699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733

General

Target

699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe
Size

10.9MB
MD5

9db421b3268349238e51c91c6c201f48
SHA1

4f073f55089c4b0656a749533dcc58bbefa3d950
SHA256

699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733
SHA512

7f963ab690640bef60e6f4d7daa16d791244497bb8d8c4a2701eeb81fef93374b3b9a4876cb1f1cd2c1fece632f8f48286ee932159fe8c9757c6e1c74d0a596d
SSDEEP

196608:chUC3fTTEi1xkEqJRDwcitpspw064ijZDOBDI/L72PLfVwe09oYA17/n5:chUs/cDwDs85jZgEHaee0hCr

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe

Executes dropped EXE 2 IoCs

Processes:

699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe

pid process

2584 699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe
1276

pid	process
2584	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe
1276

Loads dropped DLL 4 IoCs

Processes:

699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe

pid	process
1372	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe
2936	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe
2936	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe
1276

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe	themida
behavioral1/memory/2584-22-0x0000000000D80000-0x0000000001CCE000-memory.dmp	themida
behavioral1/memory/2584-23-0x0000000000D80000-0x0000000001CCE000-memory.dmp	themida
behavioral1/memory/2584-29-0x0000000000D80000-0x0000000001CCE000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe

pid process

2584 699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe

pid	process
2584	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe

pid	process
2936	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe
2936	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe
2936	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe

pid	process
2936	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe
2936	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe
2936	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe

pid	process
1372	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe
2936	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe
2936	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe

description	pid	process	target process
PID 1372 wrote to memory of 2936	1372	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe
PID 1372 wrote to memory of 2936	1372	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe
PID 1372 wrote to memory of 2936	1372	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe
PID 1372 wrote to memory of 2936	1372	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe
PID 2936 wrote to memory of 2584	2936	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe
PID 2936 wrote to memory of 2584	2936	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe
PID 2936 wrote to memory of 2584	2936	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe
PID 2936 wrote to memory of 2584	2936	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe	699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe

C:\Users\Admin\AppData\Local\Temp\699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe
"C:\Users\Admin\AppData\Local\Temp\699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe
  C:\Users\Admin\AppData\Local\Temp\699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe -a -d
  2⤵
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe
    "C:\Users\Admin\AppData\Local\Temp\699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe

Filesize
7.5MB

MD5
eddb7d5bbc8dbc9aabc6becaf6a72493

SHA1
8f8cf7e9915c904f2cf28a06f8b9504de4502587

SHA256
d5d59bb06e467a56284a36eeff3718061b01a0c6a983b9173c89d1e6177d97e8

SHA512
96958aca72118c19a199213c2b53d305574ba92d826462ae185e5a6c9b34baf9955d506dda412fbe5db5302704a002f80ef4f9001082bff0e87c43856ea54350

Download Submit
\Users\Admin\AppData\Local\Temp\cyyundun.dll

Filesize
332KB

MD5
8722259b998800a37c3991c58ce64f96

SHA1
d370272422272eaf9aca8bc17ba9bcba1b83df70

SHA256
b115d63bee020042256019ee14fa0570483180e29c4deb7ed5b8fab522b05244

SHA512
867872e22769ecdba19daca70d6ef2bbb9e310abd90ddd1c3ff5b9a3375ef11488f1f7ac021c579ab58b7e8125c8bada584a1e96bb15fcee5837307cb64a6857

Download Submit
memory/1372-4-0x0000000074A30000-0x0000000074A97000-memory.dmp

Filesize
412KB

Download
memory/1372-5-0x0000000074A30000-0x0000000074A97000-memory.dmp

Filesize
412KB

Download
memory/2584-24-0x0000000000C60000-0x0000000000CBC000-memory.dmp

Filesize
368KB

Download
memory/2584-18-0x0000000000D80000-0x0000000001CCE000-memory.dmp

Filesize
15.3MB

Download
memory/2584-22-0x0000000000D80000-0x0000000001CCE000-memory.dmp

Filesize
15.3MB

Download
memory/2584-23-0x0000000000D80000-0x0000000001CCE000-memory.dmp

Filesize
15.3MB

Download
memory/2584-25-0x0000000000590000-0x0000000000598000-memory.dmp

Filesize
32KB

Download
memory/2584-29-0x0000000000D80000-0x0000000001CCE000-memory.dmp

Filesize
15.3MB

Download
memory/2936-17-0x0000000004ED0000-0x0000000005E1E000-memory.dmp

Filesize
15.3MB

Download
memory/2936-11-0x0000000074900000-0x0000000074967000-memory.dmp

Filesize
412KB

Download
memory/2936-30-0x0000000074900000-0x0000000074967000-memory.dmp

Filesize
412KB

Download
memory/2936-31-0x0000000004ED0000-0x0000000005E1E000-memory.dmp

Filesize
15.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads