Analysis
-
max time kernel
150s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
28-04-2024 05:25
General
-
Target
main.exe
-
Size
5.9MB
-
MD5
3354496085a148bf84e4b9249d8ab9b2
-
SHA1
7f5a53faa73edac8a2999bc8624b8c8ce943f06a
-
SHA256
43cf51ea2ac2ea60017c077d196d9719c6217548510619aa8ac18c6657163c55
-
SHA512
66c9f316002593745d1b7e141c5c0cc70695f50f140ac2b9b32753a89ac3c482a3ca57afa825a2bd6c6e72855ac4367eb0ea1b933974fc3592739b63a93c71df
-
SSDEEP
98304:TXzhW148Pd+Tf1mpcOldJQ3/V5s18HdDo45ow3ONp2MTJs9wplordZNum6vukIP0:zFK4s0TfLOdo/bs1moU2N8AMmofNum6z
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 6 IoCs
-
Themida packer 19 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Drops file in Windows directory 5 IoCs
-
Detects Pyinstaller 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\main.exe"C:\Users\Admin\AppData\Local\Temp\main.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\main.exec:\users\admin\appdata\local\temp\main.exe2⤵
- Executes dropped EXE
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\main.exeFilesize
3.3MB
MD5e168624c9f4fad11c86c25d583cefb04
SHA1a556c2fdfad5c51aba45adc409eaf7338d23a428
SHA256d0047a3ee6b59e8818d228ed777ca9b89d24704a434d27b81684024a413f3fbe
SHA5124b4b96e7db991280e9bcf882ad5d693d7347343ebdf100f6710e034b7c0f410c6e67b19646b0904571eb0bc852e0137ee4d236af23463c89f1cbc48b419c404d
-
C:\Windows\Resources\Themes\explorer.exeFilesize
2.6MB
MD556b40d5815b1c6673dc2dd3ada5200eb
SHA1b304c00046dbc812bd3e071546f4559ae4b71963
SHA256b4e72fc62a612a6bf816e2e65edc0bbecb15f19310bdd9ad807495ca94571163
SHA512591f95c7e4b234ec54a72af0c5742dfe23835acac4b3dbf542ae17cd1da35538c73976d1f732485b82937ebe558db985e54e6fe1a21d880d0899bbfd14bda598
-
C:\Windows\Resources\Themes\icsys.icn.exeFilesize
2.6MB
MD58fae25504ebef94f673e3c80794aebf2
SHA141c47bbb0df508aa7df176b341de0def27753bb5
SHA256be5266e372e2a0a51e96f68b0d63399ec215b47424333846fa178dbfcf4c423f
SHA51262ef06081c7f3bf5e1d197f804976479ce983203eb1001b5d9aaeb342d86b041711ad9075ef88952d37051bd2f3a22a391534543d9dd1340db801bde4b1c7aaa
-
C:\Windows\Resources\spoolsv.exeFilesize
2.6MB
MD56adeccb29342517f69e9e208d3fe40ba
SHA18812209e5d1f843279214fda7d1e6bfeefda29c2
SHA256e12081185625d6902b7813fe2b3ca94ec8263c6e1a1e9eb62c6c47e915fc19ae
SHA512196ba6486ec68f62dcf9fe1339cb652fa1c08e7f43b5b39a89d6c0d020b9efc693d84f79c21af03b45a1078383202d095abba65d35a2fcad9068d863ef1c3cf9
-
C:\Windows\Resources\svchost.exeFilesize
2.6MB
MD5cd57d04edf327014fe52ed4290e7de22
SHA149cb8f3bdfb760897f56e49e5922453fba7b797f
SHA256f61af3aeee7ed1ced1fcf7a527ee6078a3a7a9e7544469843e8c7cfe907004e7
SHA5124c614dbdaf07813989a01cb332457bcbc1f1b3f08ca8d1011802081ecf2b08d620058a4aecf2637fd812d47962cf7d3047586b61886a323edcbae2cbd7cd1dc2
-
memory/1396-52-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/1396-31-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/3364-40-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/3364-58-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/3384-1-0x0000000077D34000-0x0000000077D36000-memory.dmpFilesize
8KB
-
memory/3384-0-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/3384-56-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/3972-54-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/3972-12-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/4560-50-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/4560-45-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/4808-22-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/4808-57-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/4808-69-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/4808-77-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/4808-81-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB