dcd5b76de9828767e8acbfcf3be792fbd1b777651ca2e802294989bae7ddf1d9

Resubmissions

14/05/2023, 21:59

230514-1v4bzaga2y 9

14/05/2023, 20:19

230514-y38wbafg2z 9

Analysis

max time kernel
151s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2023, 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InvChanger/injector_imgui.exe
Size

3.4MB
MD5

00b703e2dd4b6080d4dcec7cab4373d6
SHA1

78a9621f44be60150f784b68c2e4367af07a3d1a
SHA256

2a673052ee30c8193ff3e03be32f980452e63695211080ab0513d84106db443c
SHA512

f0164eabdaed93be1218e5b68bfe86a025c0498585bc0d3b5057b8ebd58935330e338be06cfd6965863b0af9cc86298d935fe2f0ce3ed5bf3e576c812cde4d9f
SSDEEP

98304:Jt4igwu/cqS8jQ+zRwLjwqzMznCYG0U78p:JicqS4Q+Vw3VGG0a8p

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	injector_imgui.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	injector_imgui.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	injector_imgui.exe

Themida packer 20 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral4/memory/3764-133-0x0000000000D80000-0x000000000159B000-memory.dmp	themida
behavioral4/memory/3764-134-0x0000000000D80000-0x000000000159B000-memory.dmp	themida
behavioral4/memory/3764-136-0x0000000000D80000-0x000000000159B000-memory.dmp	themida
behavioral4/memory/3764-137-0x0000000000D80000-0x000000000159B000-memory.dmp	themida
behavioral4/memory/3764-138-0x0000000000D80000-0x000000000159B000-memory.dmp	themida
behavioral4/memory/3764-152-0x0000000000D80000-0x000000000159B000-memory.dmp	themida
behavioral4/memory/3764-153-0x0000000000D80000-0x000000000159B000-memory.dmp	themida
behavioral4/memory/3764-154-0x0000000000D80000-0x000000000159B000-memory.dmp	themida
behavioral4/memory/3764-155-0x0000000000D80000-0x000000000159B000-memory.dmp	themida
behavioral4/memory/3764-156-0x0000000000D80000-0x000000000159B000-memory.dmp	themida
behavioral4/memory/3764-157-0x0000000000D80000-0x000000000159B000-memory.dmp	themida
behavioral4/memory/3764-158-0x0000000000D80000-0x000000000159B000-memory.dmp	themida
behavioral4/memory/3764-159-0x0000000000D80000-0x000000000159B000-memory.dmp	themida
behavioral4/memory/3764-160-0x0000000000D80000-0x000000000159B000-memory.dmp	themida
behavioral4/memory/3764-161-0x0000000000D80000-0x000000000159B000-memory.dmp	themida
behavioral4/memory/3764-162-0x0000000000D80000-0x000000000159B000-memory.dmp	themida
behavioral4/memory/3764-163-0x0000000000D80000-0x000000000159B000-memory.dmp	themida
behavioral4/memory/3764-164-0x0000000000D80000-0x000000000159B000-memory.dmp	themida
behavioral4/memory/3764-165-0x0000000000D80000-0x000000000159B000-memory.dmp	themida
behavioral4/memory/3764-166-0x0000000000D80000-0x000000000159B000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	injector_imgui.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe
3764	injector_imgui.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3764	injector_imgui.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3764	injector_imgui.exe

C:\Users\Admin\AppData\Local\Temp\InvChanger\injector_imgui.exe
"C:\Users\Admin\AppData\Local\Temp\InvChanger\injector_imgui.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\3BE49DB41453FA8CD85E7B49F6C27A127813995F08346D443579AD1A3E8BBDD000[1].blob

Filesize
1.6MB

MD5
1783ed29e40fb68b6854166f0cb5e3a2

SHA1
2b39cf51e4dc37dda5b261d8be6685f79a8a62ce

SHA256
a8d9cb62596c85e3c48d259f941123cee62a3e7fa39f8aae3bfa88f671bad48f

SHA512
5db332e607a003f2aae739ee256fac927a5c3ea30593aa6cd605dff9fef6586ce62c8fa3c2384ddb5cf9bfcadec73866a840bb3375597bea39588d8faa7ee46d

Download Submit
memory/3764-156-0x0000000000D80000-0x000000000159B000-memory.dmp

Filesize
8.1MB

Download
memory/3764-136-0x0000000000D80000-0x000000000159B000-memory.dmp

Filesize
8.1MB

Download
memory/3764-137-0x0000000000D80000-0x000000000159B000-memory.dmp

Filesize
8.1MB

Download
memory/3764-138-0x0000000000D80000-0x000000000159B000-memory.dmp

Filesize
8.1MB

Download
memory/3764-134-0x0000000000D80000-0x000000000159B000-memory.dmp

Filesize
8.1MB

Download
memory/3764-152-0x0000000000D80000-0x000000000159B000-memory.dmp

Filesize
8.1MB

Download
memory/3764-153-0x0000000000D80000-0x000000000159B000-memory.dmp

Filesize
8.1MB

Download
memory/3764-154-0x0000000000D80000-0x000000000159B000-memory.dmp

Filesize
8.1MB

Download
memory/3764-133-0x0000000000D80000-0x000000000159B000-memory.dmp

Filesize
8.1MB

Download
memory/3764-155-0x0000000000D80000-0x000000000159B000-memory.dmp

Filesize
8.1MB

Download
memory/3764-159-0x0000000000D80000-0x000000000159B000-memory.dmp

Filesize
8.1MB

Download
memory/3764-158-0x0000000000D80000-0x000000000159B000-memory.dmp

Filesize
8.1MB

Download
memory/3764-157-0x0000000000D80000-0x000000000159B000-memory.dmp

Filesize
8.1MB

Download
memory/3764-160-0x0000000000D80000-0x000000000159B000-memory.dmp

Filesize
8.1MB

Download
memory/3764-161-0x0000000000D80000-0x000000000159B000-memory.dmp

Filesize
8.1MB

Download
memory/3764-162-0x0000000000D80000-0x000000000159B000-memory.dmp

Filesize
8.1MB

Download
memory/3764-163-0x0000000000D80000-0x000000000159B000-memory.dmp

Filesize
8.1MB

Download
memory/3764-164-0x0000000000D80000-0x000000000159B000-memory.dmp

Filesize
8.1MB

Download
memory/3764-165-0x0000000000D80000-0x000000000159B000-memory.dmp

Filesize
8.1MB

Download
memory/3764-166-0x0000000000D80000-0x000000000159B000-memory.dmp

Filesize
8.1MB

Download