Overview

overview

9

Static

static

3

699b5cbdb0...33.exe

windows7-x64

9

699b5cbdb0...33.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    153s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 04:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe

  • Size

    10.9MB

  • MD5

    9db421b3268349238e51c91c6c201f48

  • SHA1

    4f073f55089c4b0656a749533dcc58bbefa3d950

  • SHA256

    699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733

  • SHA512

    7f963ab690640bef60e6f4d7daa16d791244497bb8d8c4a2701eeb81fef93374b3b9a4876cb1f1cd2c1fece632f8f48286ee932159fe8c9757c6e1c74d0a596d

  • SSDEEP

    196608:chUC3fTTEi1xkEqJRDwcitpspw064ijZDOBDI/L72PLfVwe09oYA17/n5:chUs/cDwDs85jZgEHaee0hCr

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe
    "C:\Users\Admin\AppData\Local\Temp\699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Users\Admin\AppData\Local\Temp\699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe
      C:\Users\Admin\AppData\Local\Temp\699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733.exe -a -d
      2⤵
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:532
      • C:\Users\Admin\AppData\Local\Temp\699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe
        "C:\Users\Admin\AppData\Local\Temp\699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:1856
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3992 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1384

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\699b5cbdb04c84f15094d59929b94bcac1b615e726928679cd5c5bfde8b41733_app.exe
      Filesize

      7.5MB

      MD5

      eddb7d5bbc8dbc9aabc6becaf6a72493

      SHA1

      8f8cf7e9915c904f2cf28a06f8b9504de4502587

      SHA256

      d5d59bb06e467a56284a36eeff3718061b01a0c6a983b9173c89d1e6177d97e8

      SHA512

      96958aca72118c19a199213c2b53d305574ba92d826462ae185e5a6c9b34baf9955d506dda412fbe5db5302704a002f80ef4f9001082bff0e87c43856ea54350

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\cyyundun.dll
      Filesize

      332KB

      MD5

      8722259b998800a37c3991c58ce64f96

      SHA1

      d370272422272eaf9aca8bc17ba9bcba1b83df70

      SHA256

      b115d63bee020042256019ee14fa0570483180e29c4deb7ed5b8fab522b05244

      SHA512

      867872e22769ecdba19daca70d6ef2bbb9e310abd90ddd1c3ff5b9a3375ef11488f1f7ac021c579ab58b7e8125c8bada584a1e96bb15fcee5837307cb64a6857

      Download Submit
    • memory/532-28-0x0000000074650000-0x00000000746B7000-memory.dmp
      Filesize

      412KB

      Download
    • memory/532-9-0x0000000074650000-0x00000000746B7000-memory.dmp
      Filesize

      412KB

      Download
    • memory/1856-21-0x0000000000420000-0x000000000136E000-memory.dmp
      Filesize

      15.3MB

      Download
    • memory/1856-15-0x0000000000420000-0x000000000136E000-memory.dmp
      Filesize

      15.3MB

      Download
    • memory/1856-16-0x00007FFE00000000-0x00007FFE00002000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1856-17-0x00007FFE00030000-0x00007FFE00031000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1856-20-0x0000000000420000-0x000000000136E000-memory.dmp
      Filesize

      15.3MB

      Download
    • memory/1856-22-0x000001396E8A0000-0x000001396E8FC000-memory.dmp
      Filesize

      368KB

      Download
    • memory/1856-23-0x000001396E7D0000-0x000001396E7D8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1856-27-0x0000000000420000-0x000000000136E000-memory.dmp
      Filesize

      15.3MB

      Download
    • memory/4900-10-0x0000000074650000-0x00000000746B7000-memory.dmp
      Filesize

      412KB

      Download
    • memory/4900-4-0x0000000074650000-0x00000000746B7000-memory.dmp
      Filesize

      412KB

      Download