6235dcfcc025b267404345ac9cbab036edd2e17b7f1c3009374042204d380b21

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	lasservices_spoofer.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	lasservices_spoofer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lasservices_spoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lasservices_spoofer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 51 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/5060-10-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-11-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-12-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-13-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-14-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-16-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-18-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-19-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-20-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-22-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-24-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-26-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-27-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-28-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-29-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-30-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-31-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-32-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-33-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-37-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-48-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-49-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-50-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-51-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-53-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-54-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-55-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-56-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-57-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-58-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-59-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-60-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-61-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-62-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-63-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-64-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-65-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-66-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-67-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-68-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-69-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-70-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-71-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-72-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-73-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-74-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-75-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-76-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-77-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-78-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida
behavioral2/memory/5060-79-0x00007FF72B970000-0x00007FF72D503000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lasservices_spoofer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	lasservices_spoofer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe
5060	lasservices_spoofer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5060	lasservices_spoofer.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 2476	5060	lasservices_spoofer.exe	90
PID 5060 wrote to memory of 2476	5060	lasservices_spoofer.exe	90
PID 2476 wrote to memory of 2464	2476	cmd.exe	91
PID 2476 wrote to memory of 2464	2476	cmd.exe	91
PID 2476 wrote to memory of 1008	2476	cmd.exe	92
PID 2476 wrote to memory of 1008	2476	cmd.exe	92
PID 2476 wrote to memory of 4092	2476	cmd.exe	93
PID 2476 wrote to memory of 4092	2476	cmd.exe	93
PID 5060 wrote to memory of 2060	5060	lasservices_spoofer.exe	94
PID 5060 wrote to memory of 2060	5060	lasservices_spoofer.exe	94

C:\Users\Admin\AppData\Local\Temp\lasservices_spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\lasservices_spoofer.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\lasservices_spoofer.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\lasservices_spoofer.exe" MD5
    3⤵
    PID:2464
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:1008
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:4092
- C:\Users\Admin\AppData\Local\Temp\lasservices_spoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\lasservices_spoofer.exe"
  2⤵
  PID:2060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\lasservices_spoofer.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  PID:4164
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\lasservices_spoofer.exe" MD5
    3⤵
    PID:4160
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:4992
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:4780

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2392

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion