86d04cd48601528014a0781d1d491e033f88c7ef30d016103d5a8c4c04b07d3f

Resubmissions

15/06/2023, 13:43

230615-q1ntcshd91 10

15/06/2023, 13:40

230615-qy1edahe32 10

15/06/2023, 12:34

230615-pr2s7agg72 10

Analysis

max time kernel
72s
max time network
79s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2023, 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Release-x64 (1).zip
Size

22.1MB
MD5

02308f5d3fd4d0dca0b1b84409124693
SHA1

35f50b2cb9fe936037c8ddf9533d25598e1568ad
SHA256

86d04cd48601528014a0781d1d491e033f88c7ef30d016103d5a8c4c04b07d3f
SHA512

bb4e486e88deab530ef0109821b428166e7c6c444a76fe89ef4e5473c2766918ded17683600c68b5844e889b53fbe2d5c17ad0e505c1dc988854003f23cde547
SSDEEP

393216:uve5n24qm5ASHAep8IBz15m5l5ObLC4u54hXl87Vy4QO5X4Lfut6jA66k:uW124n5ASHAedBRkQLC4u54mVy4QO5XO

Score

10^/10

evasion themida

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 3452 created 3164	3452	injector.exe	20
PID 3376 created 3164	3376	injector.exe	20
PID 3720 created 3164	3720	injector.exe	20

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GenshinImpact.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GenshinImpact.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GenshinImpact.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GenshinImpact.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GenshinImpact.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GenshinImpact.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GenshinImpact.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GenshinImpact.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GenshinImpact.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/3068-135-0x00007FFD36150000-0x00007FFD38A1E000-memory.dmp	themida
behavioral1/memory/3068-137-0x00007FFD36150000-0x00007FFD38A1E000-memory.dmp	themida
behavioral1/memory/3432-141-0x00007FFD2F2A0000-0x00007FFD31B6E000-memory.dmp	themida
behavioral1/memory/3432-146-0x00007FFD2F2A0000-0x00007FFD31B6E000-memory.dmp	themida
behavioral1/memory/1064-150-0x00007FFD2F2A0000-0x00007FFD31B6E000-memory.dmp	themida
behavioral1/memory/1064-155-0x00007FFD2F2A0000-0x00007FFD31B6E000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3068	GenshinImpact.exe
3432	GenshinImpact.exe
1064	GenshinImpact.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3952	3432	WerFault.exe	103
4576	1064	WerFault.exe	110

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	injector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	injector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	injector.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	injector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	injector.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	injector.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	injector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	injector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	injector.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	injector.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	injector.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	injector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	injector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	injector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	injector.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	injector.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	injector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	injector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	injector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	injector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	injector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	injector.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	injector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	injector.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	injector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "7"	injector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	injector.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	injector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	injector.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	injector.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	injector.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3452	injector.exe
3452	injector.exe
3376	injector.exe
3376	injector.exe
3432	GenshinImpact.exe
3432	GenshinImpact.exe
3432	GenshinImpact.exe
3432	GenshinImpact.exe
3720	injector.exe
3720	injector.exe
1064	GenshinImpact.exe
1064	GenshinImpact.exe
1064	GenshinImpact.exe
1064	GenshinImpact.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3452	injector.exe
3452	injector.exe
3068	GenshinImpact.exe
3376	injector.exe
3432	GenshinImpact.exe
3720	injector.exe
1064	GenshinImpact.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 3068	3452	injector.exe	96
PID 3452 wrote to memory of 3068	3452	injector.exe	96
PID 3452 wrote to memory of 3068	3452	injector.exe	96
PID 3376 wrote to memory of 3432	3376	injector.exe	103
PID 3376 wrote to memory of 3432	3376	injector.exe	103
PID 3376 wrote to memory of 3432	3376	injector.exe	103
PID 3720 wrote to memory of 1064	3720	injector.exe	110
PID 3720 wrote to memory of 1064	3720	injector.exe	110
PID 3720 wrote to memory of 1064	3720	injector.exe	110

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3164
- C:\Windows\Explorer.exe
  C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Release-x64 (1).zip"
  2⤵
  PID:2472
- C:\Users\Admin\Desktop\injector.exe
  "C:\Users\Admin\Desktop\injector.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3452
- C:\Users\Admin\Desktop\GenshinImpact.exe
  "C:\Users\Admin\Desktop\GenshinImpact.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:3068
- C:\Users\Admin\Desktop\injector.exe
  "C:\Users\Admin\Desktop\injector.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3376
- C:\Users\Admin\Desktop\GenshinImpact.exe
  "C:\Users\Admin\Desktop\GenshinImpact.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3432
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3432 -s 492
    3⤵
    - Program crash
    PID:3952
- C:\Users\Admin\Desktop\injector.exe
  "C:\Users\Admin\Desktop\injector.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3720
- C:\Users\Admin\Desktop\GenshinImpact.exe
  "C:\Users\Admin\Desktop\GenshinImpact.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1064
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1064 -s 480
    3⤵
    - Program crash
    PID:4576

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4632

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 3432 -ip 3432
1⤵
PID:2056

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 1064 -ip 1064
1⤵
PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\cfg.ini

Filesize
69B

MD5
c0b0087fa68d6fea7fbfbe063dd4bc54

SHA1
4aa3d30760d1e3cbb59f075b5a005bdbb45464cb

SHA256
9afa09fce8e63289512e3204b118665443b2956c2c92dde7cf925044b4ac73c4

SHA512
40ae37f6fa48fd3a343bcc6703a47b88d2e4f81fcf816b241c54988ce6f1fd0d6da2e4e15512299c952a6720aed92b7059dcbbde9671a6c8ee0fbb99d866080e

Download Submit
C:\Users\Admin\Desktop\cfg.ini

Filesize
114B

MD5
4168b7fb1245a796014490e08a0056e7

SHA1
90e1a1fc1f8170fe6fd580dabaa82b9b11dbc9dc

SHA256
c6b78e44b74442294133195e786c26c015ab008952e67fbbd508d387dc575b49

SHA512
a93230a90fd07d8ccc718c941d4a31af17a3eefe76713b037411d3ec2c32bddb0d383e78aca6930c410418e8315e0ce16845b44a3086fb5fe5e6cd726edbdb4f

Download Submit
C:\Users\Admin\Desktop\cfg.ini

Filesize
114B

MD5
4168b7fb1245a796014490e08a0056e7

SHA1
90e1a1fc1f8170fe6fd580dabaa82b9b11dbc9dc

SHA256
c6b78e44b74442294133195e786c26c015ab008952e67fbbd508d387dc575b49

SHA512
a93230a90fd07d8ccc718c941d4a31af17a3eefe76713b037411d3ec2c32bddb0d383e78aca6930c410418e8315e0ce16845b44a3086fb5fe5e6cd726edbdb4f

Download Submit
C:\Users\Admin\Desktop\cfg.ini

Filesize
114B

MD5
4168b7fb1245a796014490e08a0056e7

SHA1
90e1a1fc1f8170fe6fd580dabaa82b9b11dbc9dc

SHA256
c6b78e44b74442294133195e786c26c015ab008952e67fbbd508d387dc575b49

SHA512
a93230a90fd07d8ccc718c941d4a31af17a3eefe76713b037411d3ec2c32bddb0d383e78aca6930c410418e8315e0ce16845b44a3086fb5fe5e6cd726edbdb4f

Download Submit
C:\Users\Admin\Desktop\cfg.json

Filesize
111B

MD5
b29152e81b4614945d05f8b30275064a

SHA1
4a4101d21c2a16595725da204c3ffd2e10020b4c

SHA256
6ec9e31fd72824c942c2995a5f2e1c542d6579c64884ff0c9a335267f54ea461

SHA512
a0e8a9c1395a7e0c386990c1c2723055c7ddd83d876b9e4252eb7052e88a5e5c3a7718748f864aa79fdb4a4ea7727b7acf3eef568c68ad4ce41cb840ebd55ff2

Download Submit
C:\Users\Admin\Desktop\cfg.json

Filesize
109B

MD5
7a67ae5841bb83225b0a1997ce21e554

SHA1
81b8b2dd989cf5cadef88705ac924b0799a6087d

SHA256
4fde99e4ce00f147809c1162bdb3d139a76ae7c3f3d18f07eec3a4c32ace119d

SHA512
65d5c639a3e0ad4cc2699efa009590d5e66e63ce274ba5fecba75eb5f4c852f679078881356bf3f700efa73d7edd8cfbbd59c85090c1e71e83949bf01cf4164c

Download Submit
memory/1064-150-0x00007FFD2F2A0000-0x00007FFD31B6E000-memory.dmp

Filesize
40.8MB

Download
memory/1064-155-0x00007FFD2F2A0000-0x00007FFD31B6E000-memory.dmp

Filesize
40.8MB

Download
memory/3068-135-0x00007FFD36150000-0x00007FFD38A1E000-memory.dmp

Filesize
40.8MB

Download
memory/3068-137-0x00007FFD36150000-0x00007FFD38A1E000-memory.dmp

Filesize
40.8MB

Download
memory/3432-141-0x00007FFD2F2A0000-0x00007FFD31B6E000-memory.dmp

Filesize
40.8MB

Download
memory/3432-146-0x00007FFD2F2A0000-0x00007FFD31B6E000-memory.dmp

Filesize
40.8MB

Download