8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913

General

Target

8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913.exe
Size

389KB
MD5

d6078bbecc15a333c6171debc4488498
SHA1

ca57a639ec0fc1a6489b69278478c5845a4c046b
SHA256

8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913
SHA512

912f67baa141bb846a12568c94d5dfbd6d6cdefe0a036a9249accd83e9ee460bc8863758c8bd5cdac7a0af3f481194b57ef414378ebb400967579ba6d736469e
SSDEEP

6144:vLFJaFBq+TaKqqrlBLSIOHGt8i3/gmjX/RBdRP2gjycIeVMO+ZyeR:vOlldCGt//gmjXjdR+KjFVMPZN

Score

8^/10

execution themida

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4792	powershell.exe

Downloads MZ/PE file

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000700000001ac05-115.dat	themida
behavioral2/memory/4892-116-0x0000000140000000-0x000000014097B000-memory.dmp	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
4	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	ipinfo.io
39	ipinfo.io
36	api.myip.com
37	api.myip.com

C:\Users\Admin\AppData\Local\Temp\8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913.exe
"C:\Users\Admin\AppData\Local\Temp\8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913.exe"
1⤵
PID:4184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:1032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  PID:2284
- - C:\Users\Admin\Pictures\bdavfZZFicdbKI1ZiLxprwnq.exe
    "C:\Users\Admin\Pictures\bdavfZZFicdbKI1ZiLxprwnq.exe"
    3⤵
    PID:4420
- - C:\Users\Admin\Pictures\gcpmGhkakEXvIsjTVKXaehng.exe
    "C:\Users\Admin\Pictures\gcpmGhkakEXvIsjTVKXaehng.exe"
    3⤵
    PID:3896
- - C:\Users\Admin\Pictures\mFQc9BZffjGz2LnGCGzJWet2.exe
    "C:\Users\Admin\Pictures\mFQc9BZffjGz2LnGCGzJWet2.exe"
    3⤵
    PID:4720
- - C:\Users\Admin\Pictures\GCaJ5trckTwylOM9nXyJfmn6.exe
    "C:\Users\Admin\Pictures\GCaJ5trckTwylOM9nXyJfmn6.exe"
    3⤵
    PID:428
- - C:\Users\Admin\Pictures\LLdz0x5IMmw28muvo7o710FW.exe
    "C:\Users\Admin\Pictures\LLdz0x5IMmw28muvo7o710FW.exe"
    3⤵
    PID:3932
- - C:\Users\Admin\Pictures\UCZGqLya6o9l5652wuXzUnPP.exe
    "C:\Users\Admin\Pictures\UCZGqLya6o9l5652wuXzUnPP.exe"
    3⤵
    PID:4572
- - C:\Users\Admin\Pictures\FchBkh5BUJxrYdaCfzpA4Oxq.exe
    "C:\Users\Admin\Pictures\FchBkh5BUJxrYdaCfzpA4Oxq.exe"
    3⤵
    PID:4892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3632

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0mjondcn.5mi.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Pictures\BpKtAJmpkL8ilJcrPdppZ15u.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\FchBkh5BUJxrYdaCfzpA4Oxq.exe

Filesize
2.8MB

MD5
d41fd1ea6e0ca0032be2174317f60fd8

SHA1
60f001b9d201259aa333e9b202e4ab5648d16bf3

SHA256
3c56d175e67df7e1664bbedd95abee57cf93a7aceaf80374ede4ce1fc4a30990

SHA512
a4ce799f1ce9157d053dcb1694dcb127d98e994eb55cecb484ace1c192cf80a1fbfb7b8de94851a49e915cafebc568f70ce07b912e5901387ed90639c692c16e

Download Submit
C:\Users\Admin\Pictures\GCaJ5trckTwylOM9nXyJfmn6.exe

Filesize
213KB

MD5
718455b384af2a8caa79eca4c64b7d78

SHA1
84993e856abe4c3c90a61f95f02252dfbe94b356

SHA256
1e418b3dae341f3196b5c3c23cb11eb071dbb82c77ebef9badfd74e3ddea1aac

SHA512
46f51aa5f2fa32f597bbc6e6d375d8d0b9baa2fae2ec68a76fdba63e0d831a514658aa26c137657b8ad1ec653b1f4f5c728b3a61a40f0ba3e0b67a381d02537f

Download Submit
C:\Users\Admin\Pictures\LLdz0x5IMmw28muvo7o710FW.exe

Filesize
4.1MB

MD5
f6156b63d313f7247432a693de39daef

SHA1
bff890bf23551db49d04af57779630bea35356a9

SHA256
f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620

SHA512
54c61e755d5661da14ebfef93b9fa61d02f59fb43edc1310cf21c0780479bc54be973836286f0d5104a946e9d511e94162d38e2a5471f0f386b7b7e396e7f759

Download Submit
C:\Users\Admin\Pictures\bdavfZZFicdbKI1ZiLxprwnq.exe

Filesize
384KB

MD5
f969256486cae8c6c357924481ec86ee

SHA1
95f91c8a6539700b4dd6077ba3a778c13bc72d4d

SHA256
d719fb243a6d2ad33a76aa78ee66f4763a36c78a2373a01de223fb5c27b722da

SHA512
106959ab072744ae5ce79cbc627040dbd32bb416407ca7d1f848ae49dbb609f900c0f34696fc5e30c5418d889b5c07b35d5a0f9b4f1be1e662621ba2c4491e16

Download Submit
C:\Users\Admin\Pictures\gcpmGhkakEXvIsjTVKXaehng.exe

Filesize
4.1MB

MD5
0ed8d071deae90ff638cb070d0b9559d

SHA1
9b39b4703ccd78d9ca56bbf2f4c168d71a7bcfda

SHA256
691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99

SHA512
960a5a4e2b4f82bb7273cbab8bf622933c6e603cdc44b59b409c285b62c3a2c741bca7692ed77864520aa95c85a2f3fc31ddc9383caada588828d953346c2729

Download Submit
memory/2284-49-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4184-0-0x00007FFBE0F83000-0x00007FFBE0F84000-memory.dmp

Filesize
4KB

Download
memory/4184-3-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

Filesize
9.9MB

Download
memory/4184-2-0x0000026AF92E0000-0x0000026AF933E000-memory.dmp

Filesize
376KB

Download
memory/4184-1-0x0000026ADED50000-0x0000026ADED5A000-memory.dmp

Filesize
40KB

Download
memory/4792-13-0x0000023BCF9F0000-0x0000023BCFA66000-memory.dmp

Filesize
472KB

Download
memory/4792-27-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

Filesize
9.9MB

Download
memory/4792-46-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

Filesize
9.9MB

Download
memory/4792-55-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

Filesize
9.9MB

Download
memory/4792-14-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

Filesize
9.9MB

Download
memory/4792-11-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

Filesize
9.9MB

Download
memory/4792-8-0x0000023BCED20000-0x0000023BCED42000-memory.dmp

Filesize
136KB

Download
memory/4892-116-0x0000000140000000-0x000000014097B000-memory.dmp

Filesize
9.5MB

Download

Analysis

Sharing