cd5d681f249663dde55b694693ead4e63ff1d626e5db57975aeaa41e65205c37

General

Target

TwentyApp.exe
Size

3.3MB
MD5

5e2b1df5effbe5123eeff6752af2ca59
SHA1

2e1597b42c40155aa4f56ed708ea4aeb2a5d8698
SHA256

cd5d681f249663dde55b694693ead4e63ff1d626e5db57975aeaa41e65205c37
SHA512

e1ce42dbea6940dbf883ba32f4e934dce2803606a3109369ddfc9cf47e89d82f4f6fcb1854a0745a0e4cb0ad1e095627f35c03a06fa5f42693638039b58698c2
SSDEEP

98304:mZgO4UAJkCxZt3e0Y6qRlp5CNMqMDstLS7cqjAny:mZg3JlB3gXRlpkMqUM6cqjo

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

TwentyApp.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ TwentyApp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TwentyApp.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TwentyApp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TwentyApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TwentyApp.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1388-57-0x00000000001C0000-0x0000000000A86000-memory.dmp	themida
behavioral1/memory/1388-58-0x00000000001C0000-0x0000000000A86000-memory.dmp	themida
behavioral1/memory/1388-90-0x00000000001C0000-0x0000000000A86000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

TwentyApp.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA TwentyApp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TwentyApp.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

TwentyApp.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	TwentyApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	TwentyApp.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1916 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

648 powershell.exe
552 powershell.exe

pid	process
1916	NOTEPAD.EXE

pid	process
648	powershell.exe
552	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

TwentyApp.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	1388	TwentyApp.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeShutdownPrivilege	1900	powercfg.exe
Token: SeShutdownPrivilege	2000	powercfg.exe
Token: SeShutdownPrivilege	1568	powercfg.exe
Token: SeShutdownPrivilege	2020	powercfg.exe
Token: SeShutdownPrivilege	1792	powercfg.exe
Token: SeShutdownPrivilege	1092	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TwentyApp.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1388 wrote to memory of 1772	1388	TwentyApp.exe	cmd.exe
PID 1388 wrote to memory of 1772	1388	TwentyApp.exe	cmd.exe
PID 1388 wrote to memory of 1772	1388	TwentyApp.exe	cmd.exe
PID 1388 wrote to memory of 1772	1388	TwentyApp.exe	cmd.exe
PID 1772 wrote to memory of 648	1772	cmd.exe	powershell.exe
PID 1772 wrote to memory of 648	1772	cmd.exe	powershell.exe
PID 1772 wrote to memory of 648	1772	cmd.exe	powershell.exe
PID 1772 wrote to memory of 648	1772	cmd.exe	powershell.exe
PID 1388 wrote to memory of 944	1388	TwentyApp.exe	cmd.exe
PID 1388 wrote to memory of 944	1388	TwentyApp.exe	cmd.exe
PID 1388 wrote to memory of 944	1388	TwentyApp.exe	cmd.exe
PID 1388 wrote to memory of 944	1388	TwentyApp.exe	cmd.exe
PID 944 wrote to memory of 552	944	cmd.exe	powershell.exe
PID 944 wrote to memory of 552	944	cmd.exe	powershell.exe
PID 944 wrote to memory of 552	944	cmd.exe	powershell.exe
PID 944 wrote to memory of 552	944	cmd.exe	powershell.exe
PID 944 wrote to memory of 1816	944	cmd.exe	cmd.exe
PID 944 wrote to memory of 1816	944	cmd.exe	cmd.exe
PID 944 wrote to memory of 1816	944	cmd.exe	cmd.exe
PID 944 wrote to memory of 1816	944	cmd.exe	cmd.exe
PID 1816 wrote to memory of 1900	1816	cmd.exe	powercfg.exe
PID 1816 wrote to memory of 1900	1816	cmd.exe	powercfg.exe
PID 1816 wrote to memory of 1900	1816	cmd.exe	powercfg.exe
PID 1816 wrote to memory of 1900	1816	cmd.exe	powercfg.exe
PID 944 wrote to memory of 1712	944	cmd.exe	cmd.exe
PID 944 wrote to memory of 1712	944	cmd.exe	cmd.exe
PID 944 wrote to memory of 1712	944	cmd.exe	cmd.exe
PID 944 wrote to memory of 1712	944	cmd.exe	cmd.exe
PID 1712 wrote to memory of 1756	1712	cmd.exe	cmd.exe
PID 1712 wrote to memory of 1756	1712	cmd.exe	cmd.exe
PID 1712 wrote to memory of 1756	1712	cmd.exe	cmd.exe
PID 1712 wrote to memory of 1756	1712	cmd.exe	cmd.exe
PID 1712 wrote to memory of 1908	1712	cmd.exe	findstr.exe
PID 1712 wrote to memory of 1908	1712	cmd.exe	findstr.exe
PID 1712 wrote to memory of 1908	1712	cmd.exe	findstr.exe
PID 1712 wrote to memory of 1908	1712	cmd.exe	findstr.exe
PID 944 wrote to memory of 2000	944	cmd.exe	powercfg.exe
PID 944 wrote to memory of 2000	944	cmd.exe	powercfg.exe
PID 944 wrote to memory of 2000	944	cmd.exe	powercfg.exe
PID 944 wrote to memory of 2000	944	cmd.exe	powercfg.exe
PID 944 wrote to memory of 1612	944	cmd.exe	cmd.exe
PID 944 wrote to memory of 1612	944	cmd.exe	cmd.exe
PID 944 wrote to memory of 1612	944	cmd.exe	cmd.exe
PID 944 wrote to memory of 1612	944	cmd.exe	cmd.exe
PID 1612 wrote to memory of 1568	1612	cmd.exe	powercfg.exe
PID 1612 wrote to memory of 1568	1612	cmd.exe	powercfg.exe
PID 1612 wrote to memory of 1568	1612	cmd.exe	powercfg.exe
PID 1612 wrote to memory of 1568	1612	cmd.exe	powercfg.exe
PID 944 wrote to memory of 2020	944	cmd.exe	powercfg.exe
PID 944 wrote to memory of 2020	944	cmd.exe	powercfg.exe
PID 944 wrote to memory of 2020	944	cmd.exe	powercfg.exe
PID 944 wrote to memory of 2020	944	cmd.exe	powercfg.exe
PID 944 wrote to memory of 1792	944	cmd.exe	powercfg.exe
PID 944 wrote to memory of 1792	944	cmd.exe	powercfg.exe
PID 944 wrote to memory of 1792	944	cmd.exe	powercfg.exe
PID 944 wrote to memory of 1792	944	cmd.exe	powercfg.exe
PID 944 wrote to memory of 1092	944	cmd.exe	powercfg.exe
PID 944 wrote to memory of 1092	944	cmd.exe	powercfg.exe
PID 944 wrote to memory of 1092	944	cmd.exe	powercfg.exe
PID 944 wrote to memory of 1092	944	cmd.exe	powercfg.exe
PID 1388 wrote to memory of 1916	1388	TwentyApp.exe	NOTEPAD.EXE
PID 1388 wrote to memory of 1916	1388	TwentyApp.exe	NOTEPAD.EXE
PID 1388 wrote to memory of 1916	1388	TwentyApp.exe	NOTEPAD.EXE
PID 1388 wrote to memory of 1916	1388	TwentyApp.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\TwentyApp.exe
"C:\Users\Admin\AppData\Local\Temp\TwentyApp.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C PowerShell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempTest.ps1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempTest.ps1"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\\tempFile.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1012060155208282172/1075934313662644224/BitsumHighestPerformance.pow' -OutFile 'C:\Users\Admin\AppData\Local\Temp\powerplan.pow'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powercfg import C:\Users\Admin\AppData\Local\Temp\powerplan.pow
3⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\powercfg.exe
powercfg import C:\Users\Admin\AppData\Local\Temp\powerplan.pow
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo | findstr /C:"GUID:"
3⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "
4⤵
PID:1756

C:\Windows\SysWOW64\findstr.exe
findstr /C:"GUID:"
4⤵
PID:1908

C:\Windows\SysWOW64\powercfg.exe
powercfg setactive =
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powercfg /l
3⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\powercfg.exe
powercfg /l
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\SysWOW64\powercfg.exe
powercfg /delete 381b4222-f694-41f0-9685-ff5bb260df2e
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SysWOW64\powercfg.exe
powercfg /delete 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\SysWOW64\powercfg.exe
powercfg /delete a1841308-3541-4fab-bc81-f71556f20b4a
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\gracias.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:1916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gracias.txt
Filesize
197B

MD5
f09d5847eccbfdd8a2a04df5ce0470aa

SHA1
e59cb73b953f47ecf57551e640d5a10db5e244b9

SHA256
66bdeebf85948d9e558a4a28d91bd9fc5a8d146a3f9ec17f913955788db2e61b

SHA512
4165aa01640d5660d3def9b287bfde30a534341c217d5b8adb754bb2e10ee017ae14fbb73e5e43025dde987ad18cf4b893529d279be0820be759d70c8fe3407f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempFile.bat
Filesize
898B

MD5
f2976acd4e0dfcbff62b3994ad0182a6

SHA1
4b0f299d9e000a8629d7b4089f3460ef7458bbc0

SHA256
b7ea575b6660463b4a60b495d66e4ccd9d25cca60dab20eaecb424f2ab4d72f2

SHA512
b5369670e5b9abc350c958475745e5cd9bc45fe3355630945368b5a0fca6e264ba58c076271807998ea487c9cf50489fa87c710286ef9e95b6c49a9d0a453126

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempFile.bat
Filesize
898B

MD5
f2976acd4e0dfcbff62b3994ad0182a6

SHA1
4b0f299d9e000a8629d7b4089f3460ef7458bbc0

SHA256
b7ea575b6660463b4a60b495d66e4ccd9d25cca60dab20eaecb424f2ab4d72f2

SHA512
b5369670e5b9abc350c958475745e5cd9bc45fe3355630945368b5a0fca6e264ba58c076271807998ea487c9cf50489fa87c710286ef9e95b6c49a9d0a453126

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4BT37GG89ABXJOTX39DQ.temp
Filesize
7KB

MD5
31ed514d26db9d44b35ddbfa2b2b580f

SHA1
10469b62f56c313c074f1fe3889ac8914327040c

SHA256
90dc127f2969433bea0ac57e0fbe835e47cc397f37bcbf36cfa3cee8ec6dfbb8

SHA512
3ca4de31fbe66a899e45d696394852aaf0888a7bc16617fbfa12917de0e2ff85dabe07fa0cc0202fb0673c65f582b2595b4875a64c0edf7923ad58af53cfb716

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
31ed514d26db9d44b35ddbfa2b2b580f

SHA1
10469b62f56c313c074f1fe3889ac8914327040c

SHA256
90dc127f2969433bea0ac57e0fbe835e47cc397f37bcbf36cfa3cee8ec6dfbb8

SHA512
3ca4de31fbe66a899e45d696394852aaf0888a7bc16617fbfa12917de0e2ff85dabe07fa0cc0202fb0673c65f582b2595b4875a64c0edf7923ad58af53cfb716

Download Submit
memory/648-69-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/1388-57-0x00000000001C0000-0x0000000000A86000-memory.dmp

Filesize
8.8MB

Download
memory/1388-58-0x00000000001C0000-0x0000000000A86000-memory.dmp

Filesize
8.8MB

Download
memory/1388-59-0x0000000005170000-0x00000000051B0000-memory.dmp

Filesize
256KB

Download
memory/1388-60-0x0000000005170000-0x00000000051B0000-memory.dmp

Filesize
256KB

Download
memory/1388-62-0x00000000001C0000-0x0000000000A86000-memory.dmp

Filesize
8.8MB

Download
memory/1388-90-0x00000000001C0000-0x0000000000A86000-memory.dmp

Filesize
8.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads