Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
25-04-2024 04:20
General
-
Target
e03ca3c63a758e954e557211c13938d29bfb6506621826585a1fd053c42202e9.exe
-
Size
2.6MB
-
MD5
061703b95c263d223f9f39f827e5a129
-
SHA1
3e1d68bc26b3ca9f03e7421c27ecd0bd5b5a8d62
-
SHA256
e03ca3c63a758e954e557211c13938d29bfb6506621826585a1fd053c42202e9
-
SHA512
d64b1a3ddc8ee34161221b3ee4aec46ae446e8cdfeae28401d66b70398658a2ab49be267f73a70275e207669c59ba571dd4dbaef85eac3dcdd510dddcb0816b0
-
SSDEEP
49152:kr+2uK5YdMOMRhPtlRmTIIpMKo+GervVPMrG801uHBPbwwvRsfl:kr/vDRd1BrGMHVql
Malware Config
Signatures
-
Detects executables packed with Themida 5 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Modifies AppInit DLL entries 2 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Themida packer 5 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e03ca3c63a758e954e557211c13938d29bfb6506621826585a1fd053c42202e9.exe"C:\Users\Admin\AppData\Local\Temp\e03ca3c63a758e954e557211c13938d29bfb6506621826585a1fd053c42202e9.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\taskeng.exetaskeng.exe {4568BF9B-C749-40DC-9A20-07F42BCA0A62} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~3\Mozilla\wrvdfyg.exeC:\PROGRA~3\Mozilla\wrvdfyg.exe -hzyjzia2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PROGRA~3\Mozilla\wrvdfyg.exeFilesize
2.6MB
MD523c3d39d09d31f979db5ff8c18862c2e
SHA1c769068af6709e1a1f0aaa0efe8024148da91a64
SHA256750ebd59757984571efe94a040ba3e62099b3b682ab9fa5b845cd252e1d6ee7c
SHA512ecad6953ed37a79e2174a5276c5a646d31cac86afaac9a65df736779c5ecb90ea9e427e3aeef8706bb22fafd9d1297bfa0cc5a8fd59c64d939543aa9b172de54
-
memory/2256-9-0x0000000000400000-0x0000000000AB4000-memory.dmpFilesize
6.7MB
-
memory/2256-10-0x0000000000400000-0x0000000000AB4000-memory.dmpFilesize
6.7MB
-
memory/2256-12-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/2256-11-0x0000000000AC0000-0x0000000000B1B000-memory.dmpFilesize
364KB
-
memory/2256-14-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/2856-0-0x0000000000400000-0x0000000000AB4000-memory.dmpFilesize
6.7MB
-
memory/2856-1-0x0000000000400000-0x0000000000AB4000-memory.dmpFilesize
6.7MB
-
memory/2856-2-0x00000000002E0000-0x000000000033B000-memory.dmpFilesize
364KB
-
memory/2856-3-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/2856-5-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/2856-6-0x00000000002E0000-0x000000000033B000-memory.dmpFilesize
364KB