86d04cd48601528014a0781d1d491e033f88c7ef30d016103d5a8c4c04b07d3f | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

7

HoYoKProtect.dll

windows10-2004-x64

9

injector.exe

windows10-2004-x64

Sharing

General

Target

Release-x64 (1).zip
Size

22.1MB
Sample

230615-pn2zsagg6v
MD5

02308f5d3fd4d0dca0b1b84409124693
SHA1

35f50b2cb9fe936037c8ddf9533d25598e1568ad
SHA256

86d04cd48601528014a0781d1d491e033f88c7ef30d016103d5a8c4c04b07d3f
SHA512

bb4e486e88deab530ef0109821b428166e7c6c444a76fe89ef4e5473c2766918ded17683600c68b5844e889b53fbe2d5c17ad0e505c1dc988854003f23cde547
SSDEEP

393216:uve5n24qm5ASHAep8IBz15m5l5ObLC4u54hXl87Vy4QO5X4Lfut6jA66k:uW124n5ASHAedBRkQLC4u54mVy4QO5XO

Score

10^/10

evasion themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

HoYoKProtect.dll

Resource

win10v2004-20230220-en

evasion themida trojan

windows10-2004-x64

6 signatures

1800 seconds

Behavioral task

behavioral2

Sample

injector.exe

Resource

win10v2004-20230220-en

evasion themida

windows10-2004-x64

12 signatures

1800 seconds

Malware Config

Targets

- Target
  
  HoYoKProtect.dll
- Size
  
  35.2MB
- MD5
  
  e5d96d21d67f7bad6c322e38ad07f923
- SHA1
  
  e9522287a4899f2c635705d93c5791986fd34461
- SHA256
  
  ce013c6c0390979c05021d83edac4fbce3aaed26bd3b5a4b38ad64fb50871826
- SHA512
  
  f1772609552e1d39f4feb2e2fab9bb6738e4f1761843b7bdb59fc6ddb5c72d784ce024860f5b1da44daa840626018efbacd8cbd5320fe61cbf27145d3708c760
- SSDEEP
  
  786432:RmJR64tcoCK+n6dw2Ptc5qWiTBW8PvyCA51rwigv:RO4K+n69RA8iCA70d
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  injector.exe
- Size
  
  895KB
- MD5
  
  625cccce906ba1efeb397aa4cfb29fb1
- SHA1
  
  63428046620eb25022f0dd049a9c425ae6aaad0c
- SHA256
  
  c6d4ca13c529a0b7a808f46c35543d63518f8edf27e308fecbf142057437076c
- SHA512
  
  89e0c78b1c68725496ad88b2f2bd4387dd2a9246c689702669ea32072494333553271db05958e534f8001c50eb58f9d81d1a5262b1023bb4caf156c834fbad9a
- SSDEEP
  
  12288:qDdBrBoEvs6TnSEl1yt6zzng0Lw5sK9k5gfwhbAwJSPFHPx3Z9HZCDQM:0PdoGtRnK9k5gfwhbXJSPFvhZ95CDN
Score

10^/10

evasion themida
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionthemidatrojan

behavioral2

© 2018-2025

Terms | Privacy