Overview

overview

10

Static

static

7

90428802a4...35.exe

windows7-x64

10

90428802a4...35.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    160s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    22/12/2023, 12:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    90428802a49f12a106b15e2bd21bdc35.exe

  • Size

    2.6MB

  • MD5

    90428802a49f12a106b15e2bd21bdc35

  • SHA1

    4d701ff5725c177fd516c183e0f84a275a80adf5

  • SHA256

    855369a144b1aa10dba06b6b5f12e866912f7f3dca6e905b822ee12aaea3b3f0

  • SHA512

    cbaf18998859fc686c87e253c71c85ccdf85e34daf05f469d7d66b550f1458528b4f30678a9118ab2d9fee0b60934427d6313905927b857f44b0653f0450da12

  • SSDEEP

    49152:tU/5M1X4Wl/YvzYCQR9RQs+C40yZpJaD99Gn:tKq4oEa9RQs+Cn4/UKn

Score
10/10
evasionpersistencethemidatrojan

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Themida packer 27 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
    evasiontrojan
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\90428802a49f12a106b15e2bd21bdc35.exe
    "C:\Users\Admin\AppData\Local\Temp\90428802a49f12a106b15e2bd21bdc35.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2624
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2784
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2728
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2768
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:2528
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:56 /f
            5⤵
            • Creates scheduled task(s)
            PID:364
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:57 /f
            5⤵
            • Creates scheduled task(s)
            PID:2448
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:58 /f
            5⤵
            • Creates scheduled task(s)
            PID:2380
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2156

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Resources\Themes\explorer.exe
      Filesize

      402KB

      MD5

      79bb4adefb21a66b3c1529164f8ec92d

      SHA1

      a59707c8a4fc322b70da9abbc7ab60594239a862

      SHA256

      a284a0bf63663da80fc404318af28e3c39c400b17b1722f622a7d87d924197cd

      SHA512

      46b46ced8fd3def33a46989dd21523df8fb3de506d053e27d228b2b7da9b712ec5e46df2c3b43a7bc4eb99805e60332c83ec7176c1b8d4aa84b0a71363bb1f21

      Download Submit

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      207KB

      MD5

      f924c145ab85604bf5e5146ecd73cb18

      SHA1

      487cefc33deb1030a4f856c5a716cb1b5b2cecef

      SHA256

      6e5474905c77b85acb3400b04eecc31c8165e7e210a34ffe0f48e732351ade6b

      SHA512

      0db0bf53f5b804281eb2d26c6be5841b51631000a8e4bc66d211c07775b867eac6e2643b5a4b19b0289cdf40ffbdb3ab9df220f9c3b8a2ffb77ed06b80195479

      Download Submit

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      85KB

      MD5

      7136e5cfc2093de4220b9aa34b67120f

      SHA1

      0e01d1ae86240c8d3575d96c4171bf8a0bbb437e

      SHA256

      104755f9810693cfda618a99a0cfe4d0b12ec781bcbfac5c2dff4df6c91078b2

      SHA512

      8b947c540f1a6a841e64e45778df715c54cc6b8e0946465c979819edb1b4377d512ebae3e3248c5323c979ea0152d0c948e4e01bbf7f40e931fcbf176dd70614

      Download Submit

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      118KB

      MD5

      fe2f93030fb2d1b7a170edc752c56121

      SHA1

      a17d26f4fb9ae62e008179025054c1a82abdcf66

      SHA256

      1731bbb44b3f92af56beb79c64b78d4d775ff3b436ef1e0015549d58c77b8e3b

      SHA512

      c1971e244b6990d7e11f6cbb8446d20c74b72e624c8f88ab8395ef607e275a3fc645f30eaa7f823b7bc2b31463fe70192e7ae101691c960bb6b5483dc70cf252

      Download Submit

    • C:\Windows\Resources\svchost.exe
      Filesize

      33KB

      MD5

      d28504a84be3fce822a508ca606dfe12

      SHA1

      953d2141375dce6abd612deeb4c28486d6ce08b0

      SHA256

      6634511b076be72199c2c6da12ff0f3d7112379c2c0bf368642dc19e59c8fa00

      SHA512

      74262b2cfe24263ff5799dc105e2acb71004b81388b13279d359571fb7c03f68693f5c06eef2a2a5636a2f5e37d86034d5075ce5d592c2443da146ef675b3f3c

      Download Submit

    • \??\c:\windows\resources\spoolsv.exe
      Filesize

      62KB

      MD5

      d52e7700e8657229b2d10510f76598e6

      SHA1

      9387db4a8c090bf8206d3b52c5ba7de53c3cb7af

      SHA256

      01e9d449c286abe4241a681228d6df79c632b377fdc53f5cd552a292da90b06f

      SHA512

      d8ef65d673f246c006286f25a0f214663d097f61912cb3a4ffb97ad32459e0484fc1a3684ce806eeb0ca9764ab768244656ab71688fbdd430fed322038fca547

      Download Submit

    • \??\c:\windows\resources\svchost.exe
      Filesize

      130KB

      MD5

      f185537cd595335b0ffe9d4764396717

      SHA1

      093a2e809427f5a7549a1d885067589a648d5040

      SHA256

      04ed24dbf7d78b2931b3c78de93fdaa6a9b43f006d31504eddcdb626fb5fe94d

      SHA512

      f3f7d4f64f1f60c75c7ff28d75da81009a41a3503d7563a27c986618e79f6a6eef8129843d5d61b3cf3434a2f2a9f3644d984ff7022ca57b286fee079dc26320

      Download Submit

    • \??\c:\windows\resources\themes\explorer.exe
      Filesize

      314KB

      MD5

      53822b7b1f789f1891687716e1427e22

      SHA1

      e47d8cf8f3fe3268fe53f9c07738a3c290901cdd

      SHA256

      41fe535c3cf255386d65d6070e969206aa597d8bdc94681b611eabb1935b84ca

      SHA512

      f355c619c4859e3a17aefb1302cfc88e49a2cb70049356df0a8df7632c0e87b488f0083ff09c2e9fad8e1e81ba21b197a941525541e3402ceebe827a7236fb7c

      Download Submit

    • \Windows\Resources\Themes\explorer.exe
      Filesize

      711KB

      MD5

      d1aa5a0aaac853842c118a0dfe45df14

      SHA1

      b5ee74fd151a173e420eddb80aae2c53eddd6e74

      SHA256

      3937a45f09196b3db1b7c090a5a520ff4b85238cd7030f35aaf57df1716f2fd3

      SHA512

      d25fb49e7a4d1544b695ac54cf52cf2cfd6be4f21750e3f9f7e6f3315b221a765da8495c2706283383763868cc5dcac366e7bcf144f91db0553e7ce5182924aa

      Download Submit

    • \Windows\Resources\spoolsv.exe
      Filesize

      241KB

      MD5

      0d0a5e2d6874ed0caaab3af51c7e4c1a

      SHA1

      9380eb15bb9ade3c115de636b31046243fc9b17c

      SHA256

      82c68dd97070d50f0d185cb27c14501e4c14bd1014e3df60f5bf5ab3f64e6901

      SHA512

      aa135f8f3c563c91950d0b68e82511cb58ca1f6e751f2d2a299ba763b3330d65b4b6ca3f68deb17563aa9d23a5351c21257a54fce2a3597704d9e7eaacee424a

      Download Submit

    • \Windows\Resources\spoolsv.exe
      Filesize

      235KB

      MD5

      be190efeff8820f979b05dfcde421d66

      SHA1

      4380f7287e9af3f7313a7fdf6a040608895ebfa2

      SHA256

      1876d9235fe6c60280f9791867ecfe5e2b2480884d9cc22e4fb1c348225277b9

      SHA512

      45169f8099dadcaab8ddf9fc376abaa5fd371bae38a81eab8c0584c4b20c87ac664b9afcd2f4f751ce9f45acdd9cd6b2884a30f1942c0ac2d96c8743d50fb634

      Download Submit

    • \Windows\Resources\svchost.exe
      Filesize

      65KB

      MD5

      cfcccee83447bc35709cefe089c5df84

      SHA1

      cc0c5538ef32665dc5a78908febc6377cfec1815

      SHA256

      34d7911ded92ec407453ee3fbec914d8b541791d7d5b209d7487557dcc3a0795

      SHA512

      786e787b61d77f1a0c607e1fa5d418dc02e4e00604c0a47a0a680fe51fd8f6d137c0f40b321e73d9356057cd701a9840f3dd4c975ea01c138ba8082f8422cfcb

      Download Submit

    • memory/2528-50-0x0000000000400000-0x0000000000A17000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2528-45-0x0000000000400000-0x0000000000A17000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2624-1-0x0000000077DF0000-0x0000000077DF2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2624-52-0x0000000000400000-0x0000000000A17000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2624-0-0x0000000000400000-0x0000000000A17000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2624-48-0x0000000003350000-0x0000000003967000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2624-10-0x0000000003350000-0x0000000003967000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2624-43-0x0000000000400000-0x0000000000A17000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2728-51-0x0000000000400000-0x0000000000A17000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2728-24-0x0000000000400000-0x0000000000A17000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2728-35-0x0000000003210000-0x0000000003827000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2768-36-0x0000000000400000-0x0000000000A17000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2768-54-0x0000000000400000-0x0000000000A17000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2768-61-0x0000000000400000-0x0000000000A17000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2784-12-0x0000000000400000-0x0000000000A17000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2784-49-0x0000000000400000-0x0000000000A17000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2784-23-0x00000000034C0000-0x0000000003AD7000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2784-53-0x0000000000400000-0x0000000000A17000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2784-55-0x00000000034C0000-0x0000000003AD7000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2784-66-0x0000000000400000-0x0000000000A17000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2784-72-0x0000000000400000-0x0000000000A17000-memory.dmp

      Filesize

      6.1MB

      Download