e82621503a51dbb8986725217c2dd391df39711e6ccbbb68d93eb8df1e3a5c18

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15-08-2023 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tax2.exe
Size

9.4MB
MD5

1d0ba5029590e6d2b74b7e5fab8df1a8
SHA1

82bfe6dd1348411b248bcd9df87d7701e5f36070
SHA256

e82621503a51dbb8986725217c2dd391df39711e6ccbbb68d93eb8df1e3a5c18
SHA512

bc94e999a15fdb54eb72137894c09039081a3b92cdaa1f6a1785754ef65f6810222ba8b8adf1e5cb18ed71f4ac760347b8ddca24abed520b4b0ef7f820d37592
SSDEEP

196608:NbVhMIVoOezLknhHslZUKsXO72JBZdAahL1FHvmvqUl6trJB:hVhMg8ahHB16aFHvgqy6trJB

Score

7^/10

themida vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2776	sg.tmp
2820	medge.exe

Loads dropped DLL 3 IoCs

pid	Process
2592	tax2.exe
2412	Process not Found
2820	medge.exe

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2592-54-0x0000000140000000-0x0000000140BB1000-memory.dmp	themida
behavioral1/memory/2592-56-0x0000000140000000-0x0000000140BB1000-memory.dmp	themida
behavioral1/memory/2592-57-0x0000000140000000-0x0000000140BB1000-memory.dmp	themida
behavioral1/memory/2592-58-0x0000000140000000-0x0000000140BB1000-memory.dmp	themida
behavioral1/memory/2592-59-0x0000000140000000-0x0000000140BB1000-memory.dmp	themida
behavioral1/memory/2336-68-0x0000000140000000-0x0000000140BB1000-memory.dmp	themida
behavioral1/memory/2336-67-0x0000000140000000-0x0000000140BB1000-memory.dmp	themida
behavioral1/memory/2336-69-0x0000000140000000-0x0000000140BB1000-memory.dmp	themida
behavioral1/memory/2336-71-0x0000000140000000-0x0000000140BB1000-memory.dmp	themida
behavioral1/memory/2592-73-0x0000000140000000-0x0000000140BB1000-memory.dmp	themida
behavioral1/memory/2336-72-0x0000000140000000-0x0000000140BB1000-memory.dmp	themida
behavioral1/memory/2592-75-0x0000000140000000-0x0000000140BB1000-memory.dmp	themida
behavioral1/memory/2336-77-0x0000000140000000-0x0000000140BB1000-memory.dmp	themida
behavioral1/memory/2592-941-0x0000000140000000-0x0000000140BB1000-memory.dmp	themida

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0007000000015bf8-98.dat	vmprotect
behavioral1/files/0x0007000000015bf8-101.dat	vmprotect
behavioral1/memory/2820-102-0x0000000010000000-0x00000000101C7000-memory.dmp	vmprotect
behavioral1/memory/2820-103-0x0000000010000000-0x00000000101C7000-memory.dmp	vmprotect
behavioral1/memory/2820-8803-0x0000000010000000-0x00000000101C7000-memory.dmp	vmprotect
behavioral1/memory/2820-8804-0x0000000010000000-0x00000000101C7000-memory.dmp	vmprotect
behavioral1/memory/2820-8810-0x0000000010000000-0x00000000101C7000-memory.dmp	vmprotect
behavioral1/memory/2820-8817-0x0000000010000000-0x00000000101C7000-memory.dmp	vmprotect

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	medge.exe
File opened (read-only)	\??\K:	medge.exe
File opened (read-only)	\??\Q:	medge.exe
File opened (read-only)	\??\G:	medge.exe
File opened (read-only)	\??\O:	medge.exe
File opened (read-only)	\??\T:	medge.exe
File opened (read-only)	\??\Y:	medge.exe
File opened (read-only)	\??\Z:	medge.exe
File opened (read-only)	\??\I:	medge.exe
File opened (read-only)	\??\M:	medge.exe
File opened (read-only)	\??\N:	medge.exe
File opened (read-only)	\??\R:	medge.exe
File opened (read-only)	\??\U:	medge.exe
File opened (read-only)	\??\L:	medge.exe
File opened (read-only)	\??\E:	medge.exe
File opened (read-only)	\??\H:	medge.exe
File opened (read-only)	\??\P:	medge.exe
File opened (read-only)	\??\S:	medge.exe
File opened (read-only)	\??\V:	medge.exe
File opened (read-only)	\??\W:	medge.exe
File opened (read-only)	\??\X:	medge.exe
File opened (read-only)	\??\B:	medge.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2592	tax2.exe
2336	tax2.exe
2820	medge.exe
2820	medge.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Silverlighte\medge.exe	sg.tmp
File created	C:\Program Files (x86)\Microsoft Silverlighte\SmadHook32.dll	sg.tmp
File created	C:\Program Files (x86)\Microsoft Silverlighte\xir.exe	sg.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Silverlighte\xir.exe	sg.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Silverlighte\medge.exe	tax2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Silverlighte\SmadHook32.dll	tax2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Silverlighte	tax2.exe
File created	C:\Program Files (x86)\Microsoft Silverlighte\medge.exe	sg.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Silverlighte\SmadHook32.dll	sg.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Silverlighte\xir.exe	tax2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2820	medge.exe
2820	medge.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeBackupPrivilege	2592	tax2.exe
Token: SeRestorePrivilege	2592	tax2.exe
Token: 33	2592	tax2.exe
Token: SeIncBasePriorityPrivilege	2592	tax2.exe
Token: SeCreateGlobalPrivilege	2592	tax2.exe
Token: 33	2592	tax2.exe
Token: SeIncBasePriorityPrivilege	2592	tax2.exe
Token: 33	2592	tax2.exe
Token: SeIncBasePriorityPrivilege	2592	tax2.exe
Token: SeBackupPrivilege	2336	tax2.exe
Token: SeRestorePrivilege	2336	tax2.exe
Token: 33	2336	tax2.exe
Token: SeIncBasePriorityPrivilege	2336	tax2.exe
Token: 33	2592	tax2.exe
Token: SeIncBasePriorityPrivilege	2592	tax2.exe
Token: SeRestorePrivilege	2776	sg.tmp
Token: 35	2776	sg.tmp
Token: SeSecurityPrivilege	2776	sg.tmp
Token: SeSecurityPrivilege	2776	sg.tmp
Token: 33	2592	tax2.exe
Token: SeIncBasePriorityPrivilege	2592	tax2.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 1508	2592	tax2.exe	28
PID 2592 wrote to memory of 1508	2592	tax2.exe	28
PID 2592 wrote to memory of 1508	2592	tax2.exe	28
PID 2592 wrote to memory of 2336	2592	tax2.exe	30
PID 2592 wrote to memory of 2336	2592	tax2.exe	30
PID 2592 wrote to memory of 2336	2592	tax2.exe	30
PID 2592 wrote to memory of 2776	2592	tax2.exe	31
PID 2592 wrote to memory of 2776	2592	tax2.exe	31
PID 2592 wrote to memory of 2776	2592	tax2.exe	31
PID 2592 wrote to memory of 2820	2592	tax2.exe	33
PID 2592 wrote to memory of 2820	2592	tax2.exe	33
PID 2592 wrote to memory of 2820	2592	tax2.exe	33
PID 2592 wrote to memory of 2820	2592	tax2.exe	33

C:\Users\Admin\AppData\Local\Temp\tax2.exe
"C:\Users\Admin\AppData\Local\Temp\tax2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:1508
- C:\Users\Admin\AppData\Local\Temp\tax2.exe
  PECMD**pecmd-cmd* PUTF -dd -skipb=5125120 -len=4697418 "C:\Users\Admin\AppData\Local\Temp\~1143031530174639737.tmp",,C:\Users\Admin\AppData\Local\Temp\tax2.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\~7293658929522921785~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~1143031530174639737.tmp" -y -aos -o"C:\Program Files (x86)\Microsoft Silverlighte" -psMx8I9DtD9bmbxpmTWuHxRmwhZXq0iv7TqkKXpWcSTURDdZqEQVO13x
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Program Files (x86)\Microsoft Silverlighte\medge.exe
  "C:\Program Files (x86)\Microsoft Silverlighte\medge.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2820

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Silverlighte\SmadHook32.dll

Filesize
832KB

MD5
56d6cfe8df69e0caf27ea087db63b716

SHA1
5794014ddec2adfe6917cc18a878d977a928477d

SHA256
4102a0c9118c27f5ebb282224a8f85f7a584f80180c0e6c2b87663c5b1873b4c

SHA512
9f7282de1be48f17c3f5922a61a4582cb9e766bae83d073573fdb1591ccb241416855bf929be4c43524a635158d08094ffd275894a3234c1a0c13807769cef06

Download Submit
C:\Program Files (x86)\Microsoft Silverlighte\medge.exe

Filesize
77KB

MD5
b830cd1b49bd31bcdb6192c20cf0b141

SHA1
b9629fdd735956772e9a3ceedcdb829bba6f8a43

SHA256
21d34a02ec28e9bd6f7b2f96ac7921f5ef08d291416b38a3fc8cf651f11fc820

SHA512
0ffef5b2681e57d3586b878bbf174a667423cd30e75a7f4ef60910922b2f9e3e02af309a7c3f15b70a42b747445513df43ce651dcb85bec7b94bfed6a7704ccd

Download Submit
C:\Program Files (x86)\Microsoft Silverlighte\medge.exe

Filesize
77KB

MD5
b830cd1b49bd31bcdb6192c20cf0b141

SHA1
b9629fdd735956772e9a3ceedcdb829bba6f8a43

SHA256
21d34a02ec28e9bd6f7b2f96ac7921f5ef08d291416b38a3fc8cf651f11fc820

SHA512
0ffef5b2681e57d3586b878bbf174a667423cd30e75a7f4ef60910922b2f9e3e02af309a7c3f15b70a42b747445513df43ce651dcb85bec7b94bfed6a7704ccd

Download Submit
C:\Program Files (x86)\Microsoft Silverlighte\xir.exe

Filesize
3.8MB

MD5
aba4ffbb5ac39a5225770f729aac4a1f

SHA1
1a951b09feb042c384af679b045b32f9a736f492

SHA256
5c061bfb44d8e7c50b82fc926aca9f268dfe2741107c3b3f0cab7a4ad72cceeb

SHA512
1e5b9b97aaa657b463c06498b4f51bfd81ea7f78297206925485f8a79c65dcccb29e3b7059640bf7460b1997d024d3305c9b1b150260e78ab6b48ebbae7f9b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1143031530174639737.tmp

Filesize
4.5MB

MD5
0d4d4f2e711e582b44bc321013482a9a

SHA1
d28ac688899a6a78bdef278a18785992803dd655

SHA256
628cda2c6691c5a22ca453a33ade1336327a765719b2c379e719ab2515a2e7b1

SHA512
c4d055c0aad9fb1ec06616f90b56f41c94e287b1eba378d4724db6ab1f46c48b20c36ee78e78fadb2bcb0488816ff8bddbb592d6b59e2f083534e4694f845257

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1143031530174639737.tmp

Filesize
4.5MB

MD5
a3dff8a7b8e0a9ba788d44593c994ab1

SHA1
b5acda93a69a572f6a6400bb3b79662b17795db8

SHA256
f356f0a1a59f60b97e3d382716dde5cd43c0a560f800e0ed702ff699821fa9b4

SHA512
53154b5678871542047e37c2ad63b6c5d68aaf6d2f1260d907e1866b3650e7e24521b90453ce3f89b56e15902603675cf78b35c9a9271154b6989e8b3479390b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~7293658929522921785~\sg.tmp

Filesize
1.1MB

MD5
8a36dcd25ae8543d26b0a99b7d48864a

SHA1
72581de60cedf59b1b932f6201bafc7cb02bb56e

SHA256
b3daf97e499467c6337b4320059ac44bc7a949dc4e500eb0d2f79f900a229531

SHA512
26eecfa81f6c94a89d1f9be0224a3f36309a5c43d658055f48e6e7ee2847c29bddf665f077381ee5b318201bc7658f6cfc36d248f64f51302622e5e949f147ef

Download Submit
\Program Files (x86)\Microsoft Silverlighte\SmadHook32.dll

Filesize
832KB

MD5
56d6cfe8df69e0caf27ea087db63b716

SHA1
5794014ddec2adfe6917cc18a878d977a928477d

SHA256
4102a0c9118c27f5ebb282224a8f85f7a584f80180c0e6c2b87663c5b1873b4c

SHA512
9f7282de1be48f17c3f5922a61a4582cb9e766bae83d073573fdb1591ccb241416855bf929be4c43524a635158d08094ffd275894a3234c1a0c13807769cef06

Download Submit
\Users\Admin\AppData\Local\Temp\~7293658929522921785~\sg.tmp

Filesize
1.1MB

MD5
8a36dcd25ae8543d26b0a99b7d48864a

SHA1
72581de60cedf59b1b932f6201bafc7cb02bb56e

SHA256
b3daf97e499467c6337b4320059ac44bc7a949dc4e500eb0d2f79f900a229531

SHA512
26eecfa81f6c94a89d1f9be0224a3f36309a5c43d658055f48e6e7ee2847c29bddf665f077381ee5b318201bc7658f6cfc36d248f64f51302622e5e949f147ef

Download Submit
\Users\Admin\AppData\Local\Temp\~7293658929522921785~\sg.tmp

Filesize
1.1MB

MD5
8a36dcd25ae8543d26b0a99b7d48864a

SHA1
72581de60cedf59b1b932f6201bafc7cb02bb56e

SHA256
b3daf97e499467c6337b4320059ac44bc7a949dc4e500eb0d2f79f900a229531

SHA512
26eecfa81f6c94a89d1f9be0224a3f36309a5c43d658055f48e6e7ee2847c29bddf665f077381ee5b318201bc7658f6cfc36d248f64f51302622e5e949f147ef

Download Submit
memory/2336-68-0x0000000140000000-0x0000000140BB1000-memory.dmp

Filesize
11.7MB

Download
memory/2336-69-0x0000000140000000-0x0000000140BB1000-memory.dmp

Filesize
11.7MB

Download
memory/2336-67-0x0000000140000000-0x0000000140BB1000-memory.dmp

Filesize
11.7MB

Download
memory/2336-72-0x0000000140000000-0x0000000140BB1000-memory.dmp

Filesize
11.7MB

Download
memory/2336-70-0x0000000077420000-0x00000000775C9000-memory.dmp

Filesize
1.7MB

Download
memory/2336-71-0x0000000140000000-0x0000000140BB1000-memory.dmp

Filesize
11.7MB

Download
memory/2336-77-0x0000000140000000-0x0000000140BB1000-memory.dmp

Filesize
11.7MB

Download
memory/2336-78-0x0000000077420000-0x00000000775C9000-memory.dmp

Filesize
1.7MB

Download
memory/2592-75-0x0000000140000000-0x0000000140BB1000-memory.dmp

Filesize
11.7MB

Download
memory/2592-74-0x0000000077420000-0x00000000775C9000-memory.dmp

Filesize
1.7MB

Download
memory/2592-73-0x0000000140000000-0x0000000140BB1000-memory.dmp

Filesize
11.7MB

Download
memory/2592-54-0x0000000140000000-0x0000000140BB1000-memory.dmp

Filesize
11.7MB

Download
memory/2592-66-0x0000000002730000-0x00000000032E1000-memory.dmp

Filesize
11.7MB

Download
memory/2592-88-0x0000000002730000-0x00000000032E1000-memory.dmp

Filesize
11.7MB

Download
memory/2592-59-0x0000000140000000-0x0000000140BB1000-memory.dmp

Filesize
11.7MB

Download
memory/2592-58-0x0000000140000000-0x0000000140BB1000-memory.dmp

Filesize
11.7MB

Download
memory/2592-57-0x0000000140000000-0x0000000140BB1000-memory.dmp

Filesize
11.7MB

Download
memory/2592-56-0x0000000140000000-0x0000000140BB1000-memory.dmp

Filesize
11.7MB

Download
memory/2592-55-0x0000000077420000-0x00000000775C9000-memory.dmp

Filesize
1.7MB

Download
memory/2592-941-0x0000000140000000-0x0000000140BB1000-memory.dmp

Filesize
11.7MB

Download
memory/2820-917-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-950-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-914-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-915-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-103-0x0000000010000000-0x00000000101C7000-memory.dmp

Filesize
1.8MB

Download
memory/2820-919-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-921-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-923-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-925-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-927-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-929-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-931-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-933-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-935-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-937-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-939-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-102-0x0000000010000000-0x00000000101C7000-memory.dmp

Filesize
1.8MB

Download
memory/2820-942-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-944-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-946-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-948-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-104-0x0000000076360000-0x00000000763A7000-memory.dmp

Filesize
284KB

Download
memory/2820-952-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-954-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-960-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-958-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-956-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-962-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-964-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-2652-0x0000000001DC0000-0x0000000001EC0000-memory.dmp

Filesize
1024KB

Download
memory/2820-2653-0x0000000001F90000-0x0000000002111000-memory.dmp

Filesize
1.5MB

Download
memory/2820-4343-0x0000000001DC0000-0x0000000001EC0000-memory.dmp

Filesize
1024KB

Download
memory/2820-8795-0x00000000022C0000-0x00000000023D1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-8798-0x00000000024F0000-0x0000000002591000-memory.dmp

Filesize
644KB

Download
memory/2820-8803-0x0000000010000000-0x00000000101C7000-memory.dmp

Filesize
1.8MB

Download
memory/2820-8804-0x0000000010000000-0x00000000101C7000-memory.dmp

Filesize
1.8MB

Download
memory/2820-8805-0x00000000023E0000-0x00000000024E1000-memory.dmp

Filesize
1.0MB

Download
memory/2820-8807-0x0000000002160000-0x00000000021A0000-memory.dmp

Filesize
256KB

Download
memory/2820-8810-0x0000000010000000-0x00000000101C7000-memory.dmp

Filesize
1.8MB

Download
memory/2820-8812-0x0000000002160000-0x00000000021A0000-memory.dmp

Filesize
256KB

Download
memory/2820-8817-0x0000000010000000-0x00000000101C7000-memory.dmp

Filesize
1.8MB

Download