dmp

Filesize
7.9MB

Download
memory/3432-140-0x00000000001C0000-0x00000000009A5000-memory.dmp

Filesize
7.9MB

Download
memory/3432-148-0x00000000001C0000-0x00000000009A5000-memory.dmp

Filesize
7.9MB

Download
memory/3432-157-0x00000000001C0000-0x00000000009A5000-memory.dmp

Filesize
7.9MB

Download
memory/3432-135-0x00000000001C0000-0x00000000009A5000-memory.dmp

Filesize
7.9MB

Download
memory/3432-141-0x00000000001C0000-0x00000000009A5000-memory.dmp

Filesize
7.9MB

Download
memory/3432-149-0x00000000001C0000-0x00000000009A5000-memory.dmp

Filesize
7.9MB

Download
memory/3432-150-0x00000000001C0000-0x00000000009A5000-memory.dmp

Filesize
7.9MB

Download
memory/3432-151-0x00000000001C0000-0x00000000009A5000-memory.dmp

Filesize
7.9MB

Download
memory/3432-152-0x00000000001C0000-0x00000000009A5000-memory.dmp

Filesize
7.9MB

Download
memory/3432-153-0x00000000001C0000-0x00000000009A5000-memory.dmp

Filesize
7.9MB

Download
memory/3432-154-0x00000000001C0000-0x00000000009A5000-memory.dmp

Filesize
7.9MB

Download
memory/3432-133-0x00000000001C0000-0x00000000009A5000-memory.dmp

Filesize
7.9MB

Download
memory/3432-156-0x00000000001C0000-0x00000000009A5000-memory.dmp

Filesize
7.9MB

Download
memory/3432-134-0x00000000001C0000-0x00000000009A5000-memory.dmp

Filesize
7.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads