577dbd64daab087699592a9a7b63a5547c7c4595cf8162a818ed40c60d6b3721

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xvtOZIuNfu.exe
Size

5.2MB
MD5

87262f73867c2aae6cad297fa858455a
SHA1

ca9648a43e2c36b8a660483e0fc10164a4108f98
SHA256

577dbd64daab087699592a9a7b63a5547c7c4595cf8162a818ed40c60d6b3721
SHA512

48d04479f7459dfa6fd6b2213e8fbaa7e7db6dbf6b9fd1fe76696068f6fae32aa2c59b7d8efc934b976790c77dba1ab040d02770c2bf218b804e0736557c1ae2
SSDEEP

98304:vQN7vXi5fVFmqmecgwRZpux5fa00X05ncifxsOxald4EsqCYxoI:vQVy5vmqmlxNux1B/cRR/4v8X

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

xvtOZIuNfu.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ xvtOZIuNfu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	xvtOZIuNfu.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xvtOZIuNfu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	xvtOZIuNfu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	xvtOZIuNfu.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3672-133-0x00007FF651690000-0x00007FF6523C6000-memory.dmp	themida
behavioral2/memory/3672-134-0x00007FF651690000-0x00007FF6523C6000-memory.dmp	themida
behavioral2/memory/3672-135-0x00007FF651690000-0x00007FF6523C6000-memory.dmp	themida
behavioral2/memory/3672-136-0x00007FF651690000-0x00007FF6523C6000-memory.dmp	themida
behavioral2/memory/3672-137-0x00007FF651690000-0x00007FF6523C6000-memory.dmp	themida
behavioral2/memory/3672-138-0x00007FF651690000-0x00007FF6523C6000-memory.dmp	themida
behavioral2/memory/3672-139-0x00007FF651690000-0x00007FF6523C6000-memory.dmp	themida
behavioral2/memory/3672-140-0x00007FF651690000-0x00007FF6523C6000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

xvtOZIuNfu.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xvtOZIuNfu.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

xvtOZIuNfu.exe

pid process

3672 xvtOZIuNfu.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1104 3672 WerFault.exe xvtOZIuNfu.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

1948 vlc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

1948 vlc.exe
Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

vlc.exe

pid process

1948 vlc.exe
1948 vlc.exe
1948 vlc.exe
1948 vlc.exe
1948 vlc.exe
1948 vlc.exe
1948 vlc.exe
1948 vlc.exe
1948 vlc.exe
1948 vlc.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

vlc.exe

pid process

1948 vlc.exe
1948 vlc.exe
1948 vlc.exe
1948 vlc.exe
1948 vlc.exe
1948 vlc.exe
1948 vlc.exe
1948 vlc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

1948 vlc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xvtOZIuNfu.exe

pid	process
3672	xvtOZIuNfu.exe

pid	pid_target	process	target process
1104	3672	WerFault.exe	xvtOZIuNfu.exe

pid	process
1948	vlc.exe

pid	process
1948	vlc.exe

pid	process
1948	vlc.exe
1948	vlc.exe
1948	vlc.exe
1948	vlc.exe
1948	vlc.exe
1948	vlc.exe
1948	vlc.exe
1948	vlc.exe
1948	vlc.exe
1948	vlc.exe

pid	process
1948	vlc.exe
1948	vlc.exe
1948	vlc.exe
1948	vlc.exe
1948	vlc.exe
1948	vlc.exe
1948	vlc.exe
1948	vlc.exe

pid	process
1948	vlc.exe

C:\Users\Admin\AppData\Local\Temp\xvtOZIuNfu.exe
"C:\Users\Admin\AppData\Local\Temp\xvtOZIuNfu.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3672

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3672 -s 460
2⤵
- Program crash
PID:1104

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 360 -p 3672 -ip 3672
1⤵
PID:4660

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SearchUpdate.MTS"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1948-176-0x00007FFC45110000-0x00007FFC45121000-memory.dmp

Filesize
68KB

Download
memory/1948-168-0x00007FFC45310000-0x00007FFC45377000-memory.dmp

Filesize
412KB

Download
memory/1948-148-0x00007FFC470D0000-0x00007FFC47384000-memory.dmp

Filesize
2.7MB

Download
memory/1948-149-0x00007FFC48460000-0x00007FFC48478000-memory.dmp

Filesize
96KB

Download
memory/1948-151-0x00007FFC468D0000-0x00007FFC468E1000-memory.dmp

Filesize
68KB

Download
memory/1948-146-0x00007FF7DA6A0000-0x00007FF7DA798000-memory.dmp

Filesize
992KB

Download
memory/1948-200-0x00007FFC44640000-0x00007FFC44651000-memory.dmp

Filesize
68KB

Download
memory/1948-202-0x00007FFC44600000-0x00007FFC44611000-memory.dmp

Filesize
68KB

Download
memory/1948-150-0x00007FFC468F0000-0x00007FFC46907000-memory.dmp

Filesize
92KB

Download
memory/1948-152-0x00007FFC468B0000-0x00007FFC468C7000-memory.dmp

Filesize
92KB

Download
memory/1948-153-0x00007FFC46890000-0x00007FFC468A1000-memory.dmp

Filesize
68KB

Download
memory/1948-154-0x00007FFC46870000-0x00007FFC4688D000-memory.dmp

Filesize
116KB

Download
memory/1948-155-0x00007FFC46850000-0x00007FFC46861000-memory.dmp

Filesize
68KB

Download
memory/1948-175-0x00007FFC45130000-0x00007FFC45153000-memory.dmp

Filesize
140KB

Download
memory/1948-157-0x000001FD28970000-0x000001FD29A1B000-memory.dmp

Filesize
16.7MB

Download
memory/1948-158-0x00007FFC45240000-0x00007FFC4527F000-memory.dmp

Filesize
252KB

Download
memory/1948-159-0x00007FFC45550000-0x00007FFC45571000-memory.dmp

Filesize
132KB

Download
memory/1948-160-0x00007FFC46630000-0x00007FFC46648000-memory.dmp

Filesize
96KB

Download
memory/1948-161-0x00007FFC45530000-0x00007FFC45541000-memory.dmp

Filesize
68KB

Download
memory/1948-162-0x00007FFC45510000-0x00007FFC45521000-memory.dmp

Filesize
68KB

Download
memory/1948-163-0x00007FFC454F0000-0x00007FFC45501000-memory.dmp

Filesize
68KB

Download
memory/1948-164-0x00007FFC454D0000-0x00007FFC454EB000-memory.dmp

Filesize
108KB

Download
memory/1948-165-0x00007FFC454B0000-0x00007FFC454C1000-memory.dmp

Filesize
68KB

Download
memory/1948-166-0x00007FFC45490000-0x00007FFC454A8000-memory.dmp

Filesize
96KB

Download
memory/1948-167-0x00007FFC45460000-0x00007FFC45490000-memory.dmp

Filesize
192KB

Download
memory/1948-177-0x00007FFC453B0000-0x00007FFC453C2000-memory.dmp

Filesize
72KB

Download
memory/1948-169-0x00007FFC453F0000-0x00007FFC4545F000-memory.dmp

Filesize
444KB

Download
memory/1948-170-0x00007FFC453D0000-0x00007FFC453E1000-memory.dmp

Filesize
68KB

Download
memory/1948-171-0x00007FFC452B0000-0x00007FFC45306000-memory.dmp

Filesize
344KB

Download
memory/1948-172-0x00007FFC45380000-0x00007FFC453A8000-memory.dmp

Filesize
160KB

Download
memory/1948-173-0x00007FFC45280000-0x00007FFC452A4000-memory.dmp

Filesize
144KB

Download
memory/1948-174-0x00007FFC45160000-0x00007FFC45177000-memory.dmp

Filesize
92KB

Download
memory/1948-201-0x00007FFC44620000-0x00007FFC44631000-memory.dmp

Filesize
68KB

Download
memory/1948-156-0x00007FFC46650000-0x00007FFC46850000-memory.dmp

Filesize
2.0MB

Download
memory/1948-147-0x00007FFC47390000-0x00007FFC473C4000-memory.dmp

Filesize
208KB

Download
memory/1948-178-0x00007FFC45210000-0x00007FFC45231000-memory.dmp

Filesize
132KB

Download
memory/1948-179-0x00007FFC451F0000-0x00007FFC45203000-memory.dmp

Filesize
76KB

Download
memory/1948-180-0x00007FFC451D0000-0x00007FFC451E2000-memory.dmp

Filesize
72KB

Download
memory/1948-181-0x00007FFC44FD0000-0x00007FFC4510B000-memory.dmp

Filesize
1.2MB

Download
memory/1948-182-0x00007FFC451A0000-0x00007FFC451CC000-memory.dmp

Filesize
176KB

Download
memory/1948-183-0x00007FFC44E10000-0x00007FFC44FC2000-memory.dmp

Filesize
1.7MB

Download
memory/1948-184-0x00007FFC44AB0000-0x00007FFC44B0C000-memory.dmp

Filesize
368KB

Download
memory/1948-185-0x00007FFC45180000-0x00007FFC45191000-memory.dmp

Filesize
68KB

Download
memory/1948-186-0x00007FFC44D70000-0x00007FFC44E07000-memory.dmp

Filesize
604KB

Download
memory/1948-187-0x00007FFC44D50000-0x00007FFC44D62000-memory.dmp

Filesize
72KB

Download
memory/1948-188-0x00007FFC44B10000-0x00007FFC44D41000-memory.dmp

Filesize
2.2MB

Download
memory/1948-189-0x00007FFC44990000-0x00007FFC44AA2000-memory.dmp

Filesize
1.1MB

Download
memory/1948-190-0x00007FFC44950000-0x00007FFC44985000-memory.dmp

Filesize
212KB

Download
memory/1948-191-0x00007FFC44920000-0x00007FFC44945000-memory.dmp

Filesize
148KB

Download
memory/1948-192-0x00007FFC44900000-0x00007FFC44911000-memory.dmp

Filesize
68KB

Download
memory/1948-194-0x00007FFC44870000-0x00007FFC44881000-memory.dmp

Filesize
68KB

Download
memory/1948-193-0x00007FFC44890000-0x00007FFC448F1000-memory.dmp

Filesize
388KB

Download
memory/1948-195-0x00007FFC44850000-0x00007FFC44862000-memory.dmp

Filesize
72KB

Download
memory/1948-196-0x00007FFC44830000-0x00007FFC44843000-memory.dmp

Filesize
76KB

Download
memory/1948-197-0x00007FFC44790000-0x00007FFC4482F000-memory.dmp

Filesize
636KB

Download
memory/1948-198-0x00007FFC44770000-0x00007FFC44781000-memory.dmp

Filesize
68KB

Download
memory/1948-199-0x00007FFC44660000-0x00007FFC44762000-memory.dmp

Filesize
1.0MB

Download
memory/3672-133-0x00007FF651690000-0x00007FF6523C6000-memory.dmp

Filesize
13.2MB

Download
memory/3672-135-0x00007FF651690000-0x00007FF6523C6000-memory.dmp

Filesize
13.2MB

Download
memory/3672-134-0x00007FF651690000-0x00007FF6523C6000-memory.dmp

Filesize
13.2MB

Download
memory/3672-136-0x00007FF651690000-0x00007FF6523C6000-memory.dmp

Filesize
13.2MB

Download
memory/3672-137-0x00007FF651690000-0x00007FF6523C6000-memory.dmp

Filesize
13.2MB

Download
memory/3672-138-0x00007FF651690000-0x00007FF6523C6000-memory.dmp

Filesize
13.2MB

Download
memory/3672-139-0x00007FF651690000-0x00007FF6523C6000-memory.dmp

Filesize
13.2MB

Download
memory/3672-140-0x00007FF651690000-0x00007FF6523C6000-memory.dmp

Filesize
13.2MB

Download