9546700fdb4c1911a1a40b8359f2438d174d21d499887ef8cad63d39763759c1

Analysis

max time kernel
1800s
max time network
1171s
platform
windows10-2004_x64
resource
win10v2004-20231222-ja
resource tags

arch:x64arch:x86image:win10v2004-20231222-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
14/01/2024, 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zchairs Fully patched.exe
Size

11.0MB
MD5

b98542fb3bcb15a62b3d17c0def49329
SHA1

635eef3c1af558d461d6be3dde90622306956538
SHA256

9546700fdb4c1911a1a40b8359f2438d174d21d499887ef8cad63d39763759c1
SHA512

e6cee644feb57970c736ebd6c94e4198f44dd50be4b3bdde49522c53a0eb241973e6f30e5b7f4366db9de4e28d17c6ab5c4d890376becfa6f0bd5b911e274e4c
SSDEEP

196608:fn2/gyfWA3OnTHTTmx2aOHzKTo/lc2gg:v2/3WMOnTHTxRHz7G6

Score

7^/10

themida

Malware Config

Signatures

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/5476-0-0x00007FF628470000-0x00007FF628F81000-memory.dmp	themida
behavioral1/memory/5476-1-0x00007FF628470000-0x00007FF628F81000-memory.dmp	themida

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5476	Zchairs Fully patched.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3820	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5476 wrote to memory of 3640	5476	Zchairs Fully patched.exe	87
PID 5476 wrote to memory of 3640	5476	Zchairs Fully patched.exe	87
PID 3640 wrote to memory of 1656	3640	cmd.exe	89
PID 3640 wrote to memory of 1656	3640	cmd.exe	89
PID 3640 wrote to memory of 2612	3640	cmd.exe	90
PID 3640 wrote to memory of 2612	3640	cmd.exe	90
PID 3640 wrote to memory of 5388	3640	cmd.exe	91
PID 3640 wrote to memory of 5388	3640	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\Zchairs Fully patched.exe
"C:\Users\Admin\AppData\Local\Temp\Zchairs Fully patched.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:5476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Zchairs Fully patched.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Zchairs Fully patched.exe" MD5
    3⤵
    PID:1656
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2612
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:5388

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:5520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3820-50-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-56-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-2-0x000002755E790000-0x000002755E7A0000-memory.dmp

Filesize
64KB

Download
memory/3820-18-0x000002755E890000-0x000002755E8A0000-memory.dmp

Filesize
64KB

Download
memory/3820-34-0x0000027566C00000-0x0000027566C01000-memory.dmp

Filesize
4KB

Download
memory/3820-36-0x0000027566C50000-0x0000027566C51000-memory.dmp

Filesize
4KB

Download
memory/3820-37-0x0000027566C50000-0x0000027566C51000-memory.dmp

Filesize
4KB

Download
memory/3820-38-0x0000027566D60000-0x0000027566D61000-memory.dmp

Filesize
4KB

Download
memory/3820-39-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-40-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-41-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-42-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-43-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-44-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-45-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-47-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-46-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-65-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-59-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-49-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-51-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-52-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-53-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-54-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-55-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-48-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-57-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-58-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-66-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-60-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-61-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-62-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-63-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/3820-64-0x0000027566C60000-0x0000027566C61000-memory.dmp

Filesize
4KB

Download
memory/5476-0-0x00007FF628470000-0x00007FF628F81000-memory.dmp

Filesize
11.1MB

Download
memory/5476-1-0x00007FF628470000-0x00007FF628F81000-memory.dmp

Filesize
11.1MB

Download