Overview

overview

10

Static

static

7

e726fce32b...d9.exe

windows7-x64

10

e726fce32b...d9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    20/09/2023, 16:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e726fce32bb643902827af8126f05ad9.exe

  • Size

    6.8MB

  • MD5

    e726fce32bb643902827af8126f05ad9

  • SHA1

    56cd4a1e3c542cf4e4f917d06abcc1db58e5ce79

  • SHA256

    2da7ec7e791cdfacc5d24164fe9d74fd2123d4790bf64f3378573be4164c3da3

  • SHA512

    1a110309bf56558a747611cd009e19fa46937047e6dc15528496a53c78ebfeda58cb7eb3f24e188a7f4182000d828b0e6b5e3b5012dfc4f4a2dee96176b65f0a

  • SSDEEP

    196608:+oJ6O3UwxtOB0BGeuMieLesKAGUeR+SdYMfj:1JfnPjGelizsRbeZdZj

Score
10/10
evasionthemidatrojan

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1256
      • C:\Users\Admin\AppData\Local\Temp\e726fce32bb643902827af8126f05ad9.exe
        "C:\Users\Admin\AppData\Local\Temp\e726fce32bb643902827af8126f05ad9.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:1624
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
        2⤵
          PID:2668
        • C:\Windows\System32\schtasks.exe
          C:\Windows\System32\schtasks.exe /create /f /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\ekuqewhpcyqq.xml"
          2⤵
          • Creates scheduled task(s)
          PID:2736
        • C:\Windows\System32\schtasks.exe
          C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
          2⤵
            PID:2664

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\ekuqewhpcyqq.xml
          Filesize

          1KB

          MD5

          059ccb70dc2c65c81c0dc8bea26a4bb2

          SHA1

          09c60376bf998dff186950104a6e7e4f74b37c24

          SHA256

          0b28be2c63d9b0b5936fb7a5fecbe3dc9bb69de7d212fadaefc03d643bf9482d

          SHA512

          416909daef33f4c55dcd99594b47a2ea65a0fa034179cb206a477d73378b8981eddb2187398e4b121b5448d3643f48033bf131c89d6fbfab3c33f21b8bd42c9d

          Download Submit

        • memory/1624-1-0x000000013FC30000-0x0000000140A0F000-memory.dmp

          Filesize

          13.9MB

          Download

        • memory/1624-0-0x000000013FC30000-0x0000000140A0F000-memory.dmp

          Filesize

          13.9MB

          Download

        • memory/1624-2-0x0000000076FD0000-0x0000000077179000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1624-3-0x000000013FC30000-0x0000000140A0F000-memory.dmp

          Filesize

          13.9MB

          Download

        • memory/1624-4-0x000000013FC30000-0x0000000140A0F000-memory.dmp

          Filesize

          13.9MB

          Download

        • memory/1624-5-0x000000013FC30000-0x0000000140A0F000-memory.dmp

          Filesize

          13.9MB

          Download

        • memory/1624-6-0x000000013FC30000-0x0000000140A0F000-memory.dmp

          Filesize

          13.9MB

          Download

        • memory/1624-8-0x0000000076FD0000-0x0000000077179000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1624-13-0x0000000076FD0000-0x0000000077179000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1624-12-0x000000013FC30000-0x0000000140A0F000-memory.dmp

          Filesize

          13.9MB

          Download