4b136365472bd1358a5dc4090b4c5c57ad219d810af59e36136ee9dc41737d33

General

Target

09ae3b0a33f7880ee38c428d596de8ba.exe
Size

1.9MB
MD5

09ae3b0a33f7880ee38c428d596de8ba
SHA1

3cbe809f6a8e734f6f765fe2062a4add2cf79828
SHA256

4b136365472bd1358a5dc4090b4c5c57ad219d810af59e36136ee9dc41737d33
SHA512

0b1cb9045fcbaa30b7724b1679b3e96b623b82e94da07f301291f9e0da881394847cdd88132642c18b4257bb5d70a6bf0f468a00fb0c43eb12fec701a16dbabd
SSDEEP

49152:uedx5C5lzhIxOjI16oDB7G5tkLJJZIDd2yZtIwK:Fx5CLq2aZG4JYltIB

Score

7^/10

themida upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2072	Set_Lime.exe
2588	keygen_unpack.exe

Loads dropped DLL 6 IoCs

pid	Process
2232	09ae3b0a33f7880ee38c428d596de8ba.exe
2232	09ae3b0a33f7880ee38c428d596de8ba.exe
2232	09ae3b0a33f7880ee38c428d596de8ba.exe
2232	09ae3b0a33f7880ee38c428d596de8ba.exe
2588	keygen_unpack.exe
2588	keygen_unpack.exe

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2232-1-0x0000000000400000-0x00000000004E2000-memory.dmp	themida
behavioral1/files/0x000f00000001230d-16.dat	themida
behavioral1/memory/2072-18-0x0000000000400000-0x0000000000481000-memory.dmp	themida
behavioral1/memory/2232-42-0x0000000000400000-0x00000000004E2000-memory.dmp	themida
behavioral1/memory/2232-44-0x0000000000400000-0x00000000004E2000-memory.dmp	themida
behavioral1/memory/2232-46-0x0000000000400000-0x00000000004E2000-memory.dmp	themida
behavioral1/memory/2232-48-0x0000000000400000-0x00000000004E2000-memory.dmp	themida
behavioral1/memory/2232-50-0x0000000000400000-0x00000000004E2000-memory.dmp	themida
behavioral1/memory/2232-52-0x0000000000400000-0x00000000004E2000-memory.dmp	themida
behavioral1/memory/2232-54-0x0000000000400000-0x00000000004E2000-memory.dmp	themida
behavioral1/memory/2232-56-0x0000000000400000-0x00000000004E2000-memory.dmp	themida
behavioral1/memory/2232-58-0x0000000000400000-0x00000000004E2000-memory.dmp	themida
behavioral1/memory/2232-60-0x0000000000400000-0x00000000004E2000-memory.dmp	themida
behavioral1/memory/2232-62-0x0000000000400000-0x00000000004E2000-memory.dmp	themida
behavioral1/memory/2232-64-0x0000000000400000-0x00000000004E2000-memory.dmp	themida
behavioral1/memory/2232-66-0x0000000000400000-0x00000000004E2000-memory.dmp	themida
behavioral1/memory/2232-68-0x0000000000400000-0x00000000004E2000-memory.dmp	themida
behavioral1/memory/2232-70-0x0000000000400000-0x00000000004E2000-memory.dmp	themida

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015609-28.dat	upx
behavioral1/memory/2588-32-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2232-30-0x0000000004070000-0x000000000412A000-memory.dmp	upx
behavioral1/memory/2588-43-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2588	keygen_unpack.exe
2588	keygen_unpack.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2072	2232	09ae3b0a33f7880ee38c428d596de8ba.exe	28
PID 2232 wrote to memory of 2072	2232	09ae3b0a33f7880ee38c428d596de8ba.exe	28
PID 2232 wrote to memory of 2072	2232	09ae3b0a33f7880ee38c428d596de8ba.exe	28
PID 2232 wrote to memory of 2072	2232	09ae3b0a33f7880ee38c428d596de8ba.exe	28
PID 2232 wrote to memory of 2588	2232	09ae3b0a33f7880ee38c428d596de8ba.exe	29
PID 2232 wrote to memory of 2588	2232	09ae3b0a33f7880ee38c428d596de8ba.exe	29
PID 2232 wrote to memory of 2588	2232	09ae3b0a33f7880ee38c428d596de8ba.exe	29
PID 2232 wrote to memory of 2588	2232	09ae3b0a33f7880ee38c428d596de8ba.exe	29

C:\Users\Admin\AppData\Local\Temp\09ae3b0a33f7880ee38c428d596de8ba.exe
"C:\Users\Admin\AppData\Local\Temp\09ae3b0a33f7880ee38c428d596de8ba.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\Set_Lime.exe
  C:\Users\Admin\AppData\Local\Temp\Set_Lime.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Users\Admin\AppData\Local\Temp\keygen_unpack.exe
  C:\Users\Admin\AppData\Local\Temp\keygen_unpack.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Set_Lime.exe

Filesize
480KB

MD5
2cce3bcce36dcd8ae239ad5ea5f148a8

SHA1
5fe65595580aca2749ef15963a5bee09114061f5

SHA256
8b19661078452d526454d6bde304f7e2a4457826e8a0c97c8f69bd6e1c18f13f

SHA512
a0d39bb7a1896eb44f0e8d5500605dc1cab4803ef2b6f4d231614df67308b1b99ca289cc7295ad7390e7c44599ece64857f8ab7bd3d37d735e98763c48625d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen_unpack.exe

Filesize
254KB

MD5
3b1935e07d84f5139f6df03058f4eadb

SHA1
9ec7560352e9596cdad4ec2ccf89de0e92b77942

SHA256
2adde026ed14d955795069860b7e3e1ce391be036b9d1e04019fc32e4c4f6a5a

SHA512
37ec04e18747f545b87c7913a59cc306181926c901d716535ab6f772104842a9665a895bff306c4b9ec4f8bbf32b54f827dd06c9c911bb3008b4a1557e2d36e7

Download Submit
\Users\Admin\AppData\Local\Temp\zwt5F01.tmp

Filesize
256KB

MD5
3c974f25e43b4e1bd6559229446e3f4a

SHA1
475cdc890afe1201c80e6f40df856b8560b8f62b

SHA256
82a4a691e8a9a3d6f183992ec1557fd7357a74b62833b26e8b3e68f33ea6d5ec

SHA512
9573b0bce6d83678a433435a2fc4a3bd61fe4cbea233c3793325f0ca4c34f64e4a1341036f6e61740488aeba7ac0af5ab46da876e6fb0f0ba1623afe5348141f

Download Submit
\Users\Admin\AppData\Local\Temp\zwt5F60.tmp

Filesize
316KB

MD5
3ab7d4d54edcea1f19fa9f1d7e38fb44

SHA1
afed969c1d498cb0d0b93c31a437f278a118d928

SHA256
8a64b4ac30f910d99d6eae0931e6bc9469277391849980216fece45bffcb1f88

SHA512
89683e92cd1dad8bb82919bce450996d4bb4850e60b3d999285a45ceadf7ccd5b2786d099b6fde77b34768f5a3c534f6c9fd44b08b9228084a7fea8f1789daae

Download Submit
memory/2072-18-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2232-66-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2232-3-0x0000000003BF0000-0x0000000003BF1000-memory.dmp

Filesize
4KB

Download
memory/2232-44-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2232-6-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2232-17-0x0000000003C00000-0x0000000003C01000-memory.dmp

Filesize
4KB

Download
memory/2232-7-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2232-2-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/2232-68-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2232-33-0x0000000004070000-0x000000000412A000-memory.dmp

Filesize
744KB

Download
memory/2232-30-0x0000000004070000-0x000000000412A000-memory.dmp

Filesize
744KB

Download
memory/2232-1-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2232-0-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2232-70-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2232-5-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2232-42-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2232-4-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2232-45-0x0000000004070000-0x000000000412A000-memory.dmp

Filesize
744KB

Download
memory/2232-46-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2232-48-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2232-50-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2232-52-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2232-54-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2232-56-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2232-58-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2232-60-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2232-62-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2232-64-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2588-39-0x0000000001E00000-0x0000000001E67000-memory.dmp

Filesize
412KB

Download
memory/2588-32-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2588-43-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing