1b475e95186ce2a8843516be389b66a6c53c6b77bdac33ffcf5d00af133e7570

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

8.4MB
MD5

d1833b094db1e4c4c11123282365a44a
SHA1

44ac20657fdab59a5ca47afbdd08443adc59b973
SHA256

341c5c573350df8f79d7f2152bb239305b3df4f87fe18f8eb2cf9dbbb7aea375
SHA512

da1d8d0fc174a53c38b21b000846a1b250df05759436769f4453f03313028d92204660e45c172770a7ca1d6755b0833c92b766114993b65bd6d95ae20f626cbf
SSDEEP

196608:8QCjP+Q3V+80miPUHtXmDO/Jxwxvrqz7xdLqIjS:SP+2VDKUNV/3MYxdLq/

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

loader.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ loader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	loader.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	loader.exe

Executes dropped EXE 1 IoCs

Processes:

loader.exe

pid process

2356 loader.exe
Loads dropped DLL 2 IoCs

Processes:

loader.exeloader.exe

pid process

1892 loader.exe
2356 loader.exe

pid	process
2356	loader.exe

pid	process
1892	loader.exe
2356	loader.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral11/memory/1892-0-0x000000013FD40000-0x0000000140B87000-memory.dmp	themida
behavioral11/memory/1892-3-0x000000013FD40000-0x0000000140B87000-memory.dmp	themida
behavioral11/memory/1892-5-0x000000013FD40000-0x0000000140B87000-memory.dmp	themida
behavioral11/memory/1892-6-0x000000013FD40000-0x0000000140B87000-memory.dmp	themida
behavioral11/memory/1892-1-0x000000013FD40000-0x0000000140B87000-memory.dmp	themida
behavioral11/memory/1892-4-0x000000013FD40000-0x0000000140B87000-memory.dmp	themida
behavioral11/memory/1892-2-0x000000013FD40000-0x0000000140B87000-memory.dmp	themida
behavioral11/memory/1892-111-0x000000013FD40000-0x0000000140B87000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

loader.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA loader.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	loader.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

loader.exe

description	pid	process	target process
PID 1892 wrote to memory of 2356	1892	loader.exe	loader.exe
PID 1892 wrote to memory of 2356	1892	loader.exe	loader.exe
PID 1892 wrote to memory of 2356	1892	loader.exe	loader.exe

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Users\Admin\AppData\Local\Temp\onefile_1892_133608371981372000\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_1892_133608371981372000\loader.exe

Filesize
8.5MB

MD5
ae323eb510b9ec30e6870c8fbb63baf1

SHA1
82c522170b4082b305fd093a470fe7dd8507b11d

SHA256
edea8540e67667aaf4fd6a964c026c76c9e8ef1934ac56295ddd8ffedbd2a2f3

SHA512
677ec613ac3a03e795804b10698e6408679dddc7e787df35b0ec4205c27701ebe66cd549b3fba8f79984c6452e07a70e108dd1403000928d09e58b730faf4084

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1892_133608371981372000\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
memory/1892-0-0x000000013FD40000-0x0000000140B87000-memory.dmp

Filesize
14.3MB

Download
memory/1892-3-0x000000013FD40000-0x0000000140B87000-memory.dmp

Filesize
14.3MB

Download
memory/1892-5-0x000000013FD40000-0x0000000140B87000-memory.dmp

Filesize
14.3MB

Download
memory/1892-6-0x000000013FD40000-0x0000000140B87000-memory.dmp

Filesize
14.3MB

Download
memory/1892-1-0x000000013FD40000-0x0000000140B87000-memory.dmp

Filesize
14.3MB

Download
memory/1892-4-0x000000013FD40000-0x0000000140B87000-memory.dmp

Filesize
14.3MB

Download
memory/1892-2-0x000000013FD40000-0x0000000140B87000-memory.dmp

Filesize
14.3MB

Download
memory/1892-111-0x000000013FD40000-0x0000000140B87000-memory.dmp

Filesize
14.3MB

Download