d70e292a21ebc5ca1675ca585bcae52a51aad4bcee9bbbaf44b0a2cc635b64c7

General

Target

login.exe
Size

429KB
MD5

b88444cf2c03ce4efe2a1608a379ee53
SHA1

68d9285ee72288656c258cf9db9c564226a48ddb
SHA256

d70e292a21ebc5ca1675ca585bcae52a51aad4bcee9bbbaf44b0a2cc635b64c7
SHA512

7c9e116a417f2a15d2ca3f70b61697c9e34b6131b12221032cde9d64c41993f6f8cfa34196ed99122aa34d59159955d6362827f0d4eee1688bce465539e8d633
SSDEEP

12288:Zt5NpMGK6Ia5Jr4IQAvq3eSKXvVZhuwxHvh:Zt5NGGzIo3QSqOS+VZhT

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	loader.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	loader.exe

Executes dropped EXE 2 IoCs

pid	Process
2560	loader.exe
1232	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
1408	cmd.exe
1232	Process not Found

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000d0000000122a3-1.dat	themida
behavioral1/files/0x000d0000000122a3-3.dat	themida
behavioral1/memory/1408-4-0x000000013F2C0000-0x000000013FD5F000-memory.dmp	themida
behavioral1/memory/2560-5-0x000000013F2C0000-0x000000013FD5F000-memory.dmp	themida
behavioral1/files/0x000d0000000122a3-7.dat	themida
behavioral1/memory/2560-8-0x000000013F2C0000-0x000000013FD5F000-memory.dmp	themida
behavioral1/memory/2560-9-0x000000013F2C0000-0x000000013FD5F000-memory.dmp	themida
behavioral1/memory/2560-10-0x000000013F2C0000-0x000000013FD5F000-memory.dmp	themida
behavioral1/memory/2560-11-0x000000013F2C0000-0x000000013FD5F000-memory.dmp	themida
behavioral1/memory/2560-12-0x000000013F2C0000-0x000000013FD5F000-memory.dmp	themida
behavioral1/memory/2560-13-0x000000013F2C0000-0x000000013FD5F000-memory.dmp	themida
behavioral1/memory/2560-14-0x000000013F2C0000-0x000000013FD5F000-memory.dmp	themida
behavioral1/files/0x000d0000000122a3-16.dat	themida
behavioral1/files/0x000d0000000122a3-15.dat	themida
behavioral1/memory/2560-25-0x000000013F2C0000-0x000000013FD5F000-memory.dmp	themida
behavioral1/memory/2560-26-0x000000013F2C0000-0x000000013FD5F000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2560	loader.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2560	loader.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 1408	2184	login.exe	29
PID 2184 wrote to memory of 1408	2184	login.exe	29
PID 2184 wrote to memory of 1408	2184	login.exe	29
PID 1408 wrote to memory of 2560	1408	cmd.exe	30
PID 1408 wrote to memory of 2560	1408	cmd.exe	30
PID 1408 wrote to memory of 2560	1408	cmd.exe	30
PID 2560 wrote to memory of 2508	2560	loader.exe	31
PID 2560 wrote to memory of 2508	2560	loader.exe	31
PID 2560 wrote to memory of 2508	2560	loader.exe	31
PID 2508 wrote to memory of 1272	2508	cmd.exe	33
PID 2508 wrote to memory of 1272	2508	cmd.exe	33
PID 2508 wrote to memory of 1272	2508	cmd.exe	33
PID 2508 wrote to memory of 2600	2508	cmd.exe	34
PID 2508 wrote to memory of 2600	2508	cmd.exe	34
PID 2508 wrote to memory of 2600	2508	cmd.exe	34
PID 2508 wrote to memory of 2544	2508	cmd.exe	35
PID 2508 wrote to memory of 2544	2508	cmd.exe	35
PID 2508 wrote to memory of 2544	2508	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\login.exe
"C:\Users\Admin\AppData\Local\Temp\login.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
    C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2508
    - - C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe" MD5
        5⤵
        
        PID:1272
    - - C:\Windows\system32\find.exe
        
        find /i /v "md5"
        5⤵
        
        PID:2600
    - - C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        5⤵
        
        PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe

Filesize
3.1MB

MD5
796f5d51241259c24fa85583c12c8dd3

SHA1
5c898128e46f5b71163977cc3ee7a7bc3796a924

SHA256
3f1e7579d4e1d27a5f9d362a41326d17187b07f1f066ed0d405f2ffddc6ea462

SHA512
e8d0c27a3a813bea45f7839bf8bfb3bd1be2fdcc097b92c9be41a7138335e9c1566ee7ef34222713cba5ca66fd33fe4f640c18f9f2ebdc4b65998d8efd7fb031

Download Submit
C:\Users\Admin\AppData\Roaming\celex-v2\loader.exe

Filesize
4.1MB

MD5
9ecdc9ed1bea6c226f92d740d43400b9

SHA1
b5b5066cd4284733d8c3f3d7de3ca6653091ae10

SHA256
60c57f14c2e0e0df0bda16646b21dddceaee0159dafbbb8daba310d4e1b5be6c

SHA512
30bc705a2438288e3647d5adfc6119d751823970972b9c6b39a60384a2b7ac261986026b8d1c0b0ca7ee3d7e95363c97b873fdc5fad4096c903cb4e15bf57e43

Download Submit
\Users\Admin\AppData\Roaming\celex-v2\loader.exe

Filesize
3.8MB

MD5
106997b8f664771c3d7bb8d96c0b5bf7

SHA1
2af8b1b632cca703b37cdb0dc4924fbcdb3ddcb5

SHA256
c2d1731cb94bbc52b66069f601744d8b38de6a7e29b2d0ad8f085d36727284e4

SHA512
4a280f2054da43268364d0ef57982e0a5fc1420edd21c40296bdb657d09e8fcab0bd65df69e6240ee6178dcee70f66c15c3a41c8e7dbdab01472faf78ce47704

Download Submit
\Users\Admin\AppData\Roaming\celex-v2\loader.exe

Filesize
1.5MB

MD5
c9297a25e21f891b31aa22b42aeece68

SHA1
b9b869528dee8c1d130f8c39a40e458d310a34d4

SHA256
cd0a6a597ca2d528d4acc0bde4c97b7a0c4a8c330ae1166258beee2534f69ff5

SHA512
7297b50bd0e380543ee590d7eaf99a72b2bb1cd25b4ef28237854d54a4f0bd22e8af35ce46e4e2148418bb0727643571b58e252830c00f74673e471e7188db3f

Download Submit
\Users\Admin\AppData\Roaming\celex-v2\loader.exe

Filesize
1.4MB

MD5
a0d35b04ef15dbf9330cd8512ab13dfa

SHA1
63f43484db2357b6f7b0fe1e7e75e92b577f86a7

SHA256
42fc2204b502eef6ca907002ba8f5703b557496b9009c69bd55388a479241219

SHA512
84d2c1974151670a9b10b6e076731582a2a4663ef4db5fb2619502d0712659de7485a616a1802e9fee3713bc39d392cb0d245e696a53d947480933604ded613b

Download Submit
memory/1408-4-0x000000013F2C0000-0x000000013FD5F000-memory.dmp

Filesize
10.6MB

Download
memory/2560-10-0x000000013F2C0000-0x000000013FD5F000-memory.dmp

Filesize
10.6MB

Download
memory/2560-9-0x000000013F2C0000-0x000000013FD5F000-memory.dmp

Filesize
10.6MB

Download
memory/2560-8-0x000000013F2C0000-0x000000013FD5F000-memory.dmp

Filesize
10.6MB

Download
memory/2560-11-0x000000013F2C0000-0x000000013FD5F000-memory.dmp

Filesize
10.6MB

Download
memory/2560-12-0x000000013F2C0000-0x000000013FD5F000-memory.dmp

Filesize
10.6MB

Download
memory/2560-13-0x000000013F2C0000-0x000000013FD5F000-memory.dmp

Filesize
10.6MB

Download
memory/2560-14-0x000000013F2C0000-0x000000013FD5F000-memory.dmp

Filesize
10.6MB

Download
memory/2560-6-0x0000000077020000-0x00000000771C9000-memory.dmp

Filesize
1.7MB

Download
memory/2560-5-0x000000013F2C0000-0x000000013FD5F000-memory.dmp

Filesize
10.6MB

Download
memory/2560-25-0x000000013F2C0000-0x000000013FD5F000-memory.dmp

Filesize
10.6MB

Download
memory/2560-26-0x000000013F2C0000-0x000000013FD5F000-memory.dmp

Filesize
10.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads