57e35a9db07b372120acd222627eba20e03d4baa88d5fc098e681ddd98b31e87

General

Target

file_x86x64_release/file.exe
Size

712.0MB
MD5

1b46efea69196395a3c449b51f34db34
SHA1

48f324b80cd0a99ae86b524ec87d0730b795829e
SHA256

ff5ef2b18f72873d947d56ff4d5e9ad98af122cd7260d9b2ae931f81df1fc4a7
SHA512

c92907ccd3ad05cd42ab34e71dfc4e45d5b4d6307411d880506197640210d82db726c467fb76bb773a96409a0d23484578c2825b1bc50103cc9b4636cbce2003
SSDEEP

98304:zTW+uIGD8foJWXlj+F2gMFqA/sOVfeS5zc4UcwqyB4qNGDPXRDCOBc4S5BTjGv0e:3QIGD8UyxfrRRfngGDqefMOBcxTg0lI

Score

10^/10

evasion themida trojan

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

file.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	file.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

file.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral4/memory/3316-0-0x0000000140000000-0x0000000140BAF000-memory.dmp	themida
behavioral4/memory/3316-8-0x0000000140000000-0x0000000140BAF000-memory.dmp	themida
behavioral4/memory/3316-9-0x0000000140000000-0x0000000140BAF000-memory.dmp	themida
behavioral4/memory/3316-10-0x0000000140000000-0x0000000140BAF000-memory.dmp	themida
behavioral4/memory/3316-7-0x0000000140000000-0x0000000140BAF000-memory.dmp	themida
behavioral4/memory/3316-19-0x0000000140000000-0x0000000140BAF000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

file.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA file.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 api.myip.com
18 api.myip.com
19 ipinfo.io
20 ipinfo.io

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file.exe

flow	ioc
17	api.myip.com
18	api.myip.com
19	ipinfo.io
20	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

file.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	file.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	file.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	file.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	file.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

file.exe

pid process

3316 file.exe
3316 file.exe

pid	process
3316	file.exe
3316	file.exe

C:\Users\Admin\AppData\Local\Temp\file_x86x64_release\file.exe
"C:\Users\Admin\AppData\Local\Temp\file_x86x64_release\file.exe"
1⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3316-2-0x00007FFB3E600000-0x00007FFB3E8C9000-memory.dmp

Filesize
2.8MB

Download
memory/3316-1-0x00007FFB3E664000-0x00007FFB3E665000-memory.dmp

Filesize
4KB

Download
memory/3316-3-0x00007FFB3E600000-0x00007FFB3E8C9000-memory.dmp

Filesize
2.8MB

Download
memory/3316-0-0x0000000140000000-0x0000000140BAF000-memory.dmp

Filesize
11.7MB

Download
memory/3316-5-0x00007FFB3E600000-0x00007FFB3E8C9000-memory.dmp

Filesize
2.8MB

Download
memory/3316-4-0x00007FFB3E600000-0x00007FFB3E8C9000-memory.dmp

Filesize
2.8MB

Download
memory/3316-6-0x00007FFB3E600000-0x00007FFB3E8C9000-memory.dmp

Filesize
2.8MB

Download
memory/3316-8-0x0000000140000000-0x0000000140BAF000-memory.dmp

Filesize
11.7MB

Download
memory/3316-9-0x0000000140000000-0x0000000140BAF000-memory.dmp

Filesize
11.7MB

Download
memory/3316-10-0x0000000140000000-0x0000000140BAF000-memory.dmp

Filesize
11.7MB

Download
memory/3316-7-0x0000000140000000-0x0000000140BAF000-memory.dmp

Filesize
11.7MB

Download
memory/3316-11-0x00007FFB3E600000-0x00007FFB3E8C9000-memory.dmp

Filesize
2.8MB

Download
memory/3316-19-0x0000000140000000-0x0000000140BAF000-memory.dmp

Filesize
11.7MB

Download
memory/3316-20-0x00007FFB3E600000-0x00007FFB3E8C9000-memory.dmp

Filesize
2.8MB

Download
memory/3316-21-0x00007FFB3E664000-0x00007FFB3E665000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads