Overview

overview

10

Static

static

7

setup.exe

windows10-1703-x64

10

setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1801s
  • max time network
    1214s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-04-2024 08:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    785.0MB

  • MD5

    6755776d1f19b3ed3ec620031c2e81da

  • SHA1

    96b6f2998ec6af205710e00f5e40beb727d440c3

  • SHA256

    699324d2d1bf2a07e459d770a2afc8ba5e0e5e34431647cf8aab656f548921bb

  • SHA512

    e13765b95290f1c13e52415d0041bc34e4ce36aeb164d9ff2ba11e811d3eedc31375798d35c114ac1b0932c8fa8f88e6ca8cd13a5dec2f927bacd0499c3b4429

  • SSDEEP

    98304:CcQJYvdLPMWB3hQaxefY7BqlWRrA8QixQiiorKRf:CcQJYvdDnB3iaxew7slWZCiicKRf

Score
10/10
evasionthemidatrojan

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 1 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 8 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Modifies firewall policy service
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1900
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    1⤵
      PID:3016
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
      1⤵
        PID:1932
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
        1⤵
          PID:1996
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k UnistackSvcGroup
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3460

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\System32\GroupPolicy\gpt.ini
          Filesize

          127B

          MD5

          8ef9853d1881c5fe4d681bfb31282a01

          SHA1

          a05609065520e4b4e553784c566430ad9736f19f

          SHA256

          9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

          SHA512

          5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

          Download Submit

        • memory/1900-12-0x00007FF749F60000-0x00007FF74AAB1000-memory.dmp

          Filesize

          11.3MB

          Download

        • memory/1900-11-0x00007FF749F60000-0x00007FF74AAB1000-memory.dmp

          Filesize

          11.3MB

          Download

        • memory/1900-6-0x00007FFE00000000-0x00007FFE00002000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1900-8-0x00007FFE77CF0000-0x00007FFE77EE5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1900-13-0x00007FF749F60000-0x00007FF74AAB1000-memory.dmp

          Filesize

          11.3MB

          Download

        • memory/1900-9-0x00007FF749F60000-0x00007FF74AAB1000-memory.dmp

          Filesize

          11.3MB

          Download

        • memory/1900-7-0x00007FFE75410000-0x00007FFE756D9000-memory.dmp

          Filesize

          2.8MB

          Download

        • memory/1900-0-0x00007FF749F60000-0x00007FF74AAB1000-memory.dmp

          Filesize

          11.3MB

          Download

        • memory/1900-10-0x00007FFE00030000-0x00007FFE00031000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1900-1-0x00007FF749F60000-0x00007FF74AAB1000-memory.dmp

          Filesize

          11.3MB

          Download

        • memory/1900-21-0x00007FF749F60000-0x00007FF74AAB1000-memory.dmp

          Filesize

          11.3MB

          Download

        • memory/1900-22-0x00007FF749F60000-0x00007FF74AAB1000-memory.dmp

          Filesize

          11.3MB

          Download

        • memory/1900-23-0x00007FFE00000000-0x00007FFE00002000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1900-24-0x00007FFE75410000-0x00007FFE756D9000-memory.dmp

          Filesize

          2.8MB

          Download

        • memory/1900-25-0x00007FFE77CF0000-0x00007FFE77EE5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3460-63-0x000001EEBDB80000-0x000001EEBDB90000-memory.dmp

          Filesize

          64KB

          Download