Overview

overview

10

Static

static

10

5e1a3ab7b5...f9.exe

windows7-x64

10

5e1a3ab7b5...f9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-05-2024 22:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5e1a3ab7b5bb57aa471a9f3c55f00f2d480b8a913ef50bebd8dfef976a45acf9.exe

  • Size

    2.5MB

  • MD5

    bb5b3ef7f75abcbd428305aed454aaa1

  • SHA1

    1b03a86daabcba9c2ef9134cf3e9dcb4b5e4efeb

  • SHA256

    5e1a3ab7b5bb57aa471a9f3c55f00f2d480b8a913ef50bebd8dfef976a45acf9

  • SHA512

    67a1c4c8a0a6c163567cbb5a5974512c9a309be7184a19479bea7a75092dbdbba45169eaa312eea49ca1e850fb3bbd84da22146b545b5f747fc54654408bf13f

  • SSDEEP

    49152:MxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxJ:Mxx9NUFkQx753uWuCyyxJ

Score
10/10
evasionpersistencethemidatrojan

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Detects executables packed with Themida 18 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Themida packer 18 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
    evasiontrojan
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e1a3ab7b5bb57aa471a9f3c55f00f2d480b8a913ef50bebd8dfef976a45acf9.exe
    "C:\Users\Admin\AppData\Local\Temp\5e1a3ab7b5bb57aa471a9f3c55f00f2d480b8a913ef50bebd8dfef976a45acf9.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:848
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3396
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1636
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2536
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:1436

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize

    2.5MB

    MD5

    5a1249c2a711f2564cf7192e877b06d6

    SHA1

    0294a1127cdaf3437e9db175ad581ca0918e7549

    SHA256

    c08a63b5afad7f3c613a883c5c378f3f3f888f5d970971488797757d5a0090f8

    SHA512

    300942f412546272a43752d5c677773f4774e26f7d8dbb22a987a7e1f29601bcd958d3d13b81a8af8f1667531f3f3d1ecf3ff9fcd532d1c1d0af754a9a7a47a2

    Download Submit

  • C:\Windows\Resources\spoolsv.exe
    Filesize

    2.5MB

    MD5

    2cfc95ee917709246d71b87c51b5b6df

    SHA1

    6f85b29a47aaa043e191bcbda985b3d34b1c7bab

    SHA256

    681d78b743bbf3c4fd5fa84ac97087b3d6a1d1b58747116abe26fc08dc002fe2

    SHA512

    69f95e6d924f20a90c0e16d5edeff7b2f2d9001307c61b1a537be4f52060c88b3d4643886576908e06cb201a3af80d549879a118da8d52f1374b8f34e2458b63

    Download Submit

  • \??\c:\windows\resources\svchost.exe
    Filesize

    2.5MB

    MD5

    cb74c1941f91078f920e8cb78827fddd

    SHA1

    036b8663643991471e75919ddc7f8c4f7cdf0e20

    SHA256

    1da489b0bb904ae45e9011c74b3de67ecc65550e5895e6efb96fc1c5b63e7c28

    SHA512

    12dd8e0b55431e3cafeabb5f352c29fb21a42c38b8428147ec325edc94b18dfe62c30ca1105eb9d382992e0766faa890feee36e92986abb3c1a5a7e29f758069

    Download Submit

  • memory/848-1-0x0000000077D34000-0x0000000077D36000-memory.dmp

    Filesize

    8KB

    Download

  • memory/848-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/848-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1436-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1436-38-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1636-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1636-40-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2536-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2536-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2536-62-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2536-64-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3396-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3396-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3396-47-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3396-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3396-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

    Filesize

    6.1MB

    Download