a568e2a4d89ab76ab9ff11b30bf320dcc4413353660678c51abc79863ff3c1c4

General

Target

modest-menu.exe
Size

16.9MB
MD5

ce03d8db32b901caba01fa8b1beefe54
SHA1

76377cea7317bd28af0ccaab276bd49360936a9d
SHA256

a568e2a4d89ab76ab9ff11b30bf320dcc4413353660678c51abc79863ff3c1c4
SHA512

40ef98ee1dd411d3f634f9fe1ccdac0bc8fa5d13b1392ac5d045bf130db6efc5ebae48298d02a732fe634af953af10c004d54c3a4d5862b7f9cd6736f6ddbfca
SSDEEP

393216:YwOMvc42XGU57JO0OTOUbHvnqdLNZHgbATTT9:Yeh2Xb1Ra4LNibATv

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	modest-menu.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	modest-menu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	modest-menu.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2824-0-0x00007FF723980000-0x00007FF72638F000-memory.dmp	themida
behavioral1/memory/2824-2-0x00007FF723980000-0x00007FF72638F000-memory.dmp	themida
behavioral1/memory/2824-3-0x00007FF723980000-0x00007FF72638F000-memory.dmp	themida
behavioral1/memory/2824-4-0x00007FF723980000-0x00007FF72638F000-memory.dmp	themida
behavioral1/memory/2824-5-0x00007FF723980000-0x00007FF72638F000-memory.dmp	themida
behavioral1/memory/2824-6-0x00007FF723980000-0x00007FF72638F000-memory.dmp	themida
behavioral1/memory/2824-7-0x00007FF723980000-0x00007FF72638F000-memory.dmp	themida
behavioral1/memory/2824-8-0x00007FF723980000-0x00007FF72638F000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	modest-menu.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2824	modest-menu.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2824	modest-menu.exe
2824	modest-menu.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4884	MiniSearchHost.exe

C:\Users\Admin\AppData\Local\Temp\modest-menu.exe
"C:\Users\Admin\AppData\Local\Temp\modest-menu.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2824

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
5dd2e58c8cfaff1881ff7bc283ef1ddd

SHA1
0ae988c23106f1983d82c01cf135803a647a1697

SHA256
81aacd0916b4d7a8543a99621a36843406e301567f9248877efb1e804fe5ef71

SHA512
d509064e13ffcf45d2833a801195292a2ef0e0fa2f7065459023e8c778e30f1daa64382b9aef9eed5c2de3f0a229924b20d1b6246135c089e257d91bf714852f

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
d787e644a5c87ff0d529178be370af85

SHA1
1cc3e85b27bb7a602becada3674e2ca3f06cd674

SHA256
609b79e146732b2231318bde6338788a61124f8d22841566ed27d563200bbb32

SHA512
9386d7ef12d90ef90816a80b4c5f6f6f6a840a0745d81aa8bb4e8ec773ca852107d4ff3ae81e4165d2e6695813121aff836404e0c2d29ea44f063a6cd55a02d0

Download Submit
memory/2824-0-0x00007FF723980000-0x00007FF72638F000-memory.dmp

Filesize
42.1MB

Download
memory/2824-1-0x00007FFA07220000-0x00007FFA07429000-memory.dmp

Filesize
2.0MB

Download
memory/2824-2-0x00007FF723980000-0x00007FF72638F000-memory.dmp

Filesize
42.1MB

Download
memory/2824-3-0x00007FF723980000-0x00007FF72638F000-memory.dmp

Filesize
42.1MB

Download
memory/2824-4-0x00007FF723980000-0x00007FF72638F000-memory.dmp

Filesize
42.1MB

Download
memory/2824-5-0x00007FF723980000-0x00007FF72638F000-memory.dmp

Filesize
42.1MB

Download
memory/2824-6-0x00007FF723980000-0x00007FF72638F000-memory.dmp

Filesize
42.1MB

Download
memory/2824-7-0x00007FF723980000-0x00007FF72638F000-memory.dmp

Filesize
42.1MB

Download
memory/2824-8-0x00007FF723980000-0x00007FF72638F000-memory.dmp

Filesize
42.1MB

Download
memory/2824-12-0x00007FFA07220000-0x00007FFA07429000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads