Overview

overview

10

Static

static

7

setup.exe

windows7-x64

10

setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-05-2024 16:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    721.0MB

  • MD5

    646f798c1a5eb86782cbbf04cba11e05

  • SHA1

    bd0cb120ac3b85bd1e9dbc72e4a31efe31a92cfb

  • SHA256

    1fe61c0e579f78c18d549c561581ab83cc6927ac18666b96e20f9bb3588ab72e

  • SHA512

    0bea0e8314c44d3dd92aac98ea179b5d32e05d7bdc430a1baf46138de728ecc724baba5fc50ee0261f7023a511ecac8c4add73bd45783f10bba9512eb9b3b1d6

  • SSDEEP

    49152:aWz0ly6XPtviJZlYcUCSWn59QZbuNhCNy5HFFeop4W4H7khMf2jTujMMa:rzT6w3YcVDn5Mu+Ny5+Bkh1wM

Score
10/10
evasionthemidatrojan

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 1 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Modifies firewall policy service
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4584
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
      PID:1320
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
      1⤵
        PID:4984

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/4584-0-0x0000000140000000-0x000000014089E000-memory.dmp

        Filesize

        8.6MB

        Download

      • memory/4584-1-0x00007FFDA8284000-0x00007FFDA8285000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4584-2-0x00007FFDA8220000-0x00007FFDA84E9000-memory.dmp

        Filesize

        2.8MB

        Download

      • memory/4584-3-0x00007FFDA8220000-0x00007FFDA84E9000-memory.dmp

        Filesize

        2.8MB

        Download

      • memory/4584-11-0x00007FFDA8220000-0x00007FFDA84E9000-memory.dmp

        Filesize

        2.8MB

        Download

      • memory/4584-12-0x0000000140000000-0x000000014089E000-memory.dmp

        Filesize

        8.6MB

        Download

      • memory/4584-15-0x00007FFDA8220000-0x00007FFDA84E9000-memory.dmp

        Filesize

        2.8MB

        Download

      • memory/4584-14-0x00007FFDA8284000-0x00007FFDA8285000-memory.dmp

        Filesize

        4KB

        Download