40c9698c41f7575d5c05a059f73067072dffb2001454cc8571de6ec4d7a6aad9

Analysis

max time kernel
57s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2023, 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
Size

3.4MB
MD5

780e2eb727a2a278795471059f4d6b33
SHA1

2911c5de51eaf1ae82e96fc26c1505cbfa7f0641
SHA256

d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824
SHA512

bf1748e47377290b9356d6ac5f42cfdc974117cc21e901d5443f71348930af37d6eaf3d8363464297454560396ea1d87cc5804b415d1fb8db01a5859ff3026ed
SSDEEP

98304:OWYHz9DAMmWXxVkYIs0xQIk5Zq7IvQEJ/lnvf0xSOS:KHz9MP1s0LkTqUvbhNvfdp

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe

Themida packer 24 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/1388-133-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-134-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-135-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-136-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-137-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-138-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-139-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-140-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-141-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-142-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-144-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-147-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-148-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-149-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-150-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-151-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-152-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-153-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-154-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-155-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-156-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-157-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-158-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida
behavioral2/memory/1388-159-0x00000000002A0000-0x0000000000A89000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows\CurrentVersion\Run	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GOLVTL = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\taskmgr.exe\""	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe

AutoIT Executable 22 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1388-135-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-136-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-137-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-138-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-139-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-140-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-141-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-142-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-144-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-147-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-148-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-149-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-150-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-151-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-152-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-153-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-154-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-155-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-156-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-157-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-158-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe
behavioral2/memory/1388-159-0x00000000002A0000-0x0000000000A89000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 4732	1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe	84
PID 1388 wrote to memory of 4732	1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe	84
PID 1388 wrote to memory of 4732	1388	d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe	84

C:\Users\Admin\AppData\Local\Temp\d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe
"C:\Users\Admin\AppData\Local\Temp\d5a0c28c1b0198033e57c75f95c921244071ce7e2eebec74e66f384627900824.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\WSCript.exe
  WSCript C:\Users\Admin\AppData\Local\Temp\GOLVTL.vbs
  2⤵
  PID:4732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GOLVTL.vbs

Filesize
948B

MD5
a8979a46bea01e4f49ae88e0d729dcf1

SHA1
0979caed1b16b7bc10715edada511b8bfb95ec4d

SHA256
8af86d6e622edfc16d1aa189ba5792cfe1d9f62b7e8420be6d423a72774e5499

SHA512
82c6f66cfec913995dddde7b81d2b065e02f5c8a1d7bfa947d38949c0efd6a74a149b0f31e4899821332c7e6c4ea23fa78caacae17b765202b946f86cf1d5c8b

Download Submit
memory/1388-147-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-140-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-136-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-137-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-138-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-139-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-133-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-141-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-142-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-144-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-135-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-134-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-152-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-149-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-150-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-151-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-148-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-153-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-154-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-155-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-156-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-157-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-158-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download
memory/1388-159-0x00000000002A0000-0x0000000000A89000-memory.dmp

Filesize
7.9MB

Download