ea25a8909d0bd9438586d97aa8919fc90ad8cef0043ea13fec603c780e0427e1

Analysis

max time kernel
52s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2023 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader_.exe
Size

8.8MB
MD5

f5b49bd5b215416c31650c1bf1047e33
SHA1

3e8468db67c3b41eeab8017018670ae57afe702d
SHA256

ea25a8909d0bd9438586d97aa8919fc90ad8cef0043ea13fec603c780e0427e1
SHA512

2a9c5682794eb761a7a7b8d78db8a2dc39b94b2a0779f3ed250101deecfca9ef27257bf1d9a7de2aff13abba995da2fc95a623481e23cb631449434fcce558a2
SSDEEP

196608:3lViYdgxP1MTFmMUwMqhmrOGSF2yCVbXyqsz5p5:3riYexPQUwMqhmrlS0pynz5p5

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Loader_.exeZGnxxztzZE.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader_.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ZGnxxztzZE.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Loader_.exeZGnxxztzZE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ZGnxxztzZE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ZGnxxztzZE.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Loader_.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Loader_.exe

Executes dropped EXE 1 IoCs

Processes:

ZGnxxztzZE.exe

pid process

4316 ZGnxxztzZE.exe
Loads dropped DLL 6 IoCs

Processes:

Loader_.exeZGnxxztzZE.exe

pid process

1728 Loader_.exe
1728 Loader_.exe
4316 ZGnxxztzZE.exe
4316 ZGnxxztzZE.exe
4316 ZGnxxztzZE.exe
3212

pid	process
4316	ZGnxxztzZE.exe

pid	process
1728	Loader_.exe
1728	Loader_.exe
4316	ZGnxxztzZE.exe
4316	ZGnxxztzZE.exe
4316	ZGnxxztzZE.exe
3212

Themida packer 22 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/1728-133-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp	themida
behavioral2/memory/1728-138-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp	themida
behavioral2/memory/1728-139-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp	themida
behavioral2/memory/1728-140-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp	themida
behavioral2/memory/1728-145-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp	themida
behavioral2/memory/1728-146-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp	themida
behavioral2/memory/1728-147-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp	themida
behavioral2/memory/1728-148-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp	themida
behavioral2/memory/1728-161-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp	themida
behavioral2/memory/1728-166-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\ZGnxxztzZE.exe	themida
C:\Users\Admin\AppData\Local\Temp\ZGnxxztzZE.exe	themida
C:\Users\Admin\AppData\Local\Temp\ZGnxxztzZE.exe	themida
behavioral2/memory/1728-190-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp	themida
behavioral2/memory/4316-193-0x00007FF6AE620000-0x00007FF6AFEE0000-memory.dmp	themida
behavioral2/memory/4316-194-0x00007FF6AE620000-0x00007FF6AFEE0000-memory.dmp	themida
behavioral2/memory/4316-195-0x00007FF6AE620000-0x00007FF6AFEE0000-memory.dmp	themida
behavioral2/memory/4316-196-0x00007FF6AE620000-0x00007FF6AFEE0000-memory.dmp	themida
behavioral2/memory/4316-199-0x00007FF6AE620000-0x00007FF6AFEE0000-memory.dmp	themida
behavioral2/memory/4316-200-0x00007FF6AE620000-0x00007FF6AFEE0000-memory.dmp	themida
behavioral2/memory/4316-202-0x00007FF6AE620000-0x00007FF6AFEE0000-memory.dmp	themida
behavioral2/memory/4316-214-0x00007FF6AE620000-0x00007FF6AFEE0000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Loader_.exeZGnxxztzZE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader_.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ZGnxxztzZE.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Loader_.exeZGnxxztzZE.exe

pid process

1728 Loader_.exe
4316 ZGnxxztzZE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4752 4316 WerFault.exe ZGnxxztzZE.exe

pid	process
1728	Loader_.exe
4316	ZGnxxztzZE.exe

pid	pid_target	process	target process
4752	4316	WerFault.exe	ZGnxxztzZE.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

powershell.exeLoader_.exe

pid	process
4844	powershell.exe
4844	powershell.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe
1728	Loader_.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4844 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ZGnxxztzZE.exe

pid process

4316 ZGnxxztzZE.exe
4316 ZGnxxztzZE.exe

description	pid	process
Token: SeDebugPrivilege	4844	powershell.exe

pid	process
4316	ZGnxxztzZE.exe
4316	ZGnxxztzZE.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Loader_.exe

description	pid	process	target process
PID 1728 wrote to memory of 4844	1728	Loader_.exe	powershell.exe
PID 1728 wrote to memory of 4844	1728	Loader_.exe	powershell.exe
PID 1728 wrote to memory of 4316	1728	Loader_.exe	ZGnxxztzZE.exe
PID 1728 wrote to memory of 4316	1728	Loader_.exe	ZGnxxztzZE.exe

C:\Users\Admin\AppData\Local\Temp\Loader_.exe
"C:\Users\Admin\AppData\Local\Temp\Loader_.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /C Get-Service -Name WpnUserService* | Restart-Service -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Users\Admin\AppData\Local\Temp\ZGnxxztzZE.exe
"C:\Users\Admin\AppData\Local\Temp\ZGnxxztzZE.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4316 -s 524
3⤵
- Program crash
PID:4752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 4316 -ip 4316
1⤵
PID:4124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZBeqNjgcTY.dll
Filesize
49KB

MD5
ac3da38df3e1fbf4977da44c2f8aa9ae

SHA1
3c1d0cceede7849123ddbc742be6e0be1b48970e

SHA256
dd6e17839dd51b459c05318304acb52f8751db8d5a67679a3c8b5139f8db98e5

SHA512
dda5a05a0497ea12e0899716456d97b224f1c6dfe010ee7873bcdf764f49f6783b6189391ed3defbcc3da47e4e85e830981b15d2f0b3c51ae5bef15b3604e175

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZBeqNjgcTY.dll
Filesize
49KB

MD5
ac3da38df3e1fbf4977da44c2f8aa9ae

SHA1
3c1d0cceede7849123ddbc742be6e0be1b48970e

SHA256
dd6e17839dd51b459c05318304acb52f8751db8d5a67679a3c8b5139f8db98e5

SHA512
dda5a05a0497ea12e0899716456d97b224f1c6dfe010ee7873bcdf764f49f6783b6189391ed3defbcc3da47e4e85e830981b15d2f0b3c51ae5bef15b3604e175

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZBeqNjgcTY.dll
Filesize
49KB

MD5
ac3da38df3e1fbf4977da44c2f8aa9ae

SHA1
3c1d0cceede7849123ddbc742be6e0be1b48970e

SHA256
dd6e17839dd51b459c05318304acb52f8751db8d5a67679a3c8b5139f8db98e5

SHA512
dda5a05a0497ea12e0899716456d97b224f1c6dfe010ee7873bcdf764f49f6783b6189391ed3defbcc3da47e4e85e830981b15d2f0b3c51ae5bef15b3604e175

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZGnxxztzZE.exe
Filesize
9.1MB

MD5
bc64377f6e6baddd1ab77567d7e78e7a

SHA1
ac1e44960dce84122d932bdbedbd78dec049ff8a

SHA256
1a2683a179e606bfdd2b62c20bbc69cb1af33bba7827a13c5bfa2440a3d239a6

SHA512
01219fa64ee72d484b89c414e6ff63a0e65fe431268fdf1f9fc28ee325710f3d72a65c743569552cd0a91bd0d6373aa71ee674f7443091b76d134341088f55ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZGnxxztzZE.exe
Filesize
9.1MB

MD5
bc64377f6e6baddd1ab77567d7e78e7a

SHA1
ac1e44960dce84122d932bdbedbd78dec049ff8a

SHA256
1a2683a179e606bfdd2b62c20bbc69cb1af33bba7827a13c5bfa2440a3d239a6

SHA512
01219fa64ee72d484b89c414e6ff63a0e65fe431268fdf1f9fc28ee325710f3d72a65c743569552cd0a91bd0d6373aa71ee674f7443091b76d134341088f55ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZGnxxztzZE.exe
Filesize
9.1MB

MD5
bc64377f6e6baddd1ab77567d7e78e7a

SHA1
ac1e44960dce84122d932bdbedbd78dec049ff8a

SHA256
1a2683a179e606bfdd2b62c20bbc69cb1af33bba7827a13c5bfa2440a3d239a6

SHA512
01219fa64ee72d484b89c414e6ff63a0e65fe431268fdf1f9fc28ee325710f3d72a65c743569552cd0a91bd0d6373aa71ee674f7443091b76d134341088f55ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gdel5bdi.chr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3d11.dll
Filesize
2.4MB

MD5
b284ae0d37cc7d47fc149bf93ef6a5bf

SHA1
3952b84377b0a1d267daae711ee47581749cb2a3

SHA256
0d1fe975cc83acc64a5c2341fbed3700a10509fa3df64535bc50adddd95b7f8b

SHA512
b3982d34808264907520602a5a7798c20b035e78152731856b2c3e0b83086a9b744377e2a2014a3ed91fcb9478468986360fcd62df98a544c9f8a856829ffc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3d11.dll
Filesize
2.4MB

MD5
b284ae0d37cc7d47fc149bf93ef6a5bf

SHA1
3952b84377b0a1d267daae711ee47581749cb2a3

SHA256
0d1fe975cc83acc64a5c2341fbed3700a10509fa3df64535bc50adddd95b7f8b

SHA512
b3982d34808264907520602a5a7798c20b035e78152731856b2c3e0b83086a9b744377e2a2014a3ed91fcb9478468986360fcd62df98a544c9f8a856829ffc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3d11.dll
Filesize
2.4MB

MD5
b284ae0d37cc7d47fc149bf93ef6a5bf

SHA1
3952b84377b0a1d267daae711ee47581749cb2a3

SHA256
0d1fe975cc83acc64a5c2341fbed3700a10509fa3df64535bc50adddd95b7f8b

SHA512
b3982d34808264907520602a5a7798c20b035e78152731856b2c3e0b83086a9b744377e2a2014a3ed91fcb9478468986360fcd62df98a544c9f8a856829ffc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll
Filesize
4.1MB

MD5
222d020bd33c90170a8296adc1b7036a

SHA1
612e6f443d927330b9b8ac13cc4a2a6b959cee48

SHA256
4432bbd1a390874f3f0a503d45cc48d346abc3a8c0213c289f4b615bf0ee84f3

SHA512
ad8c7ce7f6f353da5e2cf816e1a69f1ec14011612e8041e4f9bb6ebed3e0fa4e4ebc069155a0c66e23811467012c201893b9b3b7a947d089ce2c749d5e8910c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll
Filesize
4.1MB

MD5
222d020bd33c90170a8296adc1b7036a

SHA1
612e6f443d927330b9b8ac13cc4a2a6b959cee48

SHA256
4432bbd1a390874f3f0a503d45cc48d346abc3a8c0213c289f4b615bf0ee84f3

SHA512
ad8c7ce7f6f353da5e2cf816e1a69f1ec14011612e8041e4f9bb6ebed3e0fa4e4ebc069155a0c66e23811467012c201893b9b3b7a947d089ce2c749d5e8910c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll
Filesize
4.1MB

MD5
222d020bd33c90170a8296adc1b7036a

SHA1
612e6f443d927330b9b8ac13cc4a2a6b959cee48

SHA256
4432bbd1a390874f3f0a503d45cc48d346abc3a8c0213c289f4b615bf0ee84f3

SHA512
ad8c7ce7f6f353da5e2cf816e1a69f1ec14011612e8041e4f9bb6ebed3e0fa4e4ebc069155a0c66e23811467012c201893b9b3b7a947d089ce2c749d5e8910c6

Download Submit
memory/1728-145-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp

Filesize
24.1MB

Download
memory/1728-161-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp

Filesize
24.1MB

Download
memory/1728-166-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp

Filesize
24.1MB

Download
memory/1728-138-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp

Filesize
24.1MB

Download
memory/1728-139-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp

Filesize
24.1MB

Download
memory/1728-148-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp

Filesize
24.1MB

Download
memory/1728-190-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp

Filesize
24.1MB

Download
memory/1728-147-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp

Filesize
24.1MB

Download
memory/1728-146-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp

Filesize
24.1MB

Download
memory/1728-140-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp

Filesize
24.1MB

Download
memory/1728-133-0x00007FF71AF20000-0x00007FF71C730000-memory.dmp

Filesize
24.1MB

Download
memory/4316-196-0x00007FF6AE620000-0x00007FF6AFEE0000-memory.dmp

Filesize
24.8MB

Download
memory/4316-209-0x00007FFE86870000-0x00007FFE86880000-memory.dmp

Filesize
64KB

Download
memory/4316-195-0x00007FF6AE620000-0x00007FF6AFEE0000-memory.dmp

Filesize
24.8MB

Download
memory/4316-194-0x00007FF6AE620000-0x00007FF6AFEE0000-memory.dmp

Filesize
24.8MB

Download
memory/4316-199-0x00007FF6AE620000-0x00007FF6AFEE0000-memory.dmp

Filesize
24.8MB

Download
memory/4316-200-0x00007FF6AE620000-0x00007FF6AFEE0000-memory.dmp

Filesize
24.8MB

Download
memory/4316-202-0x00007FF6AE620000-0x00007FF6AFEE0000-memory.dmp

Filesize
24.8MB

Download
memory/4316-214-0x00007FF6AE620000-0x00007FF6AFEE0000-memory.dmp

Filesize
24.8MB

Download
memory/4316-193-0x00007FF6AE620000-0x00007FF6AFEE0000-memory.dmp

Filesize
24.8MB

Download
memory/4316-208-0x00007FFE86870000-0x00007FFE86880000-memory.dmp

Filesize
64KB

Download
memory/4316-211-0x000001E07EE90000-0x000001E07EE91000-memory.dmp

Filesize
4KB

Download
memory/4844-159-0x0000021DAAC30000-0x0000021DAAC52000-memory.dmp

Filesize
136KB

Download
memory/4844-149-0x0000021DAA960000-0x0000021DAA970000-memory.dmp

Filesize
64KB

Download
memory/4844-160-0x0000021DAA960000-0x0000021DAA970000-memory.dmp

Filesize
64KB

Download