Analysis

  • max time kernel
    150s
  • max time network
    100s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-05-2023 19:27

General

  • Target

    ChancewareLoader_protected.exe

  • Size

    3.5MB

  • MD5

    2fd02a613b3b0f443d17b1bb7e08a9ed

  • SHA1

    ebf9e2f97d84cc64e92eddc7cfdf27ecacfff0e6

  • SHA256

    a000d3f43e0cc949731179ea43999103f1f582e6b56d677891f7c2126d5b0ffd

  • SHA512

    69508eb88195ca17981dbe8842589e9d79ec467110d87502af51107a0bfe85d0c9f7ec2c6a990ef41f96c9c68a151b0404eebb68245b7ec0373a368391d8b0df

  • SSDEEP

    49152:jm34svMV6WtqWNT0ygjoHMOT7jEuYKMbMNstqdsliIWu9DMsneS8ij9R7dGLT+Ao:KvgTscH37Q/KMbEyHzneLijnkTf84G0I

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 8 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ChancewareLoader_protected.exe
    "C:\Users\Admin\AppData\Local\Temp\ChancewareLoader_protected.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ChancewareLoader_protected.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ChancewareLoader_protected.exe" MD5
        3⤵
        PID:1480
      • C:\Windows\system32\find.exe
        find /i /v "md5"
        3⤵
        PID:556
      • C:\Windows\system32\find.exe
        find /i /v "certutil"
        3⤵
        PID:1040

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1748-54-0x000000013FA30000-0x00000001403AE000-memory.dmp
    Filesize 9.5MB
  • memory/1748-55-0x000000013FA30000-0x00000001403AE000-memory.dmp
    Filesize 9.5MB
  • memory/1748-57-0x000000013FA30000-0x00000001403AE000-memory.dmp
    Filesize 9.5MB
  • memory/1748-56-0x000000013FA30000-0x00000001403AE000-memory.dmp
    Filesize 9.5MB
  • memory/1748-58-0x000000013FA30000-0x00000001403AE000-memory.dmp
    Filesize 9.5MB
  • memory/1748-59-0x000000013FA30000-0x00000001403AE000-memory.dmp
    Filesize 9.5MB
  • memory/1748-63-0x000000013FA30000-0x00000001403AE000-memory.dmp
    Filesize 9.5MB
  • memory/1748-66-0x000000013FA30000-0x00000001403AE000-memory.dmp
    Filesize 9.5MB