d70e292a21ebc5ca1675ca585bcae52a51aad4bcee9bbbaf44b0a2cc635b64c7

Resubmissions

22-02-2024 23:12

240222-267dfagb9s 9

22-02-2024 04:28

240222-e3tlvabe7t 3

22-02-2024 04:25

240222-e19kaabe51 9

Analysis

max time kernel
8s
max time network
14s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

login.exe
Size

429KB
MD5

b88444cf2c03ce4efe2a1608a379ee53
SHA1

68d9285ee72288656c258cf9db9c564226a48ddb
SHA256

d70e292a21ebc5ca1675ca585bcae52a51aad4bcee9bbbaf44b0a2cc635b64c7
SHA512

7c9e116a417f2a15d2ca3f70b61697c9e34b6131b12221032cde9d64c41993f6f8cfa34196ed99122aa34d59159955d6362827f0d4eee1688bce465539e8d633
SSDEEP

12288:Zt5NpMGK6Ia5Jr4IQAvq3eSKXvVZhuwxHvh:Zt5NGGzIo3QSqOS+VZhT

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	loader.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	loader.exe

Executes dropped EXE 1 IoCs

pid	Process
1364	loader.exe

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0007000000023106-2.dat	themida
behavioral2/files/0x0007000000023106-3.dat	themida
behavioral2/memory/1364-4-0x00007FF788440000-0x00007FF788EDF000-memory.dmp	themida
behavioral2/memory/1364-6-0x00007FF788440000-0x00007FF788EDF000-memory.dmp	themida
behavioral2/memory/1364-7-0x00007FF788440000-0x00007FF788EDF000-memory.dmp	themida
behavioral2/memory/1364-8-0x00007FF788440000-0x00007FF788EDF000-memory.dmp	themida
behavioral2/memory/1364-9-0x00007FF788440000-0x00007FF788EDF000-memory.dmp	themida
behavioral2/memory/1364-10-0x00007FF788440000-0x00007FF788EDF000-memory.dmp	themida
behavioral2/memory/1364-11-0x00007FF788440000-0x00007FF788EDF000-memory.dmp	themida
behavioral2/memory/1364-12-0x00007FF788440000-0x00007FF788EDF000-memory.dmp	themida
behavioral2/memory/1364-13-0x00007FF788440000-0x00007FF788EDF000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1364	loader.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1364	loader.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1364	loader.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 2980	4440	login.exe	82
PID 4440 wrote to memory of 2980	4440	login.exe	82
PID 2980 wrote to memory of 1364	2980	cmd.exe	83
PID 2980 wrote to memory of 1364	2980	cmd.exe	83
PID 1364 wrote to memory of 536	1364	loader.exe	85
PID 1364 wrote to memory of 536	1364	loader.exe	85
PID 536 wrote to memory of 1220	536	cmd.exe	87
PID 536 wrote to memory of 1220	536	cmd.exe	87
PID 536 wrote to memory of 1388	536	cmd.exe	88
PID 536 wrote to memory of 1388	536	cmd.exe	88
PID 536 wrote to memory of 3568	536	cmd.exe	89
PID 536 wrote to memory of 3568	536	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\login.exe
"C:\Users\Admin\AppData\Local\Temp\login.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
    C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:536
    - - C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe" MD5
        5⤵
        
        PID:1220
    - - C:\Windows\system32\find.exe
        
        find /i /v "md5"
        5⤵
        
        PID:1388
    - - C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        5⤵
        
        PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe

Filesize
3.6MB

MD5
47f78f45c4b5e3f69cf46315cf3197e7

SHA1
c96dc273a0ac5719e2cb34b4e198eee29f0e33a5

SHA256
96af965a50a84fd351811654f2e90f8a94dce56146b36ef91ee2c0b9a7591bdb

SHA512
9386394443b9e86225dd87c6645554eca022e84fdec9037a680e410d825ac188b5bc5888fc056f2608f98aecd1a37a22966362ae54aa5517bc5f3c7b35670137

Download Submit
C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe

Filesize
3.6MB

MD5
475734d7d331976f34fb821159c1e15c

SHA1
ca9714ae17c0b41da1c8d654eb428b79f3800d24

SHA256
f5fdaf18bdd3fa5ffaf5e92d417c557a685b16155b55bf393ddbda804ef6248c

SHA512
7a7d186ea90d534615df7f9897197ca7a5286faf395cf03de6d72f82eb10ed4a6e71b74e86f2c416bb19c1de60edec1735e3717841ac47d2e249037a8e874e62

Download Submit
memory/1364-4-0x00007FF788440000-0x00007FF788EDF000-memory.dmp

Filesize
10.6MB

Download
memory/1364-5-0x00007FFEB0D50000-0x00007FFEB0F45000-memory.dmp

Filesize
2.0MB

Download
memory/1364-6-0x00007FF788440000-0x00007FF788EDF000-memory.dmp

Filesize
10.6MB

Download
memory/1364-7-0x00007FF788440000-0x00007FF788EDF000-memory.dmp

Filesize
10.6MB

Download
memory/1364-8-0x00007FF788440000-0x00007FF788EDF000-memory.dmp

Filesize
10.6MB

Download
memory/1364-9-0x00007FF788440000-0x00007FF788EDF000-memory.dmp

Filesize
10.6MB

Download
memory/1364-10-0x00007FF788440000-0x00007FF788EDF000-memory.dmp

Filesize
10.6MB

Download
memory/1364-11-0x00007FF788440000-0x00007FF788EDF000-memory.dmp

Filesize
10.6MB

Download
memory/1364-12-0x00007FF788440000-0x00007FF788EDF000-memory.dmp

Filesize
10.6MB

Download
memory/1364-13-0x00007FF788440000-0x00007FF788EDF000-memory.dmp

Filesize
10.6MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads