db579644bc009df90f63ed87401b21eb4eb93d690c9b953c51ece29da605bfc4

Analysis

max time kernel
121s
max time network
133s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 07:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

db579644bc009df90f63ed87401b21eb4eb93d690c9b953c51ece29da605bfc4.dll
Size

5.0MB
MD5

ba9704ab131e3dd638891bb9c117d700
SHA1

474005ebd8a783067f5bf255b0523ff583698510
SHA256

db579644bc009df90f63ed87401b21eb4eb93d690c9b953c51ece29da605bfc4
SHA512

6a429219e4e7b2f4ad3134158b7e3aa0907481893ba70c3e14c20a740459d94af8954f5ffb2fb40d18e36410c1d3dd4f33625a03f1b5e220c665b61b60aecc04
SSDEEP

98304:0i+Imh2uOC7EJ5PC++D0FVQ/5v8+CQYO/CLUaJELcZkiFYSVYqB5:yImh2uOCk5PCY4/V8gsLDScZkmYSYqB5

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rundll32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rundll32.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2128-0-0x0000000073DF0000-0x0000000074933000-memory.dmp	themida
behavioral1/memory/2128-2-0x0000000072B80000-0x00000000736C3000-memory.dmp	themida
behavioral1/memory/2128-3-0x0000000072B80000-0x00000000736C3000-memory.dmp	themida
behavioral1/memory/2128-5-0x0000000072B80000-0x00000000736C3000-memory.dmp	themida
behavioral1/memory/2128-6-0x0000000072B80000-0x00000000736C3000-memory.dmp	themida
behavioral1/memory/2128-7-0x0000000072B80000-0x00000000736C3000-memory.dmp	themida
behavioral1/memory/2128-8-0x0000000072B80000-0x00000000736C3000-memory.dmp	themida
behavioral1/memory/2128-9-0x0000000072B80000-0x00000000736C3000-memory.dmp	themida
behavioral1/memory/2128-10-0x0000000072B80000-0x00000000736C3000-memory.dmp	themida
behavioral1/memory/2128-11-0x0000000072B80000-0x00000000736C3000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2128	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2128	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 2128	1328	rundll32.exe	28
PID 1328 wrote to memory of 2128	1328	rundll32.exe	28
PID 1328 wrote to memory of 2128	1328	rundll32.exe	28
PID 1328 wrote to memory of 2128	1328	rundll32.exe	28
PID 1328 wrote to memory of 2128	1328	rundll32.exe	28
PID 1328 wrote to memory of 2128	1328	rundll32.exe	28
PID 1328 wrote to memory of 2128	1328	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\db579644bc009df90f63ed87401b21eb4eb93d690c9b953c51ece29da605bfc4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\db579644bc009df90f63ed87401b21eb4eb93d690c9b953c51ece29da605bfc4.dll,#1
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2128-0-0x0000000073DF0000-0x0000000074933000-memory.dmp

Filesize
11.3MB

Download
memory/2128-1-0x0000000073DF0000-0x0000000074933000-memory.dmp

Filesize
11.3MB

Download
memory/2128-2-0x0000000072B80000-0x00000000736C3000-memory.dmp

Filesize
11.3MB

Download
memory/2128-4-0x00000000772D0000-0x00000000772D2000-memory.dmp

Filesize
8KB

Download
memory/2128-3-0x0000000072B80000-0x00000000736C3000-memory.dmp

Filesize
11.3MB

Download
memory/2128-5-0x0000000072B80000-0x00000000736C3000-memory.dmp

Filesize
11.3MB

Download
memory/2128-6-0x0000000072B80000-0x00000000736C3000-memory.dmp

Filesize
11.3MB

Download
memory/2128-7-0x0000000072B80000-0x00000000736C3000-memory.dmp

Filesize
11.3MB

Download
memory/2128-8-0x0000000072B80000-0x00000000736C3000-memory.dmp

Filesize
11.3MB

Download
memory/2128-9-0x0000000072B80000-0x00000000736C3000-memory.dmp

Filesize
11.3MB

Download
memory/2128-10-0x0000000072B80000-0x00000000736C3000-memory.dmp

Filesize
11.3MB

Download
memory/2128-11-0x0000000072B80000-0x00000000736C3000-memory.dmp

Filesize
11.3MB

Download