b6e5cc7b33d3e6053e86d09d76763af2552bd9d8cbad6c52d060a31aab047439

Analysis

max time kernel
125s
max time network
132s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
27/08/2023, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spoofer.exe
Size

15.3MB
MD5

5964a31f5f2c64f8ee7abaee0ac3a65e
SHA1

c52bb1668274df052b1c7f10baeeed62c20ea787
SHA256

b6e5cc7b33d3e6053e86d09d76763af2552bd9d8cbad6c52d060a31aab047439
SHA512

3fdae9a9fc80735366b59ce35ca4eca1084e27e7f8eecf405875d6ce6c5e8c142dfc90b8b63a8a4e03f4152b7f3350edb824216238fb9d0cc960840fb7f846f0
SSDEEP

393216:h/Ld4ELgKnC2rKQl2EUGj+350J7CstgBxDw5pZvg5hnJSdAvDge6bu+wyUNZRU+q:h/Ld4ELgKnC2rKQl2EUGj+350J7CstgI

Score

7^/10

themida

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4760	spoofer.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000700000001afb1-6.dat	themida
behavioral1/files/0x000700000001afb1-8.dat	themida
behavioral1/memory/4760-9-0x00007FFD7A800000-0x00007FFD7B384000-memory.dmp	themida
behavioral1/memory/4760-12-0x00007FFD7A800000-0x00007FFD7B384000-memory.dmp	themida
behavioral1/memory/4760-19-0x00007FFD7A800000-0x00007FFD7B384000-memory.dmp	themida
behavioral1/memory/4760-22-0x00007FFD7A800000-0x00007FFD7B384000-memory.dmp	themida
behavioral1/memory/4760-24-0x00007FFD7A800000-0x00007FFD7B384000-memory.dmp	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4760	spoofer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe
4760	spoofer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	spoofer.exe

C:\Users\Admin\AppData\Local\Temp\spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\spoofer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ee938bb5-5b0f-4655-bd21-02806fb568cd\loader.dll

Filesize
4.2MB

MD5
05b012457488a95a05d0541e0470d392

SHA1
74f541d6a8365508c794ef7b4ac7c297457f9ce3

SHA256
1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d

SHA512
6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

Download Submit
\Users\Admin\AppData\Local\Temp\ee938bb5-5b0f-4655-bd21-02806fb568cd\loader.dll

Filesize
4.2MB

MD5
05b012457488a95a05d0541e0470d392

SHA1
74f541d6a8365508c794ef7b4ac7c297457f9ce3

SHA256
1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d

SHA512
6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

Download Submit
memory/4760-15-0x00007FFD8C7D0000-0x00007FFD8C8FC000-memory.dmp

Filesize
1.2MB

Download
memory/4760-18-0x00007FFD8CA00000-0x00007FFD8D3EC000-memory.dmp

Filesize
9.9MB

Download
memory/4760-0-0x00007FFD8CA00000-0x00007FFD8D3EC000-memory.dmp

Filesize
9.9MB

Download
memory/4760-9-0x00007FFD7A800000-0x00007FFD7B384000-memory.dmp

Filesize
11.5MB

Download
memory/4760-10-0x00007FFD99450000-0x00007FFD9962B000-memory.dmp

Filesize
1.9MB

Download
memory/4760-12-0x00007FFD7A800000-0x00007FFD7B384000-memory.dmp

Filesize
11.5MB

Download
memory/4760-1-0x00000258B59A0000-0x00000258B68E8000-memory.dmp

Filesize
15.3MB

Download
memory/4760-16-0x00000258D0DA0000-0x00000258D0DB2000-memory.dmp

Filesize
72KB

Download
memory/4760-17-0x00000258D0E20000-0x00000258D0E5E000-memory.dmp

Filesize
248KB

Download
memory/4760-2-0x00000258D0E90000-0x00000258D0EA0000-memory.dmp

Filesize
64KB

Download
memory/4760-19-0x00007FFD7A800000-0x00007FFD7B384000-memory.dmp

Filesize
11.5MB

Download
memory/4760-20-0x00000258D0E90000-0x00000258D0EA0000-memory.dmp

Filesize
64KB

Download
memory/4760-21-0x00007FFD99450000-0x00007FFD9962B000-memory.dmp

Filesize
1.9MB

Download
memory/4760-22-0x00007FFD7A800000-0x00007FFD7B384000-memory.dmp

Filesize
11.5MB

Download
memory/4760-24-0x00007FFD7A800000-0x00007FFD7B384000-memory.dmp

Filesize
11.5MB

Download
memory/4760-25-0x00007FFD8CA00000-0x00007FFD8D3EC000-memory.dmp

Filesize
9.9MB

Download
memory/4760-26-0x00007FFD99450000-0x00007FFD9962B000-memory.dmp

Filesize
1.9MB

Download