fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7

General

Target

fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe
Size

8.7MB
MD5

e8e8cf7821915da7b1f04ff6930b7e07
SHA1

6fd4bb8a777cb4c732d319fc7b485e5a01037030
SHA256

fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7
SHA512

54258afa73d1af5589a9f8db3d30a3db37c00c1d505bbf5fce3e93bb7e1ceb4b965cd9ddc8da596d5a6f8af472ba1426e2b216f8d00a22038f60f1ae290a25a6
SSDEEP

196608:D6nmOG+MxcBD0kvbbVViXEoyxf+lHb6e6SQDi46eE7wUAwGDx0cJDR:D6nmOG+MSg6b6XEoN6SQDiRbw2KDR

Score

7^/10

themida

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2492-0-0x0000000000EE0000-0x0000000002018000-memory.dmp	themida
behavioral1/memory/2492-2-0x0000000000EE0000-0x0000000002018000-memory.dmp	themida
behavioral1/memory/2492-3-0x0000000000EE0000-0x0000000002018000-memory.dmp	themida
behavioral1/memory/2492-4-0x0000000000EE0000-0x0000000002018000-memory.dmp	themida
behavioral1/memory/2492-5-0x0000000000EE0000-0x0000000002018000-memory.dmp	themida
behavioral1/memory/2492-6-0x0000000000EE0000-0x0000000002018000-memory.dmp	themida
behavioral1/memory/2492-7-0x0000000000EE0000-0x0000000002018000-memory.dmp	themida
behavioral1/memory/2492-9-0x0000000000EE0000-0x0000000002018000-memory.dmp	themida
behavioral1/memory/2492-8-0x0000000000EE0000-0x0000000002018000-memory.dmp	themida
behavioral1/memory/2492-10-0x0000000000EE0000-0x0000000002018000-memory.dmp	themida
behavioral1/memory/2492-12-0x0000000000EE0000-0x0000000002018000-memory.dmp	themida
behavioral1/files/0x000f000000016fe7-14.dat	themida
behavioral1/files/0x000f000000016fe7-16.dat	themida
behavioral1/files/0x000f000000016fe7-15.dat	themida
behavioral1/files/0x000f000000016fe7-17.dat	themida
behavioral1/files/0x000f000000016fe7-19.dat	themida
behavioral1/files/0x000f000000016fe7-18.dat	themida
behavioral1/files/0x000f000000016fe7-20.dat	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2492	fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1516	2492	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2492	fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe
2492	fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe
2492	fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe
2492	fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe
2492	fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe
2492	fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2492	fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2492	fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 1516	2492	fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe	28
PID 2492 wrote to memory of 1516	2492	fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe	28
PID 2492 wrote to memory of 1516	2492	fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe	28
PID 2492 wrote to memory of 1516	2492	fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe	28

C:\Users\Admin\AppData\Local\Temp\fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe
"C:\Users\Admin\AppData\Local\Temp\fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 384
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:1516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe

Filesize
8.7MB

MD5
e8e8cf7821915da7b1f04ff6930b7e07

SHA1
6fd4bb8a777cb4c732d319fc7b485e5a01037030

SHA256
fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7

SHA512
54258afa73d1af5589a9f8db3d30a3db37c00c1d505bbf5fce3e93bb7e1ceb4b965cd9ddc8da596d5a6f8af472ba1426e2b216f8d00a22038f60f1ae290a25a6

Download Submit
\Users\Admin\AppData\Local\Temp\fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe

Filesize
8.7MB

MD5
e8e8cf7821915da7b1f04ff6930b7e07

SHA1
6fd4bb8a777cb4c732d319fc7b485e5a01037030

SHA256
fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7

SHA512
54258afa73d1af5589a9f8db3d30a3db37c00c1d505bbf5fce3e93bb7e1ceb4b965cd9ddc8da596d5a6f8af472ba1426e2b216f8d00a22038f60f1ae290a25a6

Download Submit
\Users\Admin\AppData\Local\Temp\fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe

Filesize
8.7MB

MD5
e8e8cf7821915da7b1f04ff6930b7e07

SHA1
6fd4bb8a777cb4c732d319fc7b485e5a01037030

SHA256
fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7

SHA512
54258afa73d1af5589a9f8db3d30a3db37c00c1d505bbf5fce3e93bb7e1ceb4b965cd9ddc8da596d5a6f8af472ba1426e2b216f8d00a22038f60f1ae290a25a6

Download Submit
\Users\Admin\AppData\Local\Temp\fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe

Filesize
8.7MB

MD5
e8e8cf7821915da7b1f04ff6930b7e07

SHA1
6fd4bb8a777cb4c732d319fc7b485e5a01037030

SHA256
fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7

SHA512
54258afa73d1af5589a9f8db3d30a3db37c00c1d505bbf5fce3e93bb7e1ceb4b965cd9ddc8da596d5a6f8af472ba1426e2b216f8d00a22038f60f1ae290a25a6

Download Submit
\Users\Admin\AppData\Local\Temp\fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe

Filesize
8.7MB

MD5
e8e8cf7821915da7b1f04ff6930b7e07

SHA1
6fd4bb8a777cb4c732d319fc7b485e5a01037030

SHA256
fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7

SHA512
54258afa73d1af5589a9f8db3d30a3db37c00c1d505bbf5fce3e93bb7e1ceb4b965cd9ddc8da596d5a6f8af472ba1426e2b216f8d00a22038f60f1ae290a25a6

Download Submit
\Users\Admin\AppData\Local\Temp\fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe

Filesize
8.7MB

MD5
e8e8cf7821915da7b1f04ff6930b7e07

SHA1
6fd4bb8a777cb4c732d319fc7b485e5a01037030

SHA256
fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7

SHA512
54258afa73d1af5589a9f8db3d30a3db37c00c1d505bbf5fce3e93bb7e1ceb4b965cd9ddc8da596d5a6f8af472ba1426e2b216f8d00a22038f60f1ae290a25a6

Download Submit
\Users\Admin\AppData\Local\Temp\fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7.exe

Filesize
8.7MB

MD5
e8e8cf7821915da7b1f04ff6930b7e07

SHA1
6fd4bb8a777cb4c732d319fc7b485e5a01037030

SHA256
fb5b8381c896aa6908b76900fa1e2f75f653a64ec4d00b3afbc8a81fcf07eba7

SHA512
54258afa73d1af5589a9f8db3d30a3db37c00c1d505bbf5fce3e93bb7e1ceb4b965cd9ddc8da596d5a6f8af472ba1426e2b216f8d00a22038f60f1ae290a25a6

Download Submit
memory/2492-4-0x0000000000EE0000-0x0000000002018000-memory.dmp

Filesize
17.2MB

Download
memory/2492-9-0x0000000000EE0000-0x0000000002018000-memory.dmp

Filesize
17.2MB

Download
memory/2492-8-0x0000000000EE0000-0x0000000002018000-memory.dmp

Filesize
17.2MB

Download
memory/2492-10-0x0000000000EE0000-0x0000000002018000-memory.dmp

Filesize
17.2MB

Download
memory/2492-12-0x0000000000EE0000-0x0000000002018000-memory.dmp

Filesize
17.2MB

Download
memory/2492-7-0x0000000000EE0000-0x0000000002018000-memory.dmp

Filesize
17.2MB

Download
memory/2492-6-0x0000000000EE0000-0x0000000002018000-memory.dmp

Filesize
17.2MB

Download
memory/2492-5-0x0000000000EE0000-0x0000000002018000-memory.dmp

Filesize
17.2MB

Download
memory/2492-0-0x0000000000EE0000-0x0000000002018000-memory.dmp

Filesize
17.2MB

Download
memory/2492-3-0x0000000000EE0000-0x0000000002018000-memory.dmp

Filesize
17.2MB

Download
memory/2492-2-0x0000000000EE0000-0x0000000002018000-memory.dmp

Filesize
17.2MB

Download
memory/2492-1-0x0000000077A10000-0x0000000077A12000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing