mirai | 5dcfac410a8ac5371ec25cbf19002209f1d52c7429ea992e2efd965ff55d4fa9

Resubmissions

23-02-2024 03:45

240223-ea6qpsaf9t 10

23-02-2024 02:03

240223-cg4htahg5x 10

Analysis

max time kernel
130s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe
Size

4.3MB
MD5

ae2b1b79c7579bb64b1640303f88c05f
SHA1

aca79755589eaaaffb9d8beb477b0d3df50982c4
SHA256

e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f
SHA512

b5bad1bb105f85edb7389d1e2914e54468e7871aa46baf8395f985cbe2e8d9cda1da24dc2245c4bcf6de28ca8fc176b35be6af4a489c8f2cef4c4cb1b595aa27
SSDEEP

98304:oHj/GBkxFCBLVvr/jsfLy+y/rk3zw/EZk9oaE9AyiR2BWoA:w/ciFQVvXsOqdZydH20oA

Score

10^/10

mirai botnet evasion themida trojan

Malware Config

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe

Loads dropped DLL 1 IoCs

Processes:

e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe

pid process

948 e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral4/memory/948-11-0x0000000000160000-0x0000000000A1A000-memory.dmp	themida
behavioral4/memory/948-51-0x0000000000160000-0x0000000000A1A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe

pid process

948 e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe

description	pid	process	target process
PID 948 set thread context of 1564	948	e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe

pid	process
948	e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe
948	e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 1564 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1564	RegAsm.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe

description	pid	process	target process
PID 948 wrote to memory of 3172	948	e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe	RegAsm.exe
PID 948 wrote to memory of 3172	948	e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe	RegAsm.exe
PID 948 wrote to memory of 3172	948	e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe	RegAsm.exe
PID 948 wrote to memory of 1564	948	e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe	RegAsm.exe
PID 948 wrote to memory of 1564	948	e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe	RegAsm.exe
PID 948 wrote to memory of 1564	948	e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe	RegAsm.exe
PID 948 wrote to memory of 1564	948	e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe	RegAsm.exe
PID 948 wrote to memory of 1564	948	e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe	RegAsm.exe
PID 948 wrote to memory of 1564	948	e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe	RegAsm.exe
PID 948 wrote to memory of 1564	948	e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe	RegAsm.exe
PID 948 wrote to memory of 1564	948	e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe
"C:\Users\Admin\AppData\Local\Temp\e046c5e3f0ead64c214eaa411189b0001bdc5431f3a942d0e6fff1ba87fadb9f.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
PID:3172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
memory/948-32-0x0000000005E50000-0x0000000005F50000-memory.dmp

Filesize
1024KB

Download
memory/948-19-0x0000000076DA0000-0x0000000076E90000-memory.dmp

Filesize
960KB

Download
memory/948-3-0x0000000076DA0000-0x0000000076E90000-memory.dmp

Filesize
960KB

Download
memory/948-4-0x0000000076DA0000-0x0000000076E90000-memory.dmp

Filesize
960KB

Download
memory/948-5-0x0000000076DA0000-0x0000000076E90000-memory.dmp

Filesize
960KB

Download
memory/948-6-0x0000000076DA0000-0x0000000076E90000-memory.dmp

Filesize
960KB

Download
memory/948-7-0x0000000077704000-0x0000000077706000-memory.dmp

Filesize
8KB

Download
memory/948-11-0x0000000000160000-0x0000000000A1A000-memory.dmp

Filesize
8.7MB

Download
memory/948-12-0x0000000005580000-0x000000000561C000-memory.dmp

Filesize
624KB

Download
memory/948-14-0x0000000000160000-0x0000000000A1A000-memory.dmp

Filesize
8.7MB

Download
memory/948-15-0x0000000076DA0000-0x0000000076E90000-memory.dmp

Filesize
960KB

Download
memory/948-17-0x0000000076DA0000-0x0000000076E90000-memory.dmp

Filesize
960KB

Download
memory/948-18-0x0000000076DA0000-0x0000000076E90000-memory.dmp

Filesize
960KB

Download
memory/948-51-0x0000000000160000-0x0000000000A1A000-memory.dmp

Filesize
8.7MB

Download
memory/948-21-0x0000000005990000-0x0000000005B22000-memory.dmp

Filesize
1.6MB

Download
memory/948-1-0x0000000076DA0000-0x0000000076E90000-memory.dmp

Filesize
960KB

Download
memory/948-35-0x0000000006620000-0x0000000006BC4000-memory.dmp

Filesize
5.6MB

Download
memory/948-28-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/948-29-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/948-30-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/948-31-0x0000000005E50000-0x0000000005F50000-memory.dmp

Filesize
1024KB

Download
memory/948-0-0x0000000000160000-0x0000000000A1A000-memory.dmp

Filesize
8.7MB

Download
memory/948-53-0x0000000076DA0000-0x0000000076E90000-memory.dmp

Filesize
960KB

Download
memory/948-2-0x0000000076DA0000-0x0000000076E90000-memory.dmp

Filesize
960KB

Download
memory/948-27-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/1564-64-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/1564-39-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/1564-43-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1564-41-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/1564-40-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1564-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1564-44-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1564-45-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1564-48-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1564-50-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1564-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1564-52-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1564-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1564-56-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1564-58-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1564-59-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1564-61-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1564-62-0x00000000058A0000-0x0000000005932000-memory.dmp

Filesize
584KB

Download
memory/1564-63-0x0000000005880000-0x000000000588A000-memory.dmp

Filesize
40KB

Download
memory/1564-33-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1564-65-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download