Malware Analysis Report

2025-08-11 03:50

Sample ID 240409-qbjs4sff93
Target files.zip
SHA256 a23ecb9d07a0b5a9a01a03243d7dd8d4f65226c6e66345d145583332e7ebd26a
Tags
themida
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

a23ecb9d07a0b5a9a01a03243d7dd8d4f65226c6e66345d145583332e7ebd26a

Threat Level: Shows suspicious behavior

The file files.zip was found to be: Shows suspicious behavior.

Malicious Activity Summary

themida

Themida packer

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-09 13:08

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 13:05

Reported

2024-04-09 13:10

Platform

win10v2004-20240319-en

Max time kernel

11s

Max time network

35s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe"

Network

Country Destination Domain Proto
US 13.107.246.64:443 tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 132.250.30.184.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 172.217.168.234:443 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp

Files

memory/3412-0-0x00000153A7BE0000-0x00000153A82E8000-memory.dmp

memory/3412-1-0x00007FFB9AD60000-0x00007FFB9B821000-memory.dmp

memory/3412-2-0x00000153C2A00000-0x00000153C2A10000-memory.dmp

memory/3412-3-0x00000153A8710000-0x00000153A8734000-memory.dmp

memory/3412-4-0x00000153C2C30000-0x00000153C2D16000-memory.dmp

memory/3412-5-0x00000153C2D20000-0x00000153C2EE1000-memory.dmp

memory/3412-7-0x00000153C2EF0000-0x00000153C3EF0000-memory.dmp

memory/3412-8-0x00007FFB9AD60000-0x00007FFB9B821000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 13:05

Reported

2024-04-09 13:12

Platform

win11-20240221-en

Max time kernel

128s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/872-0-0x000002422DFE0000-0x000002422E6E8000-memory.dmp

memory/872-1-0x00007FF992430000-0x00007FF992EF2000-memory.dmp

memory/872-2-0x0000024248CE0000-0x0000024248CF0000-memory.dmp

memory/872-3-0x0000024230300000-0x0000024230324000-memory.dmp

memory/872-4-0x0000024248FD0000-0x00000242490B6000-memory.dmp

memory/872-5-0x00000242490C0000-0x0000024249281000-memory.dmp

memory/872-7-0x00007FF992430000-0x00007FF992EF2000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-09 13:05

Reported

2024-04-09 13:12

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

160s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe.config

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe.config

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-09 13:05

Reported

2024-04-09 13:12

Platform

win11-20240221-en

Max time kernel

84s

Max time network

94s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe.config

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe.config

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A