96c61a0946342b2914ca29dd0d71f30a3a6fea23b8cad73f8ecf664a068a49e4

Analysis

max time kernel
163s
max time network
174s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
19-11-2023 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96c61a0946342b2914ca29dd0d71f30a3a6fea23b8cad73f8ecf664a068a49e4.exe
Size

3.9MB
MD5

75a37a0a4144f09d9c356a521ed2a0c7
SHA1

bd60e11bce93ee9eab4fc1e311bb3808c87ed32c
SHA256

96c61a0946342b2914ca29dd0d71f30a3a6fea23b8cad73f8ecf664a068a49e4
SHA512

27f071d7f939e533cc0e07be5b9be062f98049c83bf955708bd4c6de912617a50b4a6b2fda5fc937ed1aeee7966201e036d74b81ab1747bb36d0bfcc3d78d34b
SSDEEP

98304:K1X29SacJCl3Bw95kLLvE5Qb54Q1CgUi+ySOs0q4R:K1ySzJk3Bw9YvE+b6s240c

Score

10^/10

evasion themida trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	DqzDk6ew.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	96c61a0946342b2914ca29dd0d71f30a3a6fea23b8cad73f8ecf664a068a49e4.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	96c61a0946342b2914ca29dd0d71f30a3a6fea23b8cad73f8ecf664a068a49e4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	96c61a0946342b2914ca29dd0d71f30a3a6fea23b8cad73f8ecf664a068a49e4.exe

Executes dropped EXE 1 IoCs

pid	Process
1668	DqzDk6ew.exe

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2256-0-0x000000013F8B0000-0x0000000140229000-memory.dmp	themida
behavioral1/memory/2256-1-0x000000013F8B0000-0x0000000140229000-memory.dmp	themida
behavioral1/memory/2256-2-0x000000013F8B0000-0x0000000140229000-memory.dmp	themida
behavioral1/memory/2256-3-0x000000013F8B0000-0x0000000140229000-memory.dmp	themida
behavioral1/memory/2256-4-0x000000013F8B0000-0x0000000140229000-memory.dmp	themida
behavioral1/memory/2256-5-0x000000013F8B0000-0x0000000140229000-memory.dmp	themida
behavioral1/memory/2256-6-0x000000013F8B0000-0x0000000140229000-memory.dmp	themida
behavioral1/memory/2256-7-0x000000013F8B0000-0x0000000140229000-memory.dmp	themida
behavioral1/memory/2256-8-0x000000013F8B0000-0x0000000140229000-memory.dmp	themida
behavioral1/memory/2256-9-0x000000013F8B0000-0x0000000140229000-memory.dmp	themida
behavioral1/memory/2256-10-0x000000013F8B0000-0x0000000140229000-memory.dmp	themida
behavioral1/memory/2256-18-0x000000013F8B0000-0x0000000140229000-memory.dmp	themida

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002e000000014b92-17.dat	upx
behavioral1/memory/1668-20-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/files/0x002e000000014b92-50.dat	upx
behavioral1/memory/1668-61-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	96c61a0946342b2914ca29dd0d71f30a3a6fea23b8cad73f8ecf664a068a49e4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2256	96c61a0946342b2914ca29dd0d71f30a3a6fea23b8cad73f8ecf664a068a49e4.exe
2256	96c61a0946342b2914ca29dd0d71f30a3a6fea23b8cad73f8ecf664a068a49e4.exe
2256	96c61a0946342b2914ca29dd0d71f30a3a6fea23b8cad73f8ecf664a068a49e4.exe
2256	96c61a0946342b2914ca29dd0d71f30a3a6fea23b8cad73f8ecf664a068a49e4.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1668	DqzDk6ew.exe
1668	DqzDk6ew.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1668	2256	96c61a0946342b2914ca29dd0d71f30a3a6fea23b8cad73f8ecf664a068a49e4.exe	27
PID 2256 wrote to memory of 1668	2256	96c61a0946342b2914ca29dd0d71f30a3a6fea23b8cad73f8ecf664a068a49e4.exe	27
PID 2256 wrote to memory of 1668	2256	96c61a0946342b2914ca29dd0d71f30a3a6fea23b8cad73f8ecf664a068a49e4.exe	27
PID 2256 wrote to memory of 1668	2256	96c61a0946342b2914ca29dd0d71f30a3a6fea23b8cad73f8ecf664a068a49e4.exe	27
PID 2256 wrote to memory of 1668	2256	96c61a0946342b2914ca29dd0d71f30a3a6fea23b8cad73f8ecf664a068a49e4.exe	27
PID 2256 wrote to memory of 1668	2256	96c61a0946342b2914ca29dd0d71f30a3a6fea23b8cad73f8ecf664a068a49e4.exe	27
PID 2256 wrote to memory of 1668	2256	96c61a0946342b2914ca29dd0d71f30a3a6fea23b8cad73f8ecf664a068a49e4.exe	27
PID 1668 wrote to memory of 3048	1668	DqzDk6ew.exe	30
PID 1668 wrote to memory of 3048	1668	DqzDk6ew.exe	30
PID 1668 wrote to memory of 3048	1668	DqzDk6ew.exe	30
PID 1668 wrote to memory of 3048	1668	DqzDk6ew.exe	30

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	DqzDk6ew.exe

C:\Users\Admin\AppData\Local\Temp\96c61a0946342b2914ca29dd0d71f30a3a6fea23b8cad73f8ecf664a068a49e4.exe
"C:\Users\Admin\AppData\Local\Temp\96c61a0946342b2914ca29dd0d71f30a3a6fea23b8cad73f8ecf664a068a49e4.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Public\Downloads\vsqKPA3O\DqzDk6ew.exe
  "C:\Users\Public\Downloads\vsqKPA3O\DqzDk6ew.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo.>c:\xxxx.ini
    3⤵
    PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG

Filesize
36KB

MD5
f6bf82a293b69aa5b47d4e2de305d45a

SHA1
4948716616d4bbe68be2b4c5bf95350402d3f96f

SHA256
6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

SHA512
edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

Download Submit
C:\Users\Public\Downloads\vsqKPA3O\DqzDk6ew.dat

Filesize
132KB

MD5
e106b7fd4c3d48bb868b798c2c76d7f2

SHA1
6b3a7cc1f47429a683b9321db1cc165046d3cfb6

SHA256
03d8f1d778be79c3cd4476b1cc8c657c6d95bc684006ee4c1531d451385b40af

SHA512
53a58280024bba85f40e1e6dbe5663aff5b78006a9ed0a8e7d0b7a78c31dcb1512a7dbe8a3cc9191fea7576795e66b8af0f58f11e9c52ebbdc1085a308fe2570

Download Submit
C:\Users\Public\Downloads\vsqKPA3O\DqzDk6ew.exe

Filesize
525KB

MD5
a0ef30abe1f03fc300ebb0e318a49901

SHA1
f8407e194804c1dae186dbf2d84faeea610adec3

SHA256
910ac6be0ab337b7893fa35cd526de1f55c6813a4d559cd4a82e043d66ab3636

SHA512
83bcf6f493fee0de979d9ba42a5961f7b04f10aa6828f757cdd752c84de19c09c02ae9b4457a6cd1aa9e4bfcb314b246936bbca0464704bcab7a27dc8a3a60d2

Download Submit
C:\Users\Public\Downloads\vsqKPA3O\DqzDk6ew.exe

Filesize
525KB

MD5
a0ef30abe1f03fc300ebb0e318a49901

SHA1
f8407e194804c1dae186dbf2d84faeea610adec3

SHA256
910ac6be0ab337b7893fa35cd526de1f55c6813a4d559cd4a82e043d66ab3636

SHA512
83bcf6f493fee0de979d9ba42a5961f7b04f10aa6828f757cdd752c84de19c09c02ae9b4457a6cd1aa9e4bfcb314b246936bbca0464704bcab7a27dc8a3a60d2

Download Submit
C:\Users\Public\Downloads\vsqKPA3O\Edge.jpg

Filesize
358KB

MD5
7ff7e6fc3e8fa734a34d444104e053a0

SHA1
3ff8c544ad1c952a0259cadf048bb64729c70f38

SHA256
65989df141eb5a8093642903d777b57ff5ce108679f722d7687f09b4e5eda1c1

SHA512
bba2a53ae8e92b656b5dcb335d9bca0b297aa6469c9d79f027a405d0b0cb031fb1d5488b82aefd91dcc8b8767ff3f8a3e6fd372f58bf03b06f2b6ee2acac9265

Download Submit
C:\Users\Public\Downloads\vsqKPA3O\edge.xml

Filesize
84KB

MD5
24bcaf0cb50a6e93450601763525359e

SHA1
6147d2c6e19f0066a3ab25c06de76b5752b669b7

SHA256
5852114c4735d09db08b56ca9df16a8d1b9fce2baefc1e01d24e8b667b3abcd8

SHA512
d8f697ca8c87acf5222a2c3fcd493df53d0b9965b0e6718ddec0c06e6247e81567732a4327c5bff45579ab8762d7b4000cb052b5dd782d5f8cefe54de901d982

Download Submit
memory/1668-20-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1668-41-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/1668-63-0x00000000021B0000-0x00000000021C7000-memory.dmp

Filesize
92KB

Download
memory/1668-61-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1668-47-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/1668-44-0x00000000021B0000-0x00000000021C7000-memory.dmp

Filesize
92KB

Download
memory/2256-4-0x000000013F8B0000-0x0000000140229000-memory.dmp

Filesize
9.5MB

Download
memory/2256-6-0x000000013F8B0000-0x0000000140229000-memory.dmp

Filesize
9.5MB

Download
memory/2256-5-0x000000013F8B0000-0x0000000140229000-memory.dmp

Filesize
9.5MB

Download
memory/2256-8-0x000000013F8B0000-0x0000000140229000-memory.dmp

Filesize
9.5MB

Download
memory/2256-18-0x000000013F8B0000-0x0000000140229000-memory.dmp

Filesize
9.5MB

Download
memory/2256-3-0x000000013F8B0000-0x0000000140229000-memory.dmp

Filesize
9.5MB

Download
memory/2256-0-0x000000013F8B0000-0x0000000140229000-memory.dmp

Filesize
9.5MB

Download
memory/2256-2-0x000000013F8B0000-0x0000000140229000-memory.dmp

Filesize
9.5MB

Download
memory/2256-7-0x000000013F8B0000-0x0000000140229000-memory.dmp

Filesize
9.5MB

Download
memory/2256-1-0x000000013F8B0000-0x0000000140229000-memory.dmp

Filesize
9.5MB

Download
memory/2256-10-0x000000013F8B0000-0x0000000140229000-memory.dmp

Filesize
9.5MB

Download
memory/2256-9-0x000000013F8B0000-0x0000000140229000-memory.dmp

Filesize
9.5MB

Download