2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65

Analysis

max time kernel
163s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
Size

9.5MB
MD5

392666a39aa5606e5f161329ddba9403
SHA1

b567830d7179aaa44d016b84e4a5ebbe77d31cd7
SHA256

2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65
SHA512

b53c086adbc07c3f55ce3fba036f44cd0a0aaa80a7f8563ddf25437fe842822aac12b537a62753f09118bffe3ea858a92df6076b0ed4644d0c08c1cbff650843
SSDEEP

196608:AbDCH2S46KtwRs3701se3rtwWe0EqsryDhnY2S5ulXqZyTic:A3RS4Nqm370BMLF6Y/5Pyec

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Pubg.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Pubg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Pubg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe

Executes dropped EXE 1 IoCs

pid	Process
5040	Pubg.exe

Loads dropped DLL 1 IoCs

pid	Process
5040	Pubg.exe

Themida packer 37 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/3856-0-0x0000000000210000-0x000000000112E000-memory.dmp	themida
behavioral2/memory/3856-2-0x0000000000210000-0x000000000112E000-memory.dmp	themida
behavioral2/memory/3856-3-0x0000000000210000-0x000000000112E000-memory.dmp	themida
behavioral2/memory/3856-4-0x0000000000210000-0x000000000112E000-memory.dmp	themida
behavioral2/memory/3856-5-0x0000000000210000-0x000000000112E000-memory.dmp	themida
behavioral2/memory/3856-6-0x0000000000210000-0x000000000112E000-memory.dmp	themida
behavioral2/memory/3856-7-0x0000000000210000-0x000000000112E000-memory.dmp	themida
behavioral2/memory/3856-8-0x0000000000210000-0x000000000112E000-memory.dmp	themida
behavioral2/memory/3856-9-0x0000000000210000-0x000000000112E000-memory.dmp	themida
behavioral2/memory/3856-10-0x0000000000210000-0x000000000112E000-memory.dmp	themida
behavioral2/memory/3856-13-0x0000000000210000-0x000000000112E000-memory.dmp	themida
behavioral2/files/0x00070000000231be-23.dat	themida
behavioral2/files/0x00070000000231be-25.dat	themida
behavioral2/memory/5040-26-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/3856-24-0x0000000000210000-0x000000000112E000-memory.dmp	themida
behavioral2/memory/5040-27-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-28-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-29-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-30-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-31-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-32-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-33-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-34-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-36-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-37-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-38-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-39-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-40-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-41-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-42-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-43-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-44-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-45-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-46-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-47-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-48-0x0000000072E60000-0x0000000073941000-memory.dmp	themida
behavioral2/memory/5040-49-0x0000000072E60000-0x0000000073941000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Pubg.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Pubg.exe
File opened (read-only)	\??\Q:	Pubg.exe
File opened (read-only)	\??\V:	Pubg.exe
File opened (read-only)	\??\X:	Pubg.exe
File opened (read-only)	\??\Y:	Pubg.exe
File opened (read-only)	\??\E:	Pubg.exe
File opened (read-only)	\??\G:	Pubg.exe
File opened (read-only)	\??\H:	Pubg.exe
File opened (read-only)	\??\L:	Pubg.exe
File opened (read-only)	\??\M:	Pubg.exe
File opened (read-only)	\??\O:	Pubg.exe
File opened (read-only)	\??\P:	Pubg.exe
File opened (read-only)	\??\Z:	Pubg.exe
File opened (read-only)	\??\B:	Pubg.exe
File opened (read-only)	\??\I:	Pubg.exe
File opened (read-only)	\??\J:	Pubg.exe
File opened (read-only)	\??\K:	Pubg.exe
File opened (read-only)	\??\U:	Pubg.exe
File opened (read-only)	\??\W:	Pubg.exe
File opened (read-only)	\??\R:	Pubg.exe
File opened (read-only)	\??\S:	Pubg.exe
File opened (read-only)	\??\T:	Pubg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3856	2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
5040	Pubg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Pubg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Pubg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3856	2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
3856	2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
3856	2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
3856	2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
3856	2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
3856	2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
3856	2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
3856	2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe
5040	Pubg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3856	2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 5040	3856	2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe	92
PID 3856 wrote to memory of 5040	3856	2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe	92
PID 3856 wrote to memory of 5040	3856	2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe	92

C:\Users\Admin\AppData\Local\Temp\2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
"C:\Users\Admin\AppData\Local\Temp\2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Users\Admin\AppData\Roaming\Pubg\Pubg.exe
  "C:\Users\Admin\AppData\Roaming\Pubg\Pubg.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Pubg\Pubg.exe

Filesize
2.0MB

MD5
9037a40fb3c7b5948345acb3a9401c53

SHA1
2957d67dc98c7058e9e556f0690f86b22b1dbd5b

SHA256
97b33e2b233b779dad59cecb75f8da31f7a197c278118452dffa94bb6e178aa3

SHA512
b129e98fc7bc22186562d9b18f9236f1cc44ad8df657135029f4e1c577eb016d982ae7dce18eb06a3d207cf07a85f9c4986b765b6e918dad902c69ba3424f6cf

Download Submit
C:\Users\Admin\AppData\Roaming\Pubg\Pubg.exe

Filesize
2.0MB

MD5
9037a40fb3c7b5948345acb3a9401c53

SHA1
2957d67dc98c7058e9e556f0690f86b22b1dbd5b

SHA256
97b33e2b233b779dad59cecb75f8da31f7a197c278118452dffa94bb6e178aa3

SHA512
b129e98fc7bc22186562d9b18f9236f1cc44ad8df657135029f4e1c577eb016d982ae7dce18eb06a3d207cf07a85f9c4986b765b6e918dad902c69ba3424f6cf

Download Submit
C:\Users\Admin\AppData\Roaming\Pubg\Pubg.exe

Filesize
2.0MB

MD5
9037a40fb3c7b5948345acb3a9401c53

SHA1
2957d67dc98c7058e9e556f0690f86b22b1dbd5b

SHA256
97b33e2b233b779dad59cecb75f8da31f7a197c278118452dffa94bb6e178aa3

SHA512
b129e98fc7bc22186562d9b18f9236f1cc44ad8df657135029f4e1c577eb016d982ae7dce18eb06a3d207cf07a85f9c4986b765b6e918dad902c69ba3424f6cf

Download Submit
C:\Users\Admin\AppData\Roaming\Pubg\libcef.dll

Filesize
4.8MB

MD5
0fc261b54b97df2c0c3e0699b367e0bd

SHA1
c732ad05d195fda68e5cc34cb6cb7bfa7e54f0ea

SHA256
8fe43723ea28ecaf1bd8496dc27aaf45c6d2818ee4ba77a8945588af73e21e82

SHA512
fd39a201420c4a14e6793ac3ebef0743b5bba9ab27274b09d73a8338cb61b850cfc2839e8afa365b6db157fb936887bbf7553bdbdd64c437a6bd9857529510f3

Download Submit
C:\Users\Admin\AppData\Roaming\Pubg\libcef.dll

Filesize
4.8MB

MD5
0fc261b54b97df2c0c3e0699b367e0bd

SHA1
c732ad05d195fda68e5cc34cb6cb7bfa7e54f0ea

SHA256
8fe43723ea28ecaf1bd8496dc27aaf45c6d2818ee4ba77a8945588af73e21e82

SHA512
fd39a201420c4a14e6793ac3ebef0743b5bba9ab27274b09d73a8338cb61b850cfc2839e8afa365b6db157fb936887bbf7553bdbdd64c437a6bd9857529510f3

Download Submit
memory/3856-4-0x0000000000210000-0x000000000112E000-memory.dmp

Filesize
15.1MB

Download
memory/3856-6-0x0000000000210000-0x000000000112E000-memory.dmp

Filesize
15.1MB

Download
memory/3856-7-0x0000000000210000-0x000000000112E000-memory.dmp

Filesize
15.1MB

Download
memory/3856-8-0x0000000000210000-0x000000000112E000-memory.dmp

Filesize
15.1MB

Download
memory/3856-9-0x0000000000210000-0x000000000112E000-memory.dmp

Filesize
15.1MB

Download
memory/3856-10-0x0000000000210000-0x000000000112E000-memory.dmp

Filesize
15.1MB

Download
memory/3856-13-0x0000000000210000-0x000000000112E000-memory.dmp

Filesize
15.1MB

Download
memory/3856-5-0x0000000000210000-0x000000000112E000-memory.dmp

Filesize
15.1MB

Download
memory/3856-0-0x0000000000210000-0x000000000112E000-memory.dmp

Filesize
15.1MB

Download
memory/3856-3-0x0000000000210000-0x000000000112E000-memory.dmp

Filesize
15.1MB

Download
memory/3856-2-0x0000000000210000-0x000000000112E000-memory.dmp

Filesize
15.1MB

Download
memory/3856-1-0x0000000077274000-0x0000000077276000-memory.dmp

Filesize
8KB

Download
memory/3856-24-0x0000000000210000-0x000000000112E000-memory.dmp

Filesize
15.1MB

Download
memory/5040-29-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-38-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-27-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-30-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-31-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-32-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-33-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-34-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-26-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-36-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-37-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-28-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-39-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-40-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-41-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-42-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-43-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-44-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-45-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-46-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-47-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-48-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download
memory/5040-49-0x0000000072E60000-0x0000000073941000-memory.dmp

Filesize
10.9MB

Download