88417151070ccd5906c410061a2d27faf14473607c11eecc58fa56e60f3caf4b

Reason

Machine shutdown

General

Target

loxvanity.exe
Size

7.5MB
MD5

ae18d7298dbd5a2f9a1205155f9c03b6
SHA1

baf3d83ad8a391d36d0a0fdf3a0a510afa4ccc59
SHA256

88417151070ccd5906c410061a2d27faf14473607c11eecc58fa56e60f3caf4b
SHA512

a3988d5d1b8102bc1f074f6c4e1ada4db7bcf673fe81734b82b710c822698f55df5a4a6aaf3734f64cb6282b22eeb9a5eefce390bc1304cbcdff7ec0dbf0e2ef
SSDEEP

196608:Rdg6G0KaH2EGMII+QvlRXgh9OADa8k2mv899:1WEfIIDvlCiUCd899

Score

10^/10

agilenet evasion themida trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/4940-77-0x000000001BDB0000-0x000000001BDBE000-memory.dmp	disable_win_def

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

svchost.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

loxvanity.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	loxvanity.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

4940 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

4940 svchost.exe

pid	process
4940	svchost.exe

pid	process
4940	svchost.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\ProgramData\svchost.exe	agile_net
behavioral1/memory/4940-18-0x0000000000A20000-0x0000000001126000-memory.dmp	agile_net

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\989fcd0e-6abf-40ee-9e41-0c366f1c7108\AgileDotNetRT64.dll	themida
behavioral1/memory/4940-29-0x00007FFE68D30000-0x00007FFE698B4000-memory.dmp	themida
behavioral1/memory/4940-33-0x00007FFE68D30000-0x00007FFE698B4000-memory.dmp	themida
behavioral1/memory/4940-50-0x00007FFE68D30000-0x00007FFE698B4000-memory.dmp	themida
behavioral1/memory/4940-75-0x00007FFE68D30000-0x00007FFE698B4000-memory.dmp	themida
behavioral1/memory/4940-76-0x00007FFE68D30000-0x00007FFE698B4000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

svchost.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

svchost.exe

pid process

4940 svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exesvchost.exe

pid process

4912 powershell.exe
4912 powershell.exe
1352 powershell.exe
1352 powershell.exe
4940 svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe

pid	process
4940	svchost.exe

pid	process
4912	powershell.exe
4912	powershell.exe
1352	powershell.exe
1352	powershell.exe
4940	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

svchost.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4940	svchost.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeShutdownPrivilege	4940	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

4940 svchost.exe

pid	process
4940	svchost.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

loxvanity.execmd.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 1816 wrote to memory of 4996	1816	loxvanity.exe	cmd.exe
PID 1816 wrote to memory of 4996	1816	loxvanity.exe	cmd.exe
PID 1816 wrote to memory of 4940	1816	loxvanity.exe	svchost.exe
PID 1816 wrote to memory of 4940	1816	loxvanity.exe	svchost.exe
PID 4996 wrote to memory of 396	4996	cmd.exe	chcp.com
PID 4996 wrote to memory of 396	4996	cmd.exe	chcp.com
PID 4996 wrote to memory of 1584	4996	cmd.exe	cmd.exe
PID 4996 wrote to memory of 1584	4996	cmd.exe	cmd.exe
PID 4996 wrote to memory of 3984	4996	cmd.exe	find.exe
PID 4996 wrote to memory of 3984	4996	cmd.exe	find.exe
PID 4996 wrote to memory of 1480	4996	cmd.exe	findstr.exe
PID 4996 wrote to memory of 1480	4996	cmd.exe	findstr.exe
PID 4996 wrote to memory of 2476	4996	cmd.exe	findstr.exe
PID 4996 wrote to memory of 2476	4996	cmd.exe	findstr.exe
PID 4996 wrote to memory of 1688	4996	cmd.exe	findstr.exe
PID 4996 wrote to memory of 1688	4996	cmd.exe	findstr.exe
PID 4996 wrote to memory of 1836	4996	cmd.exe	findstr.exe
PID 4996 wrote to memory of 1836	4996	cmd.exe	findstr.exe
PID 4996 wrote to memory of 652	4996	cmd.exe	find.exe
PID 4996 wrote to memory of 652	4996	cmd.exe	find.exe
PID 4996 wrote to memory of 4056	4996	cmd.exe	cmd.exe
PID 4996 wrote to memory of 4056	4996	cmd.exe	cmd.exe
PID 4996 wrote to memory of 1120	4996	cmd.exe	cmd.exe
PID 4996 wrote to memory of 1120	4996	cmd.exe	cmd.exe
PID 4996 wrote to memory of 1976	4996	cmd.exe	cmd.exe
PID 4996 wrote to memory of 1976	4996	cmd.exe	cmd.exe
PID 1120 wrote to memory of 5032	1120	cmd.exe	mshta.exe
PID 1120 wrote to memory of 5032	1120	cmd.exe	mshta.exe
PID 1976 wrote to memory of 2032	1976	cmd.exe	reg.exe
PID 1976 wrote to memory of 2032	1976	cmd.exe	reg.exe
PID 4940 wrote to memory of 4912	4940	svchost.exe	powershell.exe
PID 4940 wrote to memory of 4912	4940	svchost.exe	powershell.exe
PID 4940 wrote to memory of 1352	4940	svchost.exe	powershell.exe
PID 4940 wrote to memory of 1352	4940	svchost.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\loxvanity.exe
"C:\Users\Admin\AppData\Local\Temp\loxvanity.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\z.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\system32\chcp.com
chcp.com 437
3⤵
PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type tmp
3⤵
PID:1584

C:\Windows\system32\find.exe
fiNd
3⤵
PID:3984

C:\Windows\system32\findstr.exe
findstr /L /I set "C:\ProgramData\z.bat"
3⤵
PID:1480

C:\Windows\system32\findstr.exe
findstr /L /I goto "C:\ProgramData\z.bat"
3⤵
PID:2476

C:\Windows\system32\findstr.exe
findstr /L /I echo "C:\ProgramData\z.bat"
3⤵
PID:1688

C:\Windows\system32\findstr.exe
findstr /L /I pause "C:\ProgramData\z.bat"
3⤵
PID:1836

C:\Windows\system32\find.exe
fINd
3⤵
PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type tmp
3⤵
PID:4056

C:\Windows\system32\cmd.exe
cmd.exe /c mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The instruction at 0x00000000771034FB referenced memory at 0x00000000771034FB. The required data was not placed into memory because of an I/O error status of 0x0000428. Click on OK to terminate the program', 0, 'Application Error', 0+16);close()"
3⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The instruction at 0x00000000771034FB referenced memory at 0x00000000771034FB. The required data was not placed into memory because of an I/O error status of 0x0000428. Click on OK to terminate the program', 0, 'Application Error', 0+16);close()"
4⤵
PID:5032

C:\Windows\system32\cmd.exe
cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- UAC bypass
PID:2032

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

1

T1562.001

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe
Filesize
7.0MB

MD5
37937d01536f14247bd0891acbaf3d62

SHA1
adfdbb97814c4cc30068ba86d5708e1d8dde6471

SHA256
4aea68aaf95feee335f0246e51132096409a11043efdc3d57e78f0a8803eb7b8

SHA512
803ad02fc353758fae35b1d1c976006328ec5e378697b37dcc7e8cab24613ec9ac0f3c794dce4a790de69ab26215df8ce5b8f963c061d528ffb80ffdcd0f45dd

Download Submit
C:\ProgramData\tmp
Filesize
14B

MD5
ce585c6ba32ac17652d2345118536f9c

SHA1
be0e41b3690c42e4c0cdb53d53fc544fb46b758d

SHA256
589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

SHA512
d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

Download Submit
C:\ProgramData\z.bat
Filesize
21KB

MD5
0902aa3eede3132fdd4d51152b75e07b

SHA1
b02df12e8acf84e5b156e6ad8ef9ba70c12b8498

SHA256
debbc8175a46379edba8658e437e58956a2ee54c0f8da5d1b62be82b6b9a6078

SHA512
88b2a2383f51f3f72a133acc4b67b47fef5062a1db4717aa3ac90df93e4c2a5c07cc2826320c8ac9bf3cca7f98f16911f8ad4c92c012c43b3a62a5fe31b77e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
14c4e65bf8c7c791a39fc3fe3e9b79fa

SHA1
cb8e103fb6d00fe60272e39605d356d4485c8f46

SHA256
bc42160231f353408b60e1f64d8f5224b82b895480f4a81fc68fcd23d6d2f8b6

SHA512
025a4558a75007291cb6e26bb1f9090f5784bda6ef7dcc7e9013e8cffadae323fd7975f6242adac85981e24bac673ac791dba6d981f180ee18a0c085a38d2ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\989fcd0e-6abf-40ee-9e41-0c366f1c7108\AgileDotNetRT64.dll
Filesize
4.2MB

MD5
05b012457488a95a05d0541e0470d392

SHA1
74f541d6a8365508c794ef7b4ac7c297457f9ce3

SHA256
1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d

SHA512
6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3vk5fie4.fbx.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1352-70-0x000002E3715C0000-0x000002E3715D0000-memory.dmp

Filesize
64KB

Download
memory/1352-72-0x000002E3715C0000-0x000002E3715D0000-memory.dmp

Filesize
64KB

Download
memory/1352-59-0x000002E3715C0000-0x000002E3715D0000-memory.dmp

Filesize
64KB

Download
memory/1352-74-0x00007FFE6E060000-0x00007FFE6EB21000-memory.dmp

Filesize
10.8MB

Download
memory/1352-57-0x00007FFE6E060000-0x00007FFE6EB21000-memory.dmp

Filesize
10.8MB

Download
memory/4912-37-0x00007FFE6E060000-0x00007FFE6EB21000-memory.dmp

Filesize
10.8MB

Download
memory/4912-39-0x000001FBA4550000-0x000001FBA4560000-memory.dmp

Filesize
64KB

Download
memory/4912-40-0x000001FBA4550000-0x000001FBA4560000-memory.dmp

Filesize
64KB

Download
memory/4912-38-0x000001FB8C0D0000-0x000001FB8C0F2000-memory.dmp

Filesize
136KB

Download
memory/4912-51-0x000001FBA4550000-0x000001FBA4560000-memory.dmp

Filesize
64KB

Download
memory/4912-52-0x000001FBA4550000-0x000001FBA4560000-memory.dmp

Filesize
64KB

Download
memory/4912-55-0x00007FFE6E060000-0x00007FFE6EB21000-memory.dmp

Filesize
10.8MB

Download
memory/4940-31-0x00007FFE8C4D0000-0x00007FFE8C6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4940-50-0x00007FFE68D30000-0x00007FFE698B4000-memory.dmp

Filesize
11.5MB

Download
memory/4940-58-0x00007FFE6E060000-0x00007FFE6EB21000-memory.dmp

Filesize
10.8MB

Download
memory/4940-36-0x00007FFE6C610000-0x00007FFE6C75E000-memory.dmp

Filesize
1.3MB

Download
memory/4940-33-0x00007FFE68D30000-0x00007FFE698B4000-memory.dmp

Filesize
11.5MB

Download
memory/4940-29-0x00007FFE68D30000-0x00007FFE698B4000-memory.dmp

Filesize
11.5MB

Download
memory/4940-71-0x00007FFE8C4D0000-0x00007FFE8C6C5000-memory.dmp

Filesize
2.0MB

Download
memory/4940-17-0x00007FFE6E060000-0x00007FFE6EB21000-memory.dmp

Filesize
10.8MB

Download
memory/4940-18-0x0000000000A20000-0x0000000001126000-memory.dmp

Filesize
7.0MB

Download
memory/4940-75-0x00007FFE68D30000-0x00007FFE698B4000-memory.dmp

Filesize
11.5MB

Download
memory/4940-76-0x00007FFE68D30000-0x00007FFE698B4000-memory.dmp

Filesize
11.5MB

Download
memory/4940-77-0x000000001BDB0000-0x000000001BDBE000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads