44e785aa685da593f0f4e98c773948c101e42f655e5b8f84d2d445d53851b498

Analysis

max time kernel
72s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2023, 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe
Size

3.9MB
MD5

29d48c1a6adcb603baedeb81ecb746a2
SHA1

65a8cdb82e062ec5bb93465525e8d7b7f7e1761b
SHA256

5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76
SHA512

3aed36bd734fa90c2ff741af23deef52f17d764a66bd59319ace7193baf1fa44090179e5c907720e112c1741fcf2c25f0d088682ba37c8a93c003512a64b134f
SSDEEP

98304:4LrEGCBmFA+vgV4jjoNEZ2XyvgrpZsMSmI7+RAzI0:4HErBiA464jcNEAXWgrpZsMSD7+h0

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/2176-136-0x0000000000F00000-0x000000000188E000-memory.dmp	themida
behavioral2/memory/2176-137-0x0000000000F00000-0x000000000188E000-memory.dmp	themida
behavioral2/memory/2176-149-0x0000000000F00000-0x000000000188E000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2176	5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4020	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2176	5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe
2176	5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe
2176	5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe
2176	5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe
2176	5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 224	2176	5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe	91
PID 2176 wrote to memory of 224	2176	5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe	91
PID 2176 wrote to memory of 224	2176	5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe	91
PID 224 wrote to memory of 4020	224	cmd.exe	93
PID 224 wrote to memory of 4020	224	cmd.exe	93
PID 224 wrote to memory of 4020	224	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe
"C:\Users\Admin\AppData\Local\Temp\5b401c1e2d29dc0d4ea552f872adcba2db55e85182cdfc86e955a6b12d580f76.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp96B7.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:4020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp96B7.tmp.bat

Filesize
326B

MD5
5caaee05881b4e2968943c96cf929ba5

SHA1
11eb243c48b440b58d20d702d62e478cad36e704

SHA256
eeca99cf84f6225363bcefb7e3cd4d72bc4384bbf596ce228e8b3d5e40189399

SHA512
788de9b25ce535ce841ee95796b95de09743c0af441c51912b13e419e17cd2857c9be089f5953c1a7897428a3ec8fd507dd8b3548eb1dc30546a613d60fafe98

Download Submit
memory/2176-133-0x0000000000F00000-0x000000000188E000-memory.dmp

Filesize
9.6MB

Download
memory/2176-136-0x0000000000F00000-0x000000000188E000-memory.dmp

Filesize
9.6MB

Download
memory/2176-137-0x0000000000F00000-0x000000000188E000-memory.dmp

Filesize
9.6MB

Download
memory/2176-139-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/2176-140-0x0000000003120000-0x0000000003130000-memory.dmp

Filesize
64KB

Download
memory/2176-147-0x0000000000F00000-0x000000000188E000-memory.dmp

Filesize
9.6MB

Download
memory/2176-149-0x0000000000F00000-0x000000000188E000-memory.dmp

Filesize
9.6MB

Download