Analysis

  • max time kernel: 150s
  • max time network: 53s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240419-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 28-04-2024 05:24

General

  • Target: main.exe
  • Size: 5.9MB
  • MD5: 3354496085a148bf84e4b9249d8ab9b2
  • SHA1: 7f5a53faa73edac8a2999bc8624b8c8ce943f06a
  • SHA256: 43cf51ea2ac2ea60017c077d196d9719c6217548510619aa8ac18c6657163c55
  • SHA512: 66c9f316002593745d1b7e141c5c0cc70695f50f140ac2b9b32753a89ac3c482a3ca57afa825a2bd6c6e72855ac4367eb0ea1b933974fc3592739b63a93c71df
  • SSDEEP: 98304:TXzhW148Pd+Tf1mpcOldJQ3/V5s18HdDo45ow3ONp2MTJs9wplordZNum6vukIP0:zFK4s0TfLOdo/bs1moU2N8AMmofNum6z

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
  • Checks BIOS information in registry (2 TTPs, 12 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE (6 IoCs)
  • Themida packer (18 IoCs)

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Checks whether UAC is enabled (1 TTP, 6 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)

    ThreadHideFromDebugger stops the calling thread from delivering debug events, a common anti-debugging technique.

  • Drops file in Windows directory (5 IoCs)
  • Detects PyInstaller (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of SetWindowsHookEx (12 IoCs)
  • Suspicious use of WriteProcessMemory (17 IoCs)
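The registry-based signatures above (Run key persistence, the Explorer hidden-file setting, BIOS queries, VirtualBox ACPI keys) can be reproduced as detection logic over a registry-operation feed. The script below is an added example, not part of the sandbox report or of the sandbox product: the events are constructed (one dict per operation, modelled on the report's PIDs 4976 and 372), the key and value names in RULES are the well-known locations these checks usually involve and are an assumption about what this sample actually touched, and the Run value name in the sample data is hypothetical.

```python
"""Map registry operations to the behaviour signatures in the report.

Added example. Input is a constructed list of registry events; the key and
value names in RULES are assumptions about what the sample touched.
"""
import re
from collections import Counter

# (signature, operations that count, key pattern, value-name pattern or None)
RULES = [
    ("Adds Run key to start application", {"SetValue"},
     r"^hk(lm|cu)\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run(once)?$",
     None),
    ("Modifies visibility of hidden/system files in Explorer", {"SetValue"},
     r"^hkcu\\software\\microsoft\\windows\\currentversion\\explorer\\advanced$",
     r"^(hidden|showsuperhidden)$"),
    ("Checks BIOS information in registry", {"QueryValue"},
     r"^hklm\\hardware\\description\\system$",
     r"^(systembiosversion|systembiosdate|videobiosversion)$"),
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", {"OpenKey", "QueryValue"},
     r"^hklm\\hardware\\acpi\\(dsdt|fadt|rsdt)\\vbox__",
     None),
]
COMPILED = [(sig, ops, re.compile(k, re.I), re.compile(v, re.I) if v else None)
            for sig, ops, k, v in RULES]


def classify(event):
    """Return the signature names one event triggers (usually zero or one)."""
    hits = []
    for sig, ops, key_re, val_re in COMPILED:
        if event["op"] not in ops or not key_re.search(event["key"]):
            continue
        if val_re is not None and not val_re.search(event.get("value", "")):
            continue
        hits.append(sig)
    return hits


def summarize(events):
    """Count signature hits per PID: {pid: Counter({signature: n})}."""
    per_pid = {}
    for ev in events:
        for sig in classify(ev):
            per_pid.setdefault(ev["pid"], Counter())[sig] += 1
    return per_pid


# Constructed sample. 4976 is main.exe (anti-VM checks in the report); 372 is the
# dropped explorer.exe credited with the Run key and Explorer changes. The Run value
# name is hypothetical; Hidden=2 means "do not show hidden files", an assumed choice.
SAMPLE_EVENTS = [
    {"pid": 4976, "op": "QueryValue", "key": r"HKLM\HARDWARE\DESCRIPTION\System", "value": "SystemBiosVersion"},
    {"pid": 4976, "op": "QueryValue", "key": r"HKLM\HARDWARE\DESCRIPTION\System", "value": "VideoBiosVersion"},
    {"pid": 4976, "op": "OpenKey", "key": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 4976, "op": "QueryValue", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion",
     "value": "ProductName"},  # benign lookup, must not fire
    {"pid": 372, "op": "SetValue", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "hypothetical_name", "data": r"c:\windows\resources\themes\explorer.exe"},
    {"pid": 372, "op": "SetValue", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "value": "Hidden", "data": 2},
    {"pid": 372, "op": "SetValue", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "value": "ShowSuperHidden", "data": 0},
]

if __name__ == "__main__":
    for pid, counts in sorted(summarize(SAMPLE_EVENTS).items()):
        for sig, n in counts.items():
            print(f"PID {pid}: {sig} x{n}")
```

Query-side rules (BIOS, ACPI) only work on feeds that record registry reads; Sysmon records value writes and key creation, so on a Sysmon-only pipeline the two evasion rules will never fire and the Run key and Explorer rules are the ones worth keeping.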

Processes

  • C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4976
    • \??\c:\users\admin\appdata\local\temp\main.exe 
      c:\users\admin\appdata\local\temp\main.exe 
      2⤵
      • Executes dropped EXE
      PID:1504
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5148
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:372
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:948
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in System32 directory
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4260
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetWindowsHookEx
              PID:6040
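The tree above shows the real tell of this sample: explorer.exe, spoolsv.exe and svchost.exe running from C:\Windows\Resources rather than from their normal directories, and svchost.exe parented by a spoolsv.exe instead of services.exe. The script below is an added example, not part of the sandbox report, that encodes those two checks and walks the ancestry of any PID back to the submitted main.exe. The event list is constructed from the tree on this page (PID 4976's parent is the sandbox loader and is recorded as 0); the legitimate directories and the expected parent for svchost.exe are the defaults on Windows 10 and are an assumption for non-default installs.

```python
"""Flag system-binary name masquerading and trace process ancestry.

Added example. Events are constructed from the report's process tree;
EXPECTED_DIRS / EXPECTED_PARENT are Windows 10 defaults (an assumption).
"""
import ntpath
from dataclasses import dataclass

# Where these names legitimately live on a default install.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}
# svchost.exe is normally started by services.exe; any other parent is suspicious.
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as logged; may carry the \??\ NT prefix
    cmdline: str


def normalize(path: str) -> str:
    """Strip the \\??\\ prefix seen in the report and lower-case for comparison."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def masquerade_findings(events):
    """Return (pid, image name, reason) for every directory or parent mismatch."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        image = normalize(e.image)
        name = ntpath.basename(image)
        where = ntpath.dirname(image)
        if name in EXPECTED_DIRS and where not in EXPECTED_DIRS[name]:
            findings.append((e.pid, name, "unexpected directory: " + where))
        parent = by_pid.get(e.ppid)
        if name in EXPECTED_PARENT and parent is not None:
            pname = ntpath.basename(normalize(parent.image))
            if pname not in EXPECTED_PARENT[name]:
                findings.append((e.pid, name, "unexpected parent: " + pname))
    return findings


def ancestry(events, pid):
    """Image names from `pid` up to the root of the recorded tree."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(normalize(by_pid[pid].image)))
        pid = by_pid[pid].ppid
    return chain


# Constructed from the report's tree; paths and PIDs are the report's.
SAMPLE_EVENTS = [
    ProcEvent(4976, 0, r"C:\Users\Admin\AppData\Local\Temp\main.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\main.exe"'),
    ProcEvent(1504, 4976, r"\??\c:\users\admin\appdata\local\temp\main.exe",
              r"c:\users\admin\appdata\local\temp\main.exe"),
    ProcEvent(5148, 4976, r"C:\Windows\Resources\Themes\icsys.icn.exe",
              r"C:\Windows\Resources\Themes\icsys.icn.exe"),
    ProcEvent(372, 5148, r"\??\c:\windows\resources\themes\explorer.exe",
              r"c:\windows\resources\themes\explorer.exe"),
    ProcEvent(948, 372, r"\??\c:\windows\resources\spoolsv.exe",
              r"c:\windows\resources\spoolsv.exe SE"),
    ProcEvent(4260, 948, r"\??\c:\windows\resources\svchost.exe",
              r"c:\windows\resources\svchost.exe"),
    ProcEvent(6040, 4260, r"\??\c:\windows\resources\spoolsv.exe",
              r"c:\windows\resources\spoolsv.exe PR"),
]

if __name__ == "__main__":
    for pid, name, reason in masquerade_findings(SAMPLE_EVENTS):
        print(f"PID {pid} {name}: {reason}")
    print(" <- ".join(ancestry(SAMPLE_EVENTS, 6040)))
```

On a real host the same two checks can be run over Sysmon Event ID 1 (Image, ParentImage) or a Windows Security 4688 feed; the directory check alone catches all four dropped impostors here, and the parent check adds a second, independent hit on the svchost.exe copy.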

Network

MITRE ATT&CK Matrix (ATT&CK v13; the number in parentheses is how many signatures map to the technique)

Persistence
  • T1547 Boot or Logon Autostart Execution (1)
  • T1547.001 Registry Run Keys / Startup Folder (1)

Privilege Escalation
  • T1547 Boot or Logon Autostart Execution (1)
  • T1547.001 Registry Run Keys / Startup Folder (1)

Defense Evasion
  • T1564 Hide Artifacts (1)
  • T1564.001 Hidden Files and Directories (1)
  • T1112 Modify Registry (2)
  • T1497 Virtualization/Sandbox Evasion (1)

Discovery
  • T1012 Query Registry (2)
  • T1497 Virtualization/Sandbox Evasion (1)
  • T1082 System Information Discovery (2)

Downloads

  • C:\Users\Admin\AppData\Local\Temp\main.exe (3.3MB)

    This is not the submitted target: it is a different file (3.3MB, different hashes) written to the same path as the 5.9MB main.exe and run as PID 1504 ("Executes dropped EXE" in the tree above).

    MD5: e168624c9f4fad11c86c25d583cefb04
    SHA1: a556c2fdfad5c51aba45adc409eaf7338d23a428
    SHA256: d0047a3ee6b59e8818d228ed777ca9b89d24704a434d27b81684024a413f3fbe
    SHA512: 4b4b96e7db991280e9bcf882ad5d693d7347343ebdf100f6710e034b7c0f410c6e67b19646b0904571eb0bc852e0137ee4d236af23463c89f1cbc48b419c404d

  • C:\Windows\Resources\Themes\explorer.exe (2.6MB)

    MD5: f5bdc0f31c9c63eebad2b9d73131c6e6
    SHA1: c2aec1b45a89247dac379bba6fdb0d068f55af7b
    SHA256: edc6fe56c1c59f15f5012f45ff126f02303397e7abb512d7fb3a4f73f9c9979b
    SHA512: 3bbbe2ae5864c6c55b4d9f7d652f0de75900dff8490c03ff1992466be4337a242e23f332ea6d6ba0dc6278da0830cbf9108749fac0cc79896524e6ecfde2c6a7

  • C:\Windows\Resources\Themes\icsys.icn.exe (2.6MB)

    MD5: 8fae25504ebef94f673e3c80794aebf2
    SHA1: 41c47bbb0df508aa7df176b341de0def27753bb5
    SHA256: be5266e372e2a0a51e96f68b0d63399ec215b47424333846fa178dbfcf4c423f
    SHA512: 62ef06081c7f3bf5e1d197f804976479ce983203eb1001b5d9aaeb342d86b041711ad9075ef88952d37051bd2f3a22a391534543d9dd1340db801bde4b1c7aaa

  • C:\Windows\Resources\spoolsv.exe (2.6MB)

    MD5: 0998013c8deab23ce6988c8218e60b5b
    SHA1: 3c7f549fc9e4fa1ce47d36959225207e7b270db6
    SHA256: 0c2fcd81abb7ca27e471a7243467bd5f867880f82dfb5ac2c4e766bfcc7f6777
    SHA512: 0a8a1d13bd8d601817105ef43eab4a692a669eae8f36e9c33773d5153699c1a66d9a6998da0a0f5fb4adeda043819b36c5cc3af6e5bb8d09f029ecfb78699234

  • C:\Windows\Resources\svchost.exe (2.6MB)

    MD5: beb74e679b08af1a99412a0b1a76996e
    SHA1: 54b4b093b74239a35fe8d71f81d2bfed9b4b6b91
    SHA256: 53bef16ecbe4d4a1ddef442d26aa781c36343445ef4a65cc712feec11d216cee
    SHA512: fdfee6f2b50803a0a99bd91447b470a4b7b9e89e759438c7bcb82cfb73610713c669310bbc34a7f2a76151df48e99eaa38636bbd87d5af71615f3ee2dab04d74

    Note that the four 2.6MB drops are all the same size but carry four different hashes, so hash-only indicators from this run will not match the copies another infection writes; the paths and the process relationships are the stable indicators.

  • Memory dumps (file names follow memory/<PID>-<dump index>-<start>-<end>-memory.dmp; every region is 0x0000000000400000-0x0000000000A16000, 6.1MB, unless noted)

    PID 372:  dumps 22, 56, 68, 74, 78
    PID 948:  dumps 31, 52
    PID 4260: dumps 40, 57
    PID 4976: dumps 0, 55; dump 1 is 0x00000000777D4000-0x00000000777D6000 (8KB)
    PID 5148: dumps 12, 53
    PID 6040: dump 49

    All six processes map the same 6.1MB image region at 0x400000, larger than the 2.6MB files on disk, which is consistent with a Themida-protected image being unpacked to its full virtual size at runtime.
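The dropped-file list above gives two kinds of indicator: the hashes of this run's copies and the paths the sample writes to. The script below is an added example, not part of the sandbox report, for sweeping a filesystem root (a mounted disk image, a mapped drive, or a test directory) for both: it hashes every regular file, reports any whose SHA256 is in the report's set, and separately reports any file at one of the report's drop paths whatever its hash, since the four 2.6MB drops here already differ from each other. The hash set and paths are copied from this page; the demo tree and its file contents are constructed, and "Admin" is the sandbox user, so on real hosts the Temp path should be widened to every user profile.

```python
"""Hunt a filesystem root for the files this report lists as dropped.

Added example. REPORTED_SHA256 and DROP_PATHS are copied from the report;
the demo tree written by build_demo_root() is constructed.
"""
import hashlib
import os
import tempfile

# SHA256 values from the report's Downloads section.
REPORTED_SHA256 = {
    "d0047a3ee6b59e8818d228ed777ca9b89d24704a434d27b81684024a413f3fbe": "Temp\\main.exe (3.3MB dropped copy)",
    "edc6fe56c1c59f15f5012f45ff126f02303397e7abb512d7fb3a4f73f9c9979b": "Themes\\explorer.exe",
    "be5266e372e2a0a51e96f68b0d63399ec215b47424333846fa178dbfcf4c423f": "Themes\\icsys.icn.exe",
    "0c2fcd81abb7ca27e471a7243467bd5f867880f82dfb5ac2c4e766bfcc7f6777": "Resources\\spoolsv.exe",
    "53bef16ecbe4d4a1ddef442d26aa781c36343445ef4a65cc712feec11d216cee": "Resources\\svchost.exe",
}

# Drop locations from the report, relative to the volume root, lower-cased,
# forward slashes. "admin" is the sandbox user; widen to users/*/... on real hosts.
DROP_PATHS = {
    "users/admin/appdata/local/temp/main.exe",
    "windows/resources/themes/explorer.exe",
    "windows/resources/themes/icsys.icn.exe",
    "windows/resources/spoolsv.exe",
    "windows/resources/svchost.exe",
}


def sha256_of(path, chunk=1 << 20):
    """Stream the file so multi-megabyte binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def rel_key(root, path):
    """Normalise to the DROP_PATHS form so comparison is OS-independent."""
    return os.path.relpath(path, root).replace(os.sep, "/").lower()


def hunt(root, known_hashes=REPORTED_SHA256):
    """Return {'hash_hits': [(relpath, label)], 'path_hits': [(relpath, sha256)]}."""
    hash_hits, path_hits = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):      # skip dangling symlinks, devices
                continue
            key = rel_key(root, full)
            digest = sha256_of(full)
            if digest in known_hashes:
                hash_hits.append((key, known_hashes[digest]))
            if key in DROP_PATHS:
                path_hits.append((key, digest))
    return {"hash_hits": sorted(hash_hits), "path_hits": sorted(path_hits)}


def build_demo_root(base):
    """Write a constructed tree: two files at reported drop paths, one benign file."""
    layout = {
        "Windows/Resources/spoolsv.exe": b"constructed: stands in for the dropped spoolsv.exe",
        "Users/Admin/AppData/Local/Temp/main.exe": b"constructed: stands in for the dropped main.exe",
        "Windows/System32/spoolsv.exe": b"constructed: stands in for the real print spooler",
    }
    for rel, data in layout.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return os.path.join(base, "Windows", "Resources", "spoolsv.exe")


def run_demo():
    """Sweep the constructed tree; returns the relative paths hit by each check."""
    with tempfile.TemporaryDirectory() as tmp:
        dropped = build_demo_root(tmp)
        # Constructed bytes cannot match the report's hashes, so add the demo
        # file's own digest to exercise the hash path alongside the path check.
        known = dict(REPORTED_SHA256)
        known[sha256_of(dropped)] = "constructed demo hash"
        result = hunt(tmp, known)
    return {
        "hash_hits": [key for key, _ in result["hash_hits"]],
        "path_hits": [key for key, _ in result["path_hits"]],
    }


if __name__ == "__main__":
    print(run_demo())
```

Against a live volume, call hunt() with the drive root (for example hunt("C:\\") on the host or hunt("/mnt/image") on a mounted image); the path check is the one that should alert on a fresh infection, and a hash hit on top of it tells you the copy is byte-identical to this run's.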