Analysis

  • max time kernel
    14s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/01/2024, 06:52

General

  • Target

    3c2c546a7fb0733c8c2f811a6ffe0ee4.exe

  • Size

    2.6MB

  • MD5

    3c2c546a7fb0733c8c2f811a6ffe0ee4

  • SHA1

    5d129016a637f83cafea880d0c4dc859a1dc4242

  • SHA256

    cdaab0439c5c3d992835a878b24ef0e6a361f400511cf7f8831893dbe8384286

  • SHA512

    e0917dbcf58ee068119cc69d3ed9bacbb4a212755dcb928a405adb9d41cfb26d0230185818b530824510a3a44b65befb5b5e38fd57a864dede8c1479b84fbe74

  • SSDEEP

    49152:tU/5M1X4Wl/YvzYCQR9RQs+C40yZpJaD99Gg:tKq4oEa9RQs+Cn4/UKg

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Themida packer 21 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c2c546a7fb0733c8c2f811a6ffe0ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\3c2c546a7fb0733c8c2f811a6ffe0ee4.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4996
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1564
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4660
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5112
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:2852
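
The process tree above shows three dropped binaries that borrow well-known Windows names (explorer.exe, spoolsv.exe, svchost.exe) but run from C:\Windows\Resources\ and C:\Windows\Resources\Themes\, directories where none of those binaries belongs. The following is an added example, not part of the tria.ge report, covering both the Signatures list (Executes dropped EXE, Drops file in Windows directory) and the Processes tree: it re-creates the tree from the PIDs and command lines shown and flags every image whose name is a known system binary but whose directory is not its legitimate home. The expected-directory table is an assumption based on a default Windows install (explorer.exe in C:\Windows; spoolsv.exe and svchost.exe in System32; svchost.exe also in SysWOW64).

```python
"""Added example, not part of the tria.ge report: flag well-known Windows
binary names executing outside their legitimate directories, using the
process tree from the report as constructed input."""
import ntpath

# Where each binary lives on a default Windows install (assumption; compared
# case-insensitively after path normalisation).
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# (pid, parent pid, command line) as shown in the Processes section.
PROCESS_TREE = [
    (4996, None, r'"C:\Users\Admin\AppData\Local\Temp\3c2c546a7fb0733c8c2f811a6ffe0ee4.exe"'),
    (1564, 4996, r"c:\windows\resources\themes\explorer.exe"),
    (4660, 1564, r"c:\windows\resources\spoolsv.exe SE"),
    (5112, 4660, r"c:\windows\resources\svchost.exe"),
    (2852, 5112, r"c:\windows\resources\spoolsv.exe PR"),
]


def normalize_image(path):
    """Strip quotes and the \\??\\ NT object-manager prefix, then normalise and lowercase."""
    path = path.strip().strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    return ntpath.normpath(path).lower()


def image_from_cmdline(cmdline):
    """Extract the executable path from a Windows command line, quoted or not."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        image = s[1:end] if end != -1 else s[1:]
    else:
        image = s.split(None, 1)[0]
    return normalize_image(image)


def is_masquerade(image_path):
    """True when a known system binary name runs from a directory that is not its home."""
    path = normalize_image(image_path)
    expected = EXPECTED_DIRS.get(ntpath.basename(path))
    return expected is not None and ntpath.dirname(path) not in expected


def find_masquerades(tree):
    """Return [(pid, ppid, image)] for every masquerading process in the tree."""
    return [
        (pid, ppid, image_from_cmdline(cmdline))
        for pid, ppid, cmdline in tree
        if is_masquerade(image_from_cmdline(cmdline))
    ]


def chain_to_root(tree, pid):
    """Follow parent links from pid back to the root; returns PIDs root-first."""
    parents = {p: pp for p, pp, _ in tree}
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = parents.get(pid)
    return chain[::-1]


if __name__ == "__main__":
    for pid, ppid, image in find_masquerades(PROCESS_TREE):
        print(f"pid {pid} (parent {ppid}): {image}")
        print("  spawn chain:", " -> ".join(map(str, chain_to_root(PROCESS_TREE, pid))))
```

Run against the tree on this page, all four children (PIDs 1564, 4660, 5112, 2852) are flagged and the root sample is not, since its name is not a system binary. The same check applies unchanged to the Image field of process-creation telemetry on a live host. Note that Sysmon's registry events (IDs 12 to 14) cover key creation, value writes and renames, not reads, so the ACPI and BIOS lookups behind the anti-VM signatures leave no trace there; the path check above and the Run key the report notes are the practical host-side indicators.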

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    1.8MB

    MD5

    c4fc7cb8dd5a1ddcf87839a12e0e1612

    SHA1

    d7e840504c5e6aa3fdcfeb76ed1144bcc5b78753

    SHA256

    b9e37c92eaceb22cec54f48ef28f78d023079f3925453bebf6a36a6109a4e32e

    SHA512

    d12b5b898d7eb7854b4de331e412284eb7789933b14fc9496b8b62ede095c07b76dcd938a3298b1f837fd053c55f0cdcf52a2e3a388d1b618ab9d213770aaddf

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    381KB

    MD5

    2c9016390c6f11c08554e37475c91d17

    SHA1

    08d1a6afc6f25e66a03b46cca62a0eeced43edfe

    SHA256

    605fc04893629808457f5c2342fc386ceb9745dac71ea617a4ce472756ab0cda

    SHA512

    0e65e4d0193f35f3d70c77b0a66fe7436dfdff35bf98cfc39be24548923649e1e681b98c9d7456bccff32567bb75a1307dde054773124113f72f6d07295a22ee

  • \??\c:\windows\resources\spoolsv.exe

    Filesize

    92KB

    MD5

    a1d653f7fb197cdf399e7e78aa5030fc

    SHA1

    9ac3e7243dd2c8486e80734888919a7ed4d615fc

    SHA256

    75a7f50a190f3f37e729bd518bd00f18705eb793fd8cdce9bd89003a505c7f80

    SHA512

    dacb7096f3173070bbaa881ec83f46e601103a81e7f0178668236409a25a35c309667240ccafd8d6250789a0998193f63971b7a14e646219a9bbf6d342790bc1

  • \??\c:\windows\resources\themes\explorer.exe

    Filesize

    893KB

    MD5

    91f1058414fef792cd5f8252bc75f68b

    SHA1

    d3a570838d00093af7609641437c79f4fc6626e4

    SHA256

    b7dbaa2986f439d4948b9f5c56b36682abce67386eafbadb55f42675059c306b

    SHA512

    1b5fa23107a358917cc1be1708c749195996a4c0c9e8647b2793a59341dd65c097a0cfd5838034c697cebc77a90be4566792e4640b129c86ddb82059b6d82549

  • memory/1564-41-0x0000000000400000-0x0000000000A17000-memory.dmp (Filesize 6.1MB)
  • memory/1564-47-0x0000000000400000-0x0000000000A17000-memory.dmp (Filesize 6.1MB)
  • memory/1564-53-0x0000000000400000-0x0000000000A17000-memory.dmp (Filesize 6.1MB)
  • memory/1564-10-0x0000000000400000-0x0000000000A17000-memory.dmp (Filesize 6.1MB)
  • memory/1564-45-0x0000000000400000-0x0000000000A17000-memory.dmp (Filesize 6.1MB)
  • memory/1564-40-0x0000000000400000-0x0000000000A17000-memory.dmp (Filesize 6.1MB)
  • memory/2852-37-0x0000000000400000-0x0000000000A17000-memory.dmp (Filesize 6.1MB)
  • memory/2852-33-0x0000000000400000-0x0000000000A17000-memory.dmp (Filesize 6.1MB)
  • memory/4660-38-0x0000000000400000-0x0000000000A17000-memory.dmp (Filesize 6.1MB)
  • memory/4660-19-0x0000000000400000-0x0000000000A17000-memory.dmp (Filesize 6.1MB)
  • memory/4996-39-0x0000000000400000-0x0000000000A17000-memory.dmp (Filesize 6.1MB)
  • memory/4996-0-0x0000000000400000-0x0000000000A17000-memory.dmp (Filesize 6.1MB)
  • memory/4996-1-0x00000000770C4000-0x00000000770C6000-memory.dmp (Filesize 8KB)
  • memory/5112-42-0x0000000000400000-0x0000000000A17000-memory.dmp (Filesize 6.1MB)
  • memory/5112-28-0x0000000000400000-0x0000000000A17000-memory.dmp (Filesize 6.1MB)
  • memory/5112-50-0x0000000000400000-0x0000000000A17000-memory.dmp (Filesize 6.1MB)
  • memory/5112-52-0x0000000000400000-0x0000000000A17000-memory.dmp (Filesize 6.1MB)
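
An added example, not part of the tria.ge report, for sweeping a host for the submitted sample and the dropped files listed under Downloads. It hashes each file once for MD5, SHA-1 and SHA-256 and matches any of the three against the report's values. All four Downloads entries are included because the report records two different files written to each of the explorer.exe and spoolsv.exe paths (1.8MB and 893KB; 381KB and 92KB). The demo() function builds its IOC table from a constructed file's own digests, since the real dropped files are not available offline. One caveat: the 6.1MB memory regions listed above, identical in every process, will not hash to these on-disk values; the Themida packer signature means the image is unpacked at run time, so memory dumps need their own IOC set.

```python
"""Added example, not part of the tria.ge report: hash-based sweep for the
sample and dropped files listed on this page."""
import hashlib
import os
import tempfile

# Digests copied from the General and Downloads sections, keyed by SHA-256.
PAGE_IOCS = {
    "cdaab0439c5c3d992835a878b24ef0e6a361f400511cf7f8831893dbe8384286": {
        "name": "3c2c546a7fb0733c8c2f811a6ffe0ee4.exe (2.6MB, submitted sample)",
        "md5": "3c2c546a7fb0733c8c2f811a6ffe0ee4",
        "sha1": "5d129016a637f83cafea880d0c4dc859a1dc4242",
    },
    "b9e37c92eaceb22cec54f48ef28f78d023079f3925453bebf6a36a6109a4e32e": {
        "name": r"C:\Windows\Resources\Themes\explorer.exe (1.8MB)",
        "md5": "c4fc7cb8dd5a1ddcf87839a12e0e1612",
        "sha1": "d7e840504c5e6aa3fdcfeb76ed1144bcc5b78753",
    },
    "605fc04893629808457f5c2342fc386ceb9745dac71ea617a4ce472756ab0cda": {
        "name": r"C:\Windows\Resources\spoolsv.exe (381KB)",
        "md5": "2c9016390c6f11c08554e37475c91d17",
        "sha1": "08d1a6afc6f25e66a03b46cca62a0eeced43edfe",
    },
    "75a7f50a190f3f37e729bd518bd00f18705eb793fd8cdce9bd89003a505c7f80": {
        "name": r"c:\windows\resources\spoolsv.exe (92KB)",
        "md5": "a1d653f7fb197cdf399e7e78aa5030fc",
        "sha1": "9ac3e7243dd2c8486e80734888919a7ed4d615fc",
    },
    "b7dbaa2986f439d4948b9f5c56b36682abce67386eafbadb55f42675059c306b": {
        "name": r"c:\windows\resources\themes\explorer.exe (893KB)",
        "md5": "91f1058414fef792cd5f8252bc75f68b",
        "sha1": "d3a570838d00093af7609641437c79f4fc6626e4",
    },
}


def multi_hash(path, chunk=1 << 20):
    """Read a file once and return (md5, sha1, sha256) hex digests.

    MD5/SHA-1 are used only for IOC matching, hence usedforsecurity=False."""
    hashers = [
        hashlib.md5(usedforsecurity=False),
        hashlib.sha1(usedforsecurity=False),
        hashlib.sha256(),
    ]
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers:
                h.update(block)
    return tuple(h.hexdigest() for h in hashers)


def index_iocs(iocs):
    """Flatten an IOC table into {hexdigest: label} across all three algorithms."""
    index = {}
    for sha256, meta in iocs.items():
        for digest in (meta["md5"], meta["sha1"], sha256):
            index[digest.lower()] = meta["name"]
    return index


def sweep(root, iocs=PAGE_IOCS):
    """Walk root and return sorted [(path, label)] for files matching any IOC digest."""
    index = index_iocs(iocs)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = multi_hash(path)
            except OSError:
                continue  # locked or unreadable file; keep sweeping
            for digest in digests:
                if digest in index:
                    hits.append((path, index[digest]))
                    break
    return sorted(hits)


def demo():
    """Self-contained run: constructed files in a temp directory, IOC table built
    from the stand-in file's own digests. Returns [(basename, label)] of hits."""
    with tempfile.TemporaryDirectory() as root:
        bad = os.path.join(root, "explorer.exe")
        good = os.path.join(root, "notes.txt")
        with open(bad, "wb") as f:
            f.write(b"constructed stand-in for a dropped file")
        with open(good, "wb") as f:
            f.write(b"benign content")
        md5, sha1, sha256 = multi_hash(bad)
        iocs = {sha256: {"name": "constructed:explorer.exe", "md5": md5, "sha1": sha1}}
        return [(os.path.basename(p), label) for p, label in sweep(root, iocs)]


if __name__ == "__main__":
    print(demo())
```

For a real sweep, call sweep(r"C:\Windows\Resources") with the default PAGE_IOCS; a hit on any one algorithm is reported and the rest are not re-checked. SSDEEP, which the report gives only for the submitted sample, is not in hashlib and would need a separate library.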