1485d1fbf81653d5e89778ebb6f8eba653db2e3e11b8263f42a87c32567c7e89

General

Target

hahahahahahahahahahahahah/login.exe
Size

429KB
MD5

b88444cf2c03ce4efe2a1608a379ee53
SHA1

68d9285ee72288656c258cf9db9c564226a48ddb
SHA256

d70e292a21ebc5ca1675ca585bcae52a51aad4bcee9bbbaf44b0a2cc635b64c7
SHA512

7c9e116a417f2a15d2ca3f70b61697c9e34b6131b12221032cde9d64c41993f6f8cfa34196ed99122aa34d59159955d6362827f0d4eee1688bce465539e8d633
SSDEEP

12288:Zt5NpMGK6Ia5Jr4IQAvq3eSKXvVZhuwxHvh:Zt5NGGzIo3QSqOS+VZhT

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

loader.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ loader.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	loader.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	loader.exe

Executes dropped EXE 1 IoCs

Processes:

loader.exe

pid process

4148 loader.exe

pid	process
4148	loader.exe

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe	themida
behavioral2/memory/4148-4-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp	themida
behavioral2/memory/4148-6-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp	themida
behavioral2/memory/4148-7-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp	themida
behavioral2/memory/4148-8-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp	themida
behavioral2/memory/4148-10-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp	themida
behavioral2/memory/4148-9-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp	themida
behavioral2/memory/4148-11-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp	themida
behavioral2/memory/4148-12-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp	themida
behavioral2/memory/4148-13-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp	themida
behavioral2/memory/4148-16-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp	themida
behavioral2/memory/4148-18-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

loader.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA loader.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

loader.exe

pid process

4148 loader.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

loader.exe

pid process

4148 loader.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

loader.exe

pid process

4148 loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	loader.exe

pid	process
4148	loader.exe

pid	process
4148	loader.exe

pid	process
4148	loader.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

login.execmd.exeloader.execmd.exe

description	pid	process	target process
PID 196 wrote to memory of 884	196	login.exe	cmd.exe
PID 196 wrote to memory of 884	196	login.exe	cmd.exe
PID 884 wrote to memory of 4148	884	cmd.exe	loader.exe
PID 884 wrote to memory of 4148	884	cmd.exe	loader.exe
PID 4148 wrote to memory of 3996	4148	loader.exe	cmd.exe
PID 4148 wrote to memory of 3996	4148	loader.exe	cmd.exe
PID 3996 wrote to memory of 4516	3996	cmd.exe	certutil.exe
PID 3996 wrote to memory of 4516	3996	cmd.exe	certutil.exe
PID 3996 wrote to memory of 2692	3996	cmd.exe	find.exe
PID 3996 wrote to memory of 2692	3996	cmd.exe	find.exe
PID 3996 wrote to memory of 600	3996	cmd.exe	find.exe
PID 3996 wrote to memory of 600	3996	cmd.exe	find.exe

C:\Users\Admin\AppData\Local\Temp\hahahahahahahahahahahahah\login.exe
"C:\Users\Admin\AppData\Local\Temp\hahahahahahahahahahahahah\login.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
4⤵
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe" MD5
5⤵
PID:4516

C:\Windows\system32\find.exe
find /i /v "md5"
5⤵
PID:2692

C:\Windows\system32\find.exe
find /i /v "certutil"
5⤵
PID:600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe

Filesize
4.1MB

MD5
9ecdc9ed1bea6c226f92d740d43400b9

SHA1
b5b5066cd4284733d8c3f3d7de3ca6653091ae10

SHA256
60c57f14c2e0e0df0bda16646b21dddceaee0159dafbbb8daba310d4e1b5be6c

SHA512
30bc705a2438288e3647d5adfc6119d751823970972b9c6b39a60384a2b7ac261986026b8d1c0b0ca7ee3d7e95363c97b873fdc5fad4096c903cb4e15bf57e43

Download Submit
memory/4148-4-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp

Filesize
10.6MB

Download
memory/4148-5-0x00007FFCFB900000-0x00007FFCFBADB000-memory.dmp

Filesize
1.9MB

Download
memory/4148-6-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp

Filesize
10.6MB

Download
memory/4148-7-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp

Filesize
10.6MB

Download
memory/4148-8-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp

Filesize
10.6MB

Download
memory/4148-10-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp

Filesize
10.6MB

Download
memory/4148-9-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp

Filesize
10.6MB

Download
memory/4148-11-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp

Filesize
10.6MB

Download
memory/4148-12-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp

Filesize
10.6MB

Download
memory/4148-13-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp

Filesize
10.6MB

Download
memory/4148-15-0x00007FFCFB900000-0x00007FFCFBADB000-memory.dmp

Filesize
1.9MB

Download
memory/4148-16-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp

Filesize
10.6MB

Download
memory/4148-18-0x00007FF6B6F00000-0x00007FF6B799F000-memory.dmp

Filesize
10.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads