Overview

overview

9

Static

static

7

V11.exe

windows7-x64

9

V11.exe

windows10-1703-x64

9

V11.exe

windows10-2004-x64

9

V11.exe

windows11-21h2-x64

9

Analysis

  • max time kernel
    22s
  • max time network
    23s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    15/03/2024, 16:53

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    V11.exe

  • Size

    5.7MB

  • MD5

    6dec3abddfaf34018ac336abca4ce973

  • SHA1

    1beb12de1349f0dceec10399e68e51d0f0fb2084

  • SHA256

    ac85979eb90883a77eb0faa528e324002b0c014da188fcda30131be7ca84459d

  • SHA512

    c1a052b01e1cc31011c1cb22a7cb70b2eabbc5f2312ff5142b064584dcfcfa64498f1e167780e01caa6473e66b38bf4cf196ace12323063a12b8ed63944932e9

  • SSDEEP

    98304:wkmqs1yBGCwU+s1db5ZKgptSY4B3RHIlkhnERsnRkAeHFCCIpUYrvIn:Xs1yBJ7dbZtSY4JRoeinVCtVjIn

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 10 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\V11.exe
    "C:\Users\Admin\AppData\Local\Temp\V11.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /C Get-Service -Name WpnUserService* | Restart-Service -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:396

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v1aytooa.4oa.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • memory/396-11-0x00007FF9BE5A0000-0x00007FF9BF062000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/396-27-0x00007FF9BE5A0000-0x00007FF9BF062000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/396-24-0x000001F53CA20000-0x000001F53CA30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/396-15-0x000001F555140000-0x000001F555162000-memory.dmp

          Filesize

          136KB

          Download

        • memory/396-13-0x000001F53CA20000-0x000001F53CA30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/396-12-0x000001F53CA20000-0x000001F53CA30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/964-8-0x00007FF6AA840000-0x00007FF6AB788000-memory.dmp

          Filesize

          15.3MB

          Download

        • memory/964-0-0x00007FF6AA840000-0x00007FF6AB788000-memory.dmp

          Filesize

          15.3MB

          Download

        • memory/964-7-0x00007FF6AA840000-0x00007FF6AB788000-memory.dmp

          Filesize

          15.3MB

          Download

        • memory/964-6-0x00007FF6AA840000-0x00007FF6AB788000-memory.dmp

          Filesize

          15.3MB

          Download

        • memory/964-5-0x00007FF6AA840000-0x00007FF6AB788000-memory.dmp

          Filesize

          15.3MB

          Download

        • memory/964-14-0x00007FF6AA840000-0x00007FF6AB788000-memory.dmp

          Filesize

          15.3MB

          Download

        • memory/964-4-0x00007FF6AA840000-0x00007FF6AB788000-memory.dmp

          Filesize

          15.3MB

          Download

        • memory/964-3-0x00007FF6AA840000-0x00007FF6AB788000-memory.dmp

          Filesize

          15.3MB

          Download

        • memory/964-2-0x00007FF6AA840000-0x00007FF6AB788000-memory.dmp

          Filesize

          15.3MB

          Download

        • memory/964-1-0x00007FF9DFCC0000-0x00007FF9DFEC9000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/964-33-0x00007FF6AA840000-0x00007FF6AB788000-memory.dmp

          Filesize

          15.3MB

          Download