Resubmissions

03/07/2023, 16:37

230703-t42feahb49 10

Analysis

  • max time kernel: 39s
  • max time network: 23s
  • platform: windows10-1703_x64
  • resource: win10-20230703-en
  • resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
  • submitted: 03/07/2023, 16:37

General

  • Target: Midnight.exe
  • Size: 8.1MB
  • MD5: 6f11c5992143140763a08fefa9d84f21
  • SHA1: 713974e0aa9a2f75033de31347ac4197cede11c6
  • SHA256: f2fa9c083abe324d132d6e687caf1b7f5825e9a12dc6e2dd9ff40cf3aebafb03
  • SHA512: 9929f0aff403a317f8946285aef94b42fab6451f39dd206017977b7770c7eaab6672cc351fe164057a66c228e972fbca6766b820c9210c7777a6da5ac1bf29c0
  • SSDEEP: 196608:VQZxXEzlHtUwN2mRpnJWjLHXenG2KWpHFNRAnBdC:+XKlCNmvg3engKHCvC

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Themida packer 8 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3204
      • C:\Users\Admin\AppData\Local\Temp\Midnight.exe
        "C:\Users\Admin\AppData\Local\Temp\Midnight.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1804
        • C:\Users\Admin\AppData\Roaming\Update.exe
          C:\Users\Admin\AppData\Roaming\Update.exe
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:4524
        • C:\Users\Admin\AppData\Roaming\Launcher.exe
          C:\Users\Admin\AppData\Roaming\Launcher.exe
          3⤵
          • Executes dropped EXE
          PID:3584
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        2⤵
          PID:3972

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Launcher.exe
    Filesize: 7.8MB
    MD5: af1416415d2f697786e4949f769078d0
    SHA1: 94db52ed6eae961b9bbfb7631b012ab74795e625
    SHA256: 37a40c467491c0fc49d17bf68125e94f7f4eb3a9f5210748be26a2cd7db54c38
    SHA512: 68bd98bd7974115cd64f3ca7f6829730beadf759998a154ee18028176fc72f8f7f3eb8c1caf1d9d05d16a8588a6d04fdfe66031421323be4eef362b47ee49a6b

  • C:\Users\Admin\AppData\Roaming\Update.exe
    Filesize: 201.6MB
    MD5: 18cc68c9b3489591eb172c5dd0c9cdf8
    SHA1: ef3a54eeb9e2995267653a48f593ea0b39d9c321
    SHA256: 73b8e5f0223f9227bd9bb78b8c3215f4b90fd2b07940119db8bff7c86d5ae53e
    SHA512: 7694a1c02e2583bcceab3d8fd81afa5cdf9620ea018e36695216c7dd1976b33001dbb2efa6907f759943a5dcfd8f79c947544f0708655beca0d4f2876e042298

  • memory/4524-125-0x00007FF64A9F0000-0x00007FF64B5F5000-memory.dmp (Filesize: 12.0MB)
  • memory/4524-126-0x00007FF64A9F0000-0x00007FF64B5F5000-memory.dmp (Filesize: 12.0MB)
  • memory/4524-128-0x00007FF64A9F0000-0x00007FF64B5F5000-memory.dmp (Filesize: 12.0MB)
  • memory/4524-129-0x00007FF64A9F0000-0x00007FF64B5F5000-memory.dmp (Filesize: 12.0MB)
  • memory/4524-130-0x00007FF64A9F0000-0x00007FF64B5F5000-memory.dmp (Filesize: 12.0MB)
  • memory/4524-131-0x00007FF64A9F0000-0x00007FF64B5F5000-memory.dmp (Filesize: 12.0MB)
  • memory/4524-132-0x00007FF64A9F0000-0x00007FF64B5F5000-memory.dmp (Filesize: 12.0MB)