bab0af44c41ebaf4ba8ae3209d852247e9b443154e626dbdf003a076c1e88abc

Resubmissions

03/01/2024, 14:58

240103-scdplafcfk 9

03/01/2024, 14:52

240103-r88zyafbgn 9

Analysis

max time kernel
54s
max time network
58s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/01/2024, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MatSploit.exe
Size

5.5MB
MD5

9e0513f49b3bb36ea8e2021114c05cc4
SHA1

48f8a10ef94aaab148226deee2fd648814732317
SHA256

bab0af44c41ebaf4ba8ae3209d852247e9b443154e626dbdf003a076c1e88abc
SHA512

2d93d1579dd2324d854971bafe5c7ae0ed79df45b551c18d238e05f2b2d9fed70d696f9b145ac30db7abea7565a4196d2a6726ae00771341f1f898a785767123
SSDEEP

98304:O/G5xtyMrU1eOyjaG8uOJQToGRtVtmNh6/wfi2dxIkbyFQ0g/QjESYaBheEBrbiD:+wOK8uRTLvtmUwfxtWQ0gkbhcjSW

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MatSploit.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MatSploit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MatSploit.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1264-23-0x00000000010C0000-0x0000000001E14000-memory.dmp	themida
behavioral1/memory/1264-24-0x00000000010C0000-0x0000000001E14000-memory.dmp	themida
behavioral1/memory/1264-45-0x00000000010C0000-0x0000000001E14000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MatSploit.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1264	MatSploit.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2096	1264	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1264	MatSploit.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 2096	1264	MatSploit.exe	30
PID 1264 wrote to memory of 2096	1264	MatSploit.exe	30
PID 1264 wrote to memory of 2096	1264	MatSploit.exe	30
PID 1264 wrote to memory of 2096	1264	MatSploit.exe	30

C:\Users\Admin\AppData\Local\Temp\MatSploit.exe
"C:\Users\Admin\AppData\Local\Temp\MatSploit.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 1392
  2⤵
  - Program crash
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1264-0-0x00000000010C0000-0x0000000001E14000-memory.dmp

Filesize
13.3MB

Download
memory/1264-1-0x0000000077480000-0x0000000077590000-memory.dmp

Filesize
1.1MB

Download
memory/1264-2-0x0000000077480000-0x0000000077590000-memory.dmp

Filesize
1.1MB

Download
memory/1264-3-0x0000000077480000-0x0000000077590000-memory.dmp

Filesize
1.1MB

Download
memory/1264-4-0x0000000077480000-0x0000000077590000-memory.dmp

Filesize
1.1MB

Download
memory/1264-5-0x0000000077480000-0x0000000077590000-memory.dmp

Filesize
1.1MB

Download
memory/1264-6-0x0000000075CF0000-0x0000000075D37000-memory.dmp

Filesize
284KB

Download
memory/1264-7-0x0000000077480000-0x0000000077590000-memory.dmp

Filesize
1.1MB

Download
memory/1264-9-0x0000000077480000-0x0000000077590000-memory.dmp

Filesize
1.1MB

Download
memory/1264-12-0x0000000077480000-0x0000000077590000-memory.dmp

Filesize
1.1MB

Download
memory/1264-14-0x0000000077480000-0x0000000077590000-memory.dmp

Filesize
1.1MB

Download
memory/1264-16-0x0000000077480000-0x0000000077590000-memory.dmp

Filesize
1.1MB

Download
memory/1264-18-0x0000000077480000-0x0000000077590000-memory.dmp

Filesize
1.1MB

Download
memory/1264-20-0x0000000077480000-0x0000000077590000-memory.dmp

Filesize
1.1MB

Download
memory/1264-19-0x0000000077BD0000-0x0000000077BD2000-memory.dmp

Filesize
8KB

Download
memory/1264-17-0x0000000075CF0000-0x0000000075D37000-memory.dmp

Filesize
284KB

Download
memory/1264-15-0x0000000077480000-0x0000000077590000-memory.dmp

Filesize
1.1MB

Download
memory/1264-23-0x00000000010C0000-0x0000000001E14000-memory.dmp

Filesize
13.3MB

Download
memory/1264-22-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/1264-24-0x00000000010C0000-0x0000000001E14000-memory.dmp

Filesize
13.3MB

Download
memory/1264-25-0x00000000057E0000-0x0000000005820000-memory.dmp

Filesize
256KB

Download
memory/1264-26-0x0000000075CF0000-0x0000000075D37000-memory.dmp

Filesize
284KB

Download
memory/1264-27-0x0000000077480000-0x0000000077590000-memory.dmp

Filesize
1.1MB

Download
memory/1264-28-0x0000000077480000-0x0000000077590000-memory.dmp

Filesize
1.1MB

Download
memory/1264-30-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/1264-29-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/1264-31-0x00000000057E0000-0x0000000005820000-memory.dmp

Filesize
256KB

Download
memory/1264-32-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/1264-35-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/1264-36-0x00000000057E0000-0x0000000005820000-memory.dmp

Filesize
256KB

Download
memory/1264-37-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/1264-38-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/1264-40-0x00000000057E0000-0x0000000005820000-memory.dmp

Filesize
256KB

Download
memory/1264-41-0x00000000057E0000-0x0000000005820000-memory.dmp

Filesize
256KB

Download
memory/1264-42-0x00000000057E0000-0x0000000005820000-memory.dmp

Filesize
256KB

Download
memory/1264-44-0x0000000077480000-0x0000000077590000-memory.dmp

Filesize
1.1MB

Download
memory/1264-45-0x00000000010C0000-0x0000000001E14000-memory.dmp

Filesize
13.3MB

Download
memory/1264-46-0x0000000075CF0000-0x0000000075D37000-memory.dmp

Filesize
284KB

Download
memory/1264-48-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads