Malware Analysis Report

2025-08-11 01:05

Sample ID 240302-t8bqjsfd96
Target Build.exe
SHA256 8eeda0849b8bffc5d26ee56f02162f2e75e4271c4257c309197f3645fac47c03
Tags
themida evasion persistence trojan
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

8eeda0849b8bffc5d26ee56f02162f2e75e4271c4257c309197f3645fac47c03

Threat Level: Likely malicious

The file Build.exe was found to be: Likely malicious.

Malicious Activity Summary

themida evasion persistence trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Creates new service(s)

Drops file in Drivers directory

Stops running service(s)

Checks BIOS information in registry

Themida packer

Executes dropped EXE

Checks whether UAC is enabled

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 16:43

Signatures

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 16:43

Reported

2024-03-02 16:50

Platform

win11-20240221-en

Max time kernel

23s

Max time network

17s

Command Line

winlogon.exe

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A

Creates new service(s)

persistence

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Updater.exe | N/A
N/A | N/A | C:\ProgramData\hmtufamemhvn\kvkinxkledtt.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | icanhazip.com | N/A | N/A
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4224 set thread context of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\system32\dialer.exe

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Build.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Updater.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\dialer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4916 wrote to memory of 4224 | N/A | C:\Users\Admin\AppData\Local\Temp\Build.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4916 wrote to memory of 4224 | N/A | C:\Users\Admin\AppData\Local\Temp\Build.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4916 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\Build.exe | C:\Users\Admin\AppData\Local\Temp\Updater.exe
PID 4916 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\Build.exe | C:\Users\Admin\AppData\Local\Temp\Updater.exe
PID 4916 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\Build.exe | C:\Users\Admin\AppData\Local\Temp\Updater.exe
PID 2656 wrote to memory of 4124 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wusa.exe
PID 2656 wrote to memory of 4124 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wusa.exe
PID 4224 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\system32\dialer.exe
PID 4224 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\system32\dialer.exe
PID 4224 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\system32\dialer.exe
PID 4224 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\system32\dialer.exe
PID 4224 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\system32\dialer.exe
PID 4224 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\system32\dialer.exe
PID 4224 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\system32\dialer.exe
PID 3968 wrote to memory of 608 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\winlogon.exe
PID 3968 wrote to memory of 692 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\lsass.exe
PID 3968 wrote to memory of 992 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\svchost.exe
PID 692 wrote to memory of 2692 | N/A | C:\Windows\system32\lsass.exe | C:\Windows\sysmon.exe
PID 692 wrote to memory of 2692 | N/A | C:\Windows\system32\lsass.exe | C:\Windows\sysmon.exe
PID 692 wrote to memory of 2692 | N/A | C:\Windows\system32\lsass.exe | C:\Windows\sysmon.exe
PID 3968 wrote to memory of 424 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\dwm.exe
PID 692 wrote to memory of 2692 | N/A | C:\Windows\system32\lsass.exe | C:\Windows\sysmon.exe
PID 692 wrote to memory of 2692 | N/A | C:\Windows\system32\lsass.exe | C:\Windows\sysmon.exe
PID 3968 wrote to memory of 548 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\svchost.exe
PID 692 wrote to memory of 2692 | N/A | C:\Windows\system32\lsass.exe | C:\Windows\sysmon.exe
PID 692 wrote to memory of 2692 | N/A | C:\Windows\system32\lsass.exe | C:\Windows\sysmon.exe
PID 692 wrote to memory of 2692 | N/A | C:\Windows\system32\lsass.exe | C:\Windows\sysmon.exe
PID 3968 wrote to memory of 420 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\System32\svchost.exe
PID 692 wrote to memory of 2692 | N/A | C:\Windows\system32\lsass.exe | C:\Windows\sysmon.exe
PID 692 wrote to memory of 2692 | N/A | C:\Windows\system32\lsass.exe | C:\Windows\sysmon.exe
PID 692 wrote to memory of 2692 | N/A | C:\Windows\system32\lsass.exe | C:\Windows\sysmon.exe
PID 3968 wrote to memory of 1040 | N/A | C:\Windows\system32\dialer.exe | C:\Windows\system32\svchost.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Users\Admin\AppData\Local\Temp\Build.exe

"C:\Users\Admin\AppData\Local\Temp\Build.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Updater.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "WindowsComplite"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "WindowsComplite" binpath= "C:\ProgramData\hmtufamemhvn\kvkinxkledtt.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "WindowsComplite"

C:\ProgramData\hmtufamemhvn\kvkinxkledtt.exe

C:\ProgramData\hmtufamemhvn\kvkinxkledtt.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | icanhazip.com | udp
US | 104.18.114.97:80 | icanhazip.com | tcp
US | 8.8.8.8:53 | ipinfo.io | udp
US | 34.117.186.192:443 | ipinfo.io | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp

Files

memory/4916-0-0x0000000000400000-0x000000000141D000-memory.dmp

memory/4916-1-0x0000000076F36000-0x0000000076F38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 c97018b83acc1099cdd171647a50ec1f
SHA1 1acdb17298ee25d9042c79346cc53f72767e6607
SHA256 e49aec48358a65ac8d93539528d239cf5b9346e83efe7e67a8fa434283fa2d25
SHA512 02c64c328a2fff1292c82ce270fcd173af85edf6db699b0d6a757c0ac233966d521f37d819c2a0a5f4ceeb44b9035914012548c28066fcfcdfd2a3942449f07b

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 5c3b30d8ade126aa1cd2d4f95bb5e659
SHA1 ba84942c79082c9a5b2515c0d68fa36c863f85e7
SHA256 592b8a235160a8d998f488130bc2a7aeaf347932bac7ef5e11fd737dd9848f14
SHA512 e682a38d5d5a3251b62c9feedec442e78a2f23a1b6c7b8de40a33615eabdd90a1da8f1cfbc080b0b2c6cc71d090c48f11ff4e87934357fc6164544d0e5d3c2e3

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 a477518f3287d7e8aa1f977593474522
SHA1 228448f0d6ba5898c89db2f52950459dd9cff996
SHA256 e7f7bdcbd8ea7cf8c4ff603967c92b8aa3959bede14f2e9dde0238fdca1222bc
SHA512 cc8f7cab346fcc2d3a5d15e266a373edf99b31364824fbb1d857ca3aa70be1febb13e72a28e8cce3a6896b72764705d558621454e90c667fb0780397172b07ed

C:\Users\Admin\AppData\Local\Temp\Updater.exe

MD5 119381127de6ea7afbf03ee691fb77a0
SHA1 ad93c9fe7bb1552ea7b67d9449adceebd8b3e243
SHA256 c5bbcc2198bb876454a436f5e3a574e2b1ed5fac90e0afa34b23fccb4fe319a0
SHA512 70a1ae0c09d31126516d08d0c0d62e0419a6c318728d995300f11a7090fbd1e5b17b3fbf9690e0d1d60af47395ceaf91402f4297953cd7e8b4606fe03fbf1465

C:\Users\Admin\AppData\Local\Temp\Updater.exe

MD5 d5ea67d392c23f20921d26cba0fdf284
SHA1 572013524756c6323a198810cf63c32d90044f46
SHA256 2e5a498e9299a5a6d7ca9d36def6d2f546812a34db0fe91528ab586dd9d07a18
SHA512 d5159344dd389c18f2d6ec9911a4a5a9b1240cefb88ab8bf8099f9ce3918915ccd39466ef750f3b3cafab2096e550e7fd07a8680780b7383f45c601603b49b7d

memory/4916-82-0x0000000000400000-0x000000000141D000-memory.dmp

memory/4224-83-0x00007FF6EDF50000-0x00007FF6EF487000-memory.dmp

memory/4224-84-0x00007FF454680000-0x00007FF454A51000-memory.dmp

memory/2336-86-0x0000000000220000-0x000000000031C000-memory.dmp

memory/2336-88-0x0000000074330000-0x0000000074AE1000-memory.dmp

memory/4224-91-0x00007FF6EDF50000-0x00007FF6EF487000-memory.dmp

memory/2336-90-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/2336-92-0x0000000004DE0000-0x0000000004DFC000-memory.dmp

memory/2336-89-0x0000000004DC0000-0x0000000004DDA000-memory.dmp

memory/2336-87-0x0000000004D40000-0x0000000004DA4000-memory.dmp

memory/2336-93-0x0000000004EA0000-0x0000000004F32000-memory.dmp

memory/2336-94-0x0000000006090000-0x00000000060AE000-memory.dmp

memory/2336-95-0x0000000006210000-0x0000000006292000-memory.dmp

memory/2336-96-0x0000000006290000-0x00000000062B6000-memory.dmp

memory/2336-97-0x00000000062C0000-0x00000000062C8000-memory.dmp

memory/2336-98-0x00000000062F0000-0x00000000062F8000-memory.dmp

memory/2336-99-0x0000000006300000-0x000000000630A000-memory.dmp

memory/2336-100-0x0000000006340000-0x0000000006356000-memory.dmp

memory/2336-101-0x0000000006360000-0x000000000636A000-memory.dmp

memory/2336-102-0x0000000006390000-0x00000000063AE000-memory.dmp

memory/2336-103-0x0000000006480000-0x00000000064E6000-memory.dmp

memory/2336-104-0x0000000006D60000-0x0000000007306000-memory.dmp

memory/2336-106-0x00000000067B0000-0x00000000067BA000-memory.dmp

memory/2336-107-0x0000000006970000-0x0000000006A20000-memory.dmp

memory/2336-108-0x0000000006A50000-0x0000000006A72000-memory.dmp

memory/2336-109-0x0000000007310000-0x0000000007667000-memory.dmp

memory/2336-112-0x0000000074330000-0x0000000074AE1000-memory.dmp

memory/4224-113-0x00007FF6EDF50000-0x00007FF6EF487000-memory.dmp

memory/3360-119-0x00000243C77C0000-0x00000243C77E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lpax4tbk.qqt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3360-123-0x00007FF934570000-0x00007FF935032000-memory.dmp

memory/3360-124-0x00000243DFD10000-0x00000243DFD20000-memory.dmp

memory/3360-125-0x00000243DFD10000-0x00000243DFD20000-memory.dmp

memory/3360-126-0x00000243DFD10000-0x00000243DFD20000-memory.dmp

memory/4224-127-0x00007FF6EDF50000-0x00007FF6EF487000-memory.dmp

memory/3968-131-0x0000000140000000-0x000000014002B000-memory.dmp

memory/3968-132-0x0000000140000000-0x000000014002B000-memory.dmp

memory/3968-133-0x0000000140000000-0x000000014002B000-memory.dmp

memory/3968-134-0x0000000140000000-0x000000014002B000-memory.dmp

memory/3968-136-0x0000000140000000-0x000000014002B000-memory.dmp

memory/4224-138-0x00007FF454680000-0x00007FF454A51000-memory.dmp

memory/3968-137-0x00007FF955720000-0x00007FF955929000-memory.dmp

memory/3968-140-0x00007FF953C10000-0x00007FF953CCD000-memory.dmp

memory/3968-141-0x0000000140000000-0x000000014002B000-memory.dmp

memory/608-144-0x000001AF6DCF0000-0x000001AF6DD14000-memory.dmp

memory/692-147-0x000002AABEDD0000-0x000002AABEDFB000-memory.dmp

memory/608-146-0x000001AF6DD20000-0x000001AF6DD4B000-memory.dmp

memory/692-151-0x000002AABEDD0000-0x000002AABEDFB000-memory.dmp

memory/608-154-0x00007FF9557C4000-0x00007FF9557C5000-memory.dmp

memory/692-150-0x00007FF9157B0000-0x00007FF9157C0000-memory.dmp

memory/4224-153-0x00007FF6EDF50000-0x00007FF6EF487000-memory.dmp

memory/424-157-0x00000140812F0000-0x000001408131B000-memory.dmp

memory/992-160-0x00007FF9157B0000-0x00007FF9157C0000-memory.dmp

memory/992-156-0x0000027C20500000-0x0000027C2052B000-memory.dmp

memory/692-159-0x00007FF9557C3000-0x00007FF9557C4000-memory.dmp

memory/692-161-0x00007FF9557C4000-0x00007FF9557C5000-memory.dmp

memory/692-164-0x00007FF9557C6000-0x00007FF9557C7000-memory.dmp

memory/548-165-0x00007FF9157B0000-0x00007FF9157C0000-memory.dmp

memory/548-163-0x000002EAD0150000-0x000002EAD017B000-memory.dmp

memory/992-166-0x0000027C20500000-0x0000027C2052B000-memory.dmp

memory/424-168-0x00000140812F0000-0x000001408131B000-memory.dmp

memory/424-169-0x00007FF9557C3000-0x00007FF9557C4000-memory.dmp