5ca073902855e78c2225d74c98ea68c4c7b0235c53150e3a6986b73934f19062

General

Target

2a9e7c533ef29c4c39ee61f7154d18c6.exe
Size

4.9MB
MD5

2a9e7c533ef29c4c39ee61f7154d18c6
SHA1

6d288064e15bf370ae49ca7b1bd4a906c403e821
SHA256

5ca073902855e78c2225d74c98ea68c4c7b0235c53150e3a6986b73934f19062
SHA512

987f4581405f99461634534b8cb35a20f37700bf5ce463e24a53ea3dec9740aeb7d0b2300943ae74ae857bcad0cc71f0cccdd580ac7249c1f51c8c002f85c75d
SSDEEP

98304:Z7mSREy3EB1ZucSijV6lMo5ikEwhqr7nANR:Z3R735cS8Evhqra

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2a9e7c533ef29c4c39ee61f7154d18c6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2a9e7c533ef29c4c39ee61f7154d18c6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2a9e7c533ef29c4c39ee61f7154d18c6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Executes dropped EXE 1 IoCs

pid	Process
468	ntlhost.exe

Loads dropped DLL 1 IoCs

pid	Process
1484	2a9e7c533ef29c4c39ee61f7154d18c6.exe

Themida packer 35 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1484-54-0x0000000000B80000-0x00000000013E8000-memory.dmp	themida
behavioral1/memory/1484-55-0x0000000000B80000-0x00000000013E8000-memory.dmp	themida
behavioral1/memory/1484-56-0x0000000000B80000-0x00000000013E8000-memory.dmp	themida
behavioral1/memory/1484-57-0x0000000000B80000-0x00000000013E8000-memory.dmp	themida
behavioral1/memory/1484-58-0x0000000000B80000-0x00000000013E8000-memory.dmp	themida
behavioral1/memory/1484-59-0x0000000000B80000-0x00000000013E8000-memory.dmp	themida
behavioral1/memory/1484-61-0x0000000000B80000-0x00000000013E8000-memory.dmp	themida
behavioral1/memory/1484-62-0x0000000000B80000-0x00000000013E8000-memory.dmp	themida
behavioral1/memory/1484-60-0x0000000000B80000-0x00000000013E8000-memory.dmp	themida
behavioral1/memory/1484-63-0x0000000000B80000-0x00000000013E8000-memory.dmp	themida
behavioral1/files/0x00090000000136c2-65.dat	themida
behavioral1/files/0x00090000000136c2-67.dat	themida
behavioral1/memory/1484-68-0x0000000000B80000-0x00000000013E8000-memory.dmp	themida
behavioral1/memory/468-69-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-70-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-71-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-72-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-73-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-74-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-75-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-76-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-77-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-78-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-79-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-80-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-81-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-84-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-85-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-86-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-87-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-88-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-89-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-90-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-91-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida
behavioral1/memory/468-92-0x0000000000F50000-0x00000000017B8000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	2a9e7c533ef29c4c39ee61f7154d18c6.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2a9e7c533ef29c4c39ee61f7154d18c6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1484	2a9e7c533ef29c4c39ee61f7154d18c6.exe
468	ntlhost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 468	1484	2a9e7c533ef29c4c39ee61f7154d18c6.exe	27
PID 1484 wrote to memory of 468	1484	2a9e7c533ef29c4c39ee61f7154d18c6.exe	27
PID 1484 wrote to memory of 468	1484	2a9e7c533ef29c4c39ee61f7154d18c6.exe	27

C:\Users\Admin\AppData\Local\Temp\2a9e7c533ef29c4c39ee61f7154d18c6.exe
"C:\Users\Admin\AppData\Local\Temp\2a9e7c533ef29c4c39ee61f7154d18c6.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
715.7MB

MD5
5123dfa5179ed6634977ea5ccf87fb83

SHA1
0f73b995daaf7594cc9abd4b7cd9c0600959f1de

SHA256
960db9480de1d4f075c6bf6c4c9deae78c7b9794c5bb1c6ad6f72d73f6fb7432

SHA512
5f392c0f49613c8ec339b88245406d8a2f28af7c21f677a3d77b0edc98943b659ca73541bd51614c38bf8da65bf30341dd1c8bb814bf1baf59718883f6906a52

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
715.1MB

MD5
48f8bd69775623a53053519139f700d8

SHA1
c3910a59eda53567c6bdc5060cf1079440686521

SHA256
97df32c7969ca00012d76217f12d4422febe3b9c744a14598bfb06bfeaf6c7c0

SHA512
d949966ac8edd4cebd35cb08aac16cf93c981d37fe508bebc91dc2681cf77717251b994b6ebafcd97842f20033a47ba21d869aa4260a3c100465ed636ae104e2

Download Submit
memory/468-80-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-85-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-92-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-91-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-90-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-89-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-88-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-87-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-86-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-76-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-84-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-69-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-70-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-71-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-72-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-73-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-81-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-75-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-74-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-77-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-78-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/468-79-0x0000000000F50000-0x00000000017B8000-memory.dmp

Filesize
8.4MB

Download
memory/1484-54-0x0000000000B80000-0x00000000013E8000-memory.dmp

Filesize
8.4MB

Download
memory/1484-57-0x0000000000B80000-0x00000000013E8000-memory.dmp

Filesize
8.4MB

Download
memory/1484-68-0x0000000000B80000-0x00000000013E8000-memory.dmp

Filesize
8.4MB

Download
memory/1484-55-0x0000000000B80000-0x00000000013E8000-memory.dmp

Filesize
8.4MB

Download
memory/1484-56-0x0000000000B80000-0x00000000013E8000-memory.dmp

Filesize
8.4MB

Download
memory/1484-63-0x0000000000B80000-0x00000000013E8000-memory.dmp

Filesize
8.4MB

Download
memory/1484-60-0x0000000000B80000-0x00000000013E8000-memory.dmp

Filesize
8.4MB

Download
memory/1484-62-0x0000000000B80000-0x00000000013E8000-memory.dmp

Filesize
8.4MB

Download
memory/1484-61-0x0000000000B80000-0x00000000013E8000-memory.dmp

Filesize
8.4MB

Download
memory/1484-59-0x0000000000B80000-0x00000000013E8000-memory.dmp

Filesize
8.4MB

Download
memory/1484-58-0x0000000000B80000-0x00000000013E8000-memory.dmp

Filesize
8.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads