Overview

overview

9

Static

static

7

tmp.exe

windows7-x64

9

tmp.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    143s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    23/11/2023, 22:27

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    5.5MB

  • MD5

    7f8632e087ebf8eb9a4638f4da5cbed8

  • SHA1

    ab40cb7b418e86ee0bb8ae3d2459bb30dc8af789

  • SHA256

    5480a005883fdba87ee7ab7c9e7e10d553811c89837a03825b4a702c0c234e6f

  • SHA512

    b385733ff09b89fcae2f8e2f9d6423fc98277122a2ee375afe7a0d4624e15acfb8d4a4f69329dae6ad5a0808cc6b23912bae96ccf89c4f2c5a391cd0109776ea

  • SSDEEP

    98304:CgNgqVpbTYVgZoj47MZ5FV0ZIvY4mQj1zvJliBN0FLKhsxNv/jA1MXXgnFtEZHOk:CgNvpbXZ778hsIvY6j1mBIN0MniXitky

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Themida packer 23 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\s27s.0.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1192
      • C:\ProgramData\pinterests\XRJNZC.exe
        "C:\ProgramData\pinterests\XRJNZC.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
          4⤵
          • Creates scheduled task(s)
          PID:2824
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {F440B908-0AA8-4065-9FAE-BAD8868E152A} S-1-5-21-3618187007-3650799920-3290345941-1000:BPDFUYWR\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\ProgramData\pinterests\XRJNZC.exe
      C:\ProgramData\pinterests\XRJNZC.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2424
    • C:\ProgramData\pinterests\XRJNZC.exe
      C:\ProgramData\pinterests\XRJNZC.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2444

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\pinterests\XRJNZC.exe
          Filesize

          5.5MB

          MD5

          7f8632e087ebf8eb9a4638f4da5cbed8

          SHA1

          ab40cb7b418e86ee0bb8ae3d2459bb30dc8af789

          SHA256

          5480a005883fdba87ee7ab7c9e7e10d553811c89837a03825b4a702c0c234e6f

          SHA512

          b385733ff09b89fcae2f8e2f9d6423fc98277122a2ee375afe7a0d4624e15acfb8d4a4f69329dae6ad5a0808cc6b23912bae96ccf89c4f2c5a391cd0109776ea

          Download Submit

        • C:\ProgramData\pinterests\XRJNZC.exe
          Filesize

          5.5MB

          MD5

          7f8632e087ebf8eb9a4638f4da5cbed8

          SHA1

          ab40cb7b418e86ee0bb8ae3d2459bb30dc8af789

          SHA256

          5480a005883fdba87ee7ab7c9e7e10d553811c89837a03825b4a702c0c234e6f

          SHA512

          b385733ff09b89fcae2f8e2f9d6423fc98277122a2ee375afe7a0d4624e15acfb8d4a4f69329dae6ad5a0808cc6b23912bae96ccf89c4f2c5a391cd0109776ea

          Download Submit

        • C:\ProgramData\pinterests\XRJNZC.exe
          Filesize

          5.5MB

          MD5

          7f8632e087ebf8eb9a4638f4da5cbed8

          SHA1

          ab40cb7b418e86ee0bb8ae3d2459bb30dc8af789

          SHA256

          5480a005883fdba87ee7ab7c9e7e10d553811c89837a03825b4a702c0c234e6f

          SHA512

          b385733ff09b89fcae2f8e2f9d6423fc98277122a2ee375afe7a0d4624e15acfb8d4a4f69329dae6ad5a0808cc6b23912bae96ccf89c4f2c5a391cd0109776ea

          Download Submit

        • C:\ProgramData\pinterests\XRJNZC.exe
          Filesize

          5.5MB

          MD5

          7f8632e087ebf8eb9a4638f4da5cbed8

          SHA1

          ab40cb7b418e86ee0bb8ae3d2459bb30dc8af789

          SHA256

          5480a005883fdba87ee7ab7c9e7e10d553811c89837a03825b4a702c0c234e6f

          SHA512

          b385733ff09b89fcae2f8e2f9d6423fc98277122a2ee375afe7a0d4624e15acfb8d4a4f69329dae6ad5a0808cc6b23912bae96ccf89c4f2c5a391cd0109776ea

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\s27s.0.bat
          Filesize

          176B

          MD5

          a0839764bd5cef32fdd082aa68b654f9

          SHA1

          600f82c9b4ed1d8e435ecbc2006f3d97265fc5bf

          SHA256

          13ad70ef4cca248db7c065be8f64f768d31fba5481cab3f4974fc741e08f9279

          SHA512

          b9f70324622a909ea9f1e967d5a8a22a13bc7d4019fe7bcb9903797aa82dba23b14688e4a4049403f6dace5d62b8ca3c268888861d1d1483df6ee342da2266a6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\s27s.0.bat
          Filesize

          176B

          MD5

          a0839764bd5cef32fdd082aa68b654f9

          SHA1

          600f82c9b4ed1d8e435ecbc2006f3d97265fc5bf

          SHA256

          13ad70ef4cca248db7c065be8f64f768d31fba5481cab3f4974fc741e08f9279

          SHA512

          b9f70324622a909ea9f1e967d5a8a22a13bc7d4019fe7bcb9903797aa82dba23b14688e4a4049403f6dace5d62b8ca3c268888861d1d1483df6ee342da2266a6

          Download Submit

        • \ProgramData\pinterests\XRJNZC.exe
          Filesize

          5.5MB

          MD5

          7f8632e087ebf8eb9a4638f4da5cbed8

          SHA1

          ab40cb7b418e86ee0bb8ae3d2459bb30dc8af789

          SHA256

          5480a005883fdba87ee7ab7c9e7e10d553811c89837a03825b4a702c0c234e6f

          SHA512

          b385733ff09b89fcae2f8e2f9d6423fc98277122a2ee375afe7a0d4624e15acfb8d4a4f69329dae6ad5a0808cc6b23912bae96ccf89c4f2c5a391cd0109776ea

          Download Submit

        • memory/2424-103-0x0000000000DE0000-0x0000000001C0C000-memory.dmp

          Filesize

          14.2MB

          Download

        • memory/2424-106-0x0000000000DE0000-0x0000000001C0C000-memory.dmp

          Filesize

          14.2MB

          Download

        • memory/2424-146-0x0000000000DE0000-0x0000000001C0C000-memory.dmp

          Filesize

          14.2MB

          Download

        • memory/2444-155-0x0000000000DE0000-0x0000000001C0C000-memory.dmp

          Filesize

          14.2MB

          Download

        • memory/2444-195-0x0000000000DE0000-0x0000000001C0C000-memory.dmp

          Filesize

          14.2MB

          Download

        • memory/2496-57-0x0000000002170000-0x0000000002F9C000-memory.dmp

          Filesize

          14.2MB

          Download

        • memory/2816-74-0x0000000000120000-0x0000000000121000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2816-61-0x0000000000DE0000-0x0000000001C0C000-memory.dmp

          Filesize

          14.2MB

          Download

        • memory/2816-58-0x0000000000DE0000-0x0000000001C0C000-memory.dmp

          Filesize

          14.2MB

          Download

        • memory/2816-62-0x0000000000100000-0x0000000000101000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2816-64-0x0000000000100000-0x0000000000101000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2816-69-0x0000000000110000-0x0000000000111000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2816-79-0x0000000000170000-0x0000000000171000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2816-101-0x0000000000DE0000-0x0000000001C0C000-memory.dmp

          Filesize

          14.2MB

          Download

        • memory/2872-21-0x0000000000170000-0x0000000000171000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2872-26-0x0000000000180000-0x0000000000181000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2872-40-0x0000000000C20000-0x0000000001A4C000-memory.dmp

          Filesize

          14.2MB

          Download

        • memory/2872-52-0x0000000000C20000-0x0000000001A4C000-memory.dmp

          Filesize

          14.2MB

          Download

        • memory/2872-39-0x0000000000C20000-0x0000000001A4C000-memory.dmp

          Filesize

          14.2MB

          Download

        • memory/2872-38-0x0000000000C20000-0x0000000001A4C000-memory.dmp

          Filesize

          14.2MB

          Download

        • memory/2872-36-0x0000000000C20000-0x0000000001A4C000-memory.dmp

          Filesize

          14.2MB

          Download

        • memory/2872-37-0x0000000077630000-0x0000000077632000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2872-32-0x0000000000C20000-0x0000000001A4C000-memory.dmp

          Filesize

          14.2MB

          Download

        • memory/2872-31-0x0000000000190000-0x0000000000191000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2872-29-0x0000000000190000-0x0000000000191000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2872-41-0x0000000000C20000-0x0000000001A4C000-memory.dmp

          Filesize

          14.2MB

          Download

        • memory/2872-24-0x0000000000180000-0x0000000000181000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2872-0-0x0000000000C20000-0x0000000001A4C000-memory.dmp

          Filesize

          14.2MB

          Download

        • memory/2872-19-0x0000000000170000-0x0000000000171000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2872-14-0x0000000000120000-0x0000000000121000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2872-16-0x0000000000120000-0x0000000000121000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2872-11-0x0000000000110000-0x0000000000111000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2872-9-0x0000000000110000-0x0000000000111000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2872-7-0x0000000000110000-0x0000000000111000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2872-6-0x00000000000F0000-0x00000000000F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2872-3-0x00000000000F0000-0x00000000000F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2872-4-0x0000000000C20000-0x0000000001A4C000-memory.dmp

          Filesize

          14.2MB

          Download

        • memory/2872-1-0x00000000000F0000-0x00000000000F1000-memory.dmp

          Filesize

          4KB

          Download