9a0db4898e6d87a8b484c695227dcf33a9dd099ef4f73740524476c182dd2f9e

General

Target

hanzowoofercracked/hanzowoofercracked/hanzopermspoofer.exe
Size

31.0MB
MD5

3efc3953bf361a6921855261d7db3ebc
SHA1

5800977eef27d3334b317857d888aa390095f4c4
SHA256

283a8086913fe4355ff9b17d5a0037563f078b09eb4b3b50952a9192a2e974ff
SHA512

9152865d4b7bf257675a314b3a6ca9101ba2f3d9b61140b0cb9fa5364a3f436e4e4365f8232bbc86189981d6f540bab3e1501cb0092b3879e58b85e7bccc00b9
SSDEEP

786432:4VytLBdFNfkdFpNCWwlInHkhK+2bjEZNokgBEPVj:OytnXkdFpbPktAo4BM5

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

hanzopermspoofer.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ hanzopermspoofer.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	hanzopermspoofer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

hanzopermspoofer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	hanzopermspoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	hanzopermspoofer.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/928-1-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp	themida
behavioral1/memory/928-2-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp	themida
behavioral1/memory/928-3-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp	themida
behavioral1/memory/928-4-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp	themida
behavioral1/memory/928-5-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp	themida
behavioral1/memory/928-6-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp	themida
behavioral1/memory/928-7-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp	themida
behavioral1/memory/928-8-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp	themida
behavioral1/memory/928-9-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp	themida
behavioral1/memory/928-10-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

hanzopermspoofer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA hanzopermspoofer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

hanzopermspoofer.exe

pid process

928 hanzopermspoofer.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1376 sc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hanzopermspoofer.exe

pid	process
1376	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2364 taskkill.exe
1616 taskkill.exe
1400 taskkill.exe
2772 taskkill.exe
5100 taskkill.exe

pid	process
2364	taskkill.exe
1616	taskkill.exe
1400	taskkill.exe
2772	taskkill.exe
5100	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

hanzopermspoofer.exe

pid	process
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe
928	hanzopermspoofer.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	1400	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	5100	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	4984	taskmgr.exe
Token: SeSystemProfilePrivilege	4984	taskmgr.exe
Token: SeCreateGlobalPrivilege	4984	taskmgr.exe
Token: 33	4984	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4984	taskmgr.exe

Suspicious use of FindShellTrayWindow 47 IoCs

Processes:

taskmgr.exe

pid	process
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe

Suspicious use of SendNotifyMessage 46 IoCs

Processes:

taskmgr.exe

pid	process
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe
4984	taskmgr.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

hanzopermspoofer.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 928 wrote to memory of 3216	928	hanzopermspoofer.exe	cmd.exe
PID 928 wrote to memory of 3216	928	hanzopermspoofer.exe	cmd.exe
PID 928 wrote to memory of 652	928	hanzopermspoofer.exe	cmd.exe
PID 928 wrote to memory of 652	928	hanzopermspoofer.exe	cmd.exe
PID 3216 wrote to memory of 1400	3216	cmd.exe	taskkill.exe
PID 3216 wrote to memory of 1400	3216	cmd.exe	taskkill.exe
PID 928 wrote to memory of 2660	928	hanzopermspoofer.exe	cmd.exe
PID 928 wrote to memory of 2660	928	hanzopermspoofer.exe	cmd.exe
PID 2660 wrote to memory of 2772	2660	cmd.exe	taskkill.exe
PID 2660 wrote to memory of 2772	2660	cmd.exe	taskkill.exe
PID 928 wrote to memory of 4084	928	hanzopermspoofer.exe	cmd.exe
PID 928 wrote to memory of 4084	928	hanzopermspoofer.exe	cmd.exe
PID 4084 wrote to memory of 1376	4084	cmd.exe	sc.exe
PID 4084 wrote to memory of 1376	4084	cmd.exe	sc.exe
PID 928 wrote to memory of 2096	928	hanzopermspoofer.exe	cmd.exe
PID 928 wrote to memory of 2096	928	hanzopermspoofer.exe	cmd.exe
PID 2096 wrote to memory of 5100	2096	cmd.exe	taskkill.exe
PID 2096 wrote to memory of 5100	2096	cmd.exe	taskkill.exe
PID 928 wrote to memory of 3940	928	hanzopermspoofer.exe	cmd.exe
PID 928 wrote to memory of 3940	928	hanzopermspoofer.exe	cmd.exe
PID 3940 wrote to memory of 2364	3940	cmd.exe	taskkill.exe
PID 3940 wrote to memory of 2364	3940	cmd.exe	taskkill.exe
PID 928 wrote to memory of 3300	928	hanzopermspoofer.exe	cmd.exe
PID 928 wrote to memory of 3300	928	hanzopermspoofer.exe	cmd.exe
PID 3300 wrote to memory of 1616	3300	cmd.exe	taskkill.exe
PID 3300 wrote to memory of 1616	3300	cmd.exe	taskkill.exe
PID 928 wrote to memory of 3896	928	hanzopermspoofer.exe	cmd.exe
PID 928 wrote to memory of 3896	928	hanzopermspoofer.exe	cmd.exe
PID 3896 wrote to memory of 2560	3896	cmd.exe	certutil.exe
PID 3896 wrote to memory of 2560	3896	cmd.exe	certutil.exe
PID 3896 wrote to memory of 1336	3896	cmd.exe	find.exe
PID 3896 wrote to memory of 1336	3896	cmd.exe	find.exe
PID 3896 wrote to memory of 1628	3896	cmd.exe	find.exe
PID 3896 wrote to memory of 1628	3896	cmd.exe	find.exe

C:\Users\Admin\AppData\Local\Temp\hanzowoofercracked\hanzowoofercracked\hanzopermspoofer.exe
"C:\Users\Admin\AppData\Local\Temp\hanzowoofercracked\hanzowoofercracked\hanzopermspoofer.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c CLS
2⤵
PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\hanzowoofercracked\hanzowoofercracked\hanzopermspoofer.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
2⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\hanzowoofercracked\hanzowoofercracked\hanzopermspoofer.exe" MD5
3⤵
PID:2560

C:\Windows\system32\find.exe
find /i /v "md5"
3⤵
PID:1336

C:\Windows\system32\find.exe
find /i /v "certutil"
3⤵
PID:1628

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/928-0-0x00007FFFC8590000-0x00007FFFC8785000-memory.dmp

Filesize
2.0MB

Download
memory/928-1-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp

Filesize
81.7MB

Download
memory/928-2-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp

Filesize
81.7MB

Download
memory/928-3-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp

Filesize
81.7MB

Download
memory/928-4-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp

Filesize
81.7MB

Download
memory/928-5-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp

Filesize
81.7MB

Download
memory/928-6-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp

Filesize
81.7MB

Download
memory/928-7-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp

Filesize
81.7MB

Download
memory/928-8-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp

Filesize
81.7MB

Download
memory/928-9-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp

Filesize
81.7MB

Download
memory/928-10-0x00007FF7B5E50000-0x00007FF7BB00A000-memory.dmp

Filesize
81.7MB

Download
memory/928-11-0x00007FFFC8590000-0x00007FFFC8785000-memory.dmp

Filesize
2.0MB

Download
memory/4984-12-0x000001E7B5DF0000-0x000001E7B5DF1000-memory.dmp

Filesize
4KB

Download
memory/4984-13-0x000001E7B5DF0000-0x000001E7B5DF1000-memory.dmp

Filesize
4KB

Download
memory/4984-14-0x000001E7B5DF0000-0x000001E7B5DF1000-memory.dmp

Filesize
4KB

Download
memory/4984-18-0x000001E7B5DF0000-0x000001E7B5DF1000-memory.dmp

Filesize
4KB

Download
memory/4984-19-0x000001E7B5DF0000-0x000001E7B5DF1000-memory.dmp

Filesize
4KB

Download
memory/4984-20-0x000001E7B5DF0000-0x000001E7B5DF1000-memory.dmp

Filesize
4KB

Download
memory/4984-21-0x000001E7B5DF0000-0x000001E7B5DF1000-memory.dmp

Filesize
4KB

Download
memory/4984-22-0x000001E7B5DF0000-0x000001E7B5DF1000-memory.dmp

Filesize
4KB

Download
memory/4984-23-0x000001E7B5DF0000-0x000001E7B5DF1000-memory.dmp

Filesize
4KB

Download
memory/4984-24-0x000001E7B5DF0000-0x000001E7B5DF1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads