0d49ed0ef687b35e0f3a806dc9f20dd9cef84ea06a197319ee8c4a1b5a04aad4

General

Target

información de reserva.vbs
Size

4.7MB
MD5

7682d10c7d8f06b663b1d0f16067adf4
SHA1

408ba3988f038083f382b89a0fb0889a6ccf0658
SHA256

0d49ed0ef687b35e0f3a806dc9f20dd9cef84ea06a197319ee8c4a1b5a04aad4
SHA512

8119e6a7fb71fde2b2ebbcd143ad08ea3fb53b8a3cce767cf487d685ec88673ed20bbfad5b8449ab7370e9a5f7043ba060c42abb126bb51da28d416f335faead
SSDEEP

49152:3HSMXYsIodMO+PJUL7TtMO8UF1hppr71baDhxSw35Aac2HMGwnQzpfGWP:m

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

yacd61c618add255ee0ac0ee56940.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ yacd61c618add255ee0ac0ee56940.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	yacd61c618add255ee0ac0ee56940.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

yacd61c618add255ee0ac0ee56940.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	yacd61c618add255ee0ac0ee56940.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	yacd61c618add255ee0ac0ee56940.exe

Executes dropped EXE 1 IoCs

Processes:

yacd61c618add255ee0ac0ee56940.exe

pid process

1208 yacd61c618add255ee0ac0ee56940.exe

Themida packer 26 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\yacd61c618add255ee0ac0ee56940.exe	themida
C:\Users\Admin\AppData\Local\Temp\yacd61c618add255ee0ac0ee56940.exe	themida
behavioral1/memory/1208-59-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-60-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-61-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-62-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-63-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-64-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-65-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-66-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-67-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-71-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-72-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-73-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-74-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-75-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-76-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-77-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-78-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-79-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-80-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-81-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-82-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-83-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-84-0x0000000000960000-0x00000000011A9000-memory.dmp	themida
behavioral1/memory/1208-85-0x0000000000960000-0x00000000011A9000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

yacd61c618add255ee0ac0ee56940.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run	yacd61c618add255ee0ac0ee56940.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\GXOWIS = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\EGDE.exe\""	yacd61c618add255ee0ac0ee56940.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

yacd61c618add255ee0ac0ee56940.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yacd61c618add255ee0ac0ee56940.exe

AutoIT Executable 23 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1208-60-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-61-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-62-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-63-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-64-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-65-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-66-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-67-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-71-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-72-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-73-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-74-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-75-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-76-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-77-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-78-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-79-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-80-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-81-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-82-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-83-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-84-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe
behavioral1/memory/1208-85-0x0000000000960000-0x00000000011A9000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

yacd61c618add255ee0ac0ee56940.exe

pid process

1208 yacd61c618add255ee0ac0ee56940.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 1 IoCs

Processes:

yacd61c618add255ee0ac0ee56940.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	yacd61c618add255ee0ac0ee56940.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

yacd61c618add255ee0ac0ee56940.exe

pid	process
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe
1208	yacd61c618add255ee0ac0ee56940.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

yacd61c618add255ee0ac0ee56940.exe

pid process

1208 yacd61c618add255ee0ac0ee56940.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

WScript.exeyacd61c618add255ee0ac0ee56940.exe

description	pid	process	target process
PID 1496 wrote to memory of 1960	1496	WScript.exe	certutil.exe
PID 1496 wrote to memory of 1960	1496	WScript.exe	certutil.exe
PID 1496 wrote to memory of 1960	1496	WScript.exe	certutil.exe
PID 1496 wrote to memory of 1208	1496	WScript.exe	yacd61c618add255ee0ac0ee56940.exe
PID 1496 wrote to memory of 1208	1496	WScript.exe	yacd61c618add255ee0ac0ee56940.exe
PID 1496 wrote to memory of 1208	1496	WScript.exe	yacd61c618add255ee0ac0ee56940.exe
PID 1496 wrote to memory of 1208	1496	WScript.exe	yacd61c618add255ee0ac0ee56940.exe
PID 1208 wrote to memory of 1104	1208	yacd61c618add255ee0ac0ee56940.exe	WSCript.exe
PID 1208 wrote to memory of 1104	1208	yacd61c618add255ee0ac0ee56940.exe	WSCript.exe
PID 1208 wrote to memory of 1104	1208	yacd61c618add255ee0ac0ee56940.exe	WSCript.exe
PID 1208 wrote to memory of 1104	1208	yacd61c618add255ee0ac0ee56940.exe	WSCript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\información de reserva.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\System32\certutil.exe
"C:\Windows\System32\certutil.exe" -decode C:\Users\Admin\AppData\Local\Temp\Sb32e6a52a22741d15c746c4261 C:\Users\Admin\AppData\Local\Temp\yacd61c618add255ee0ac0ee56940.exe
2⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\yacd61c618add255ee0ac0ee56940.exe
"C:\Users\Admin\AppData\Local\Temp\yacd61c618add255ee0ac0ee56940.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\WSCript.exe
WSCript C:\Users\Admin\AppData\Local\Temp\GXOWIS.vbs
3⤵
PID:1104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GXOWIS.vbs
Filesize
878B

MD5
3d99251020982702f00048a7f1166865

SHA1
e5ead989881790467c96a092e93b014c4afa6811

SHA256
4c5675319ec4ac23afda439fa1eb9883b8573d53d567ba1d1c343cd5502fd005

SHA512
13fcc886709d3d3f2f2b93e54f45ffff98d6fdf899a7ef5d86e4e110e8db00271a36e658497716a9162f302c6a88620d0aed3f2fa655d1c4b40055695293f04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sb32e6a52a22741d15c746c4261
Filesize
4.7MB

MD5
8102c205028e4898c08bdfc4b9c0b352

SHA1
3bc5e9064f978924e2eacfa14440a825c80388ef

SHA256
a42e3a28241c1cf88249dc997a5d3e9c28e5fbc91ebf59b058e029534162c846

SHA512
841f5baa6e1eaeaddff817266853161cfb9dafe77c8242b25fc8f8109ba2ca28667c561759f3a0c40f1945befd2668e2b93aefcfc4ab8c094124f6e619b58d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yacd61c618add255ee0ac0ee56940.exe
Filesize
3.5MB

MD5
83a302a7711d3e65a1e4c58b4b023399

SHA1
d31bdb7dc1dc10f4085cfb1bf193c6c319037a35

SHA256
a89b834a1644e35ed3c9bd3cf3c9fa81929aeb3d7e47c5ac8f50b4cdf02eaf63

SHA512
ff96d153f623e0beda3ba5ca1feb3dcacbf03a1de686dc48231d8e4d2907e7384974e1bfe09e2a2e1f970322e63d913e220499380e9b8dfd5897d066577caa7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yacd61c618add255ee0ac0ee56940.exe
Filesize
3.5MB

MD5
83a302a7711d3e65a1e4c58b4b023399

SHA1
d31bdb7dc1dc10f4085cfb1bf193c6c319037a35

SHA256
a89b834a1644e35ed3c9bd3cf3c9fa81929aeb3d7e47c5ac8f50b4cdf02eaf63

SHA512
ff96d153f623e0beda3ba5ca1feb3dcacbf03a1de686dc48231d8e4d2907e7384974e1bfe09e2a2e1f970322e63d913e220499380e9b8dfd5897d066577caa7a

Download Submit
memory/1208-72-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-73-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-62-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-63-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-64-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-65-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-66-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-67-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-60-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-71-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-59-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-61-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-74-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-75-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-76-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-77-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-78-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-79-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-80-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-81-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-82-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-83-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-84-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download
memory/1208-85-0x0000000000960000-0x00000000011A9000-memory.dmp

Filesize
8.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads