eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60

General

Target

eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
Size

15.1MB
MD5

1f470c81a3ce621afd7a2cdc227e1257
SHA1

967fb1575a15192cd63c1a060ca5d2c536877309
SHA256

eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60
SHA512

c3856079f529f017ebbe8d1d010e3b8209c2af3fb377a45ccefad4ae33971d6af310035bafd35694514db9d6569a988e0a509d8c0efe79cf064c8589f9465f3e
SSDEEP

393216:dbKAn1QsCuCtot4YZRN8K1qqJLRL1Tt2/x0D4QwGy:MArCuCCi5zSDTt2JUfwB

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exeeaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exeeaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

Deletes itself 1 IoCs

Processes:

eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

pid process

4536 eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
Executes dropped EXE 1 IoCs

Processes:

eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

pid process

4536 eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

pid	process
4536	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

pid	process
4536	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

Loads dropped DLL 2 IoCs

Processes:

eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exeeaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

pid	process
2604	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
4536	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2604-0-0x0000000000400000-0x000000000155C000-memory.dmp	themida
behavioral2/memory/2604-2-0x0000000000400000-0x000000000155C000-memory.dmp	themida
behavioral2/memory/2604-3-0x0000000000400000-0x000000000155C000-memory.dmp	themida
behavioral2/memory/2604-4-0x0000000000400000-0x000000000155C000-memory.dmp	themida
behavioral2/memory/2604-7-0x0000000000400000-0x000000000155C000-memory.dmp	themida
C:\eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60\eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe	themida
behavioral2/memory/2604-102-0x0000000000400000-0x000000000155C000-memory.dmp	themida
behavioral2/memory/4536-104-0x0000000000400000-0x000000000155C000-memory.dmp	themida
behavioral2/memory/4536-105-0x0000000000400000-0x000000000155C000-memory.dmp	themida
behavioral2/memory/4536-106-0x0000000000400000-0x000000000155C000-memory.dmp	themida
behavioral2/memory/4536-107-0x0000000000400000-0x000000000155C000-memory.dmp	themida
behavioral2/memory/2604-170-0x0000000000400000-0x000000000155C000-memory.dmp	themida
behavioral2/memory/4536-177-0x0000000000400000-0x000000000155C000-memory.dmp	themida
behavioral2/memory/4536-178-0x0000000000400000-0x000000000155C000-memory.dmp	themida
behavioral2/memory/4536-179-0x0000000000400000-0x000000000155C000-memory.dmp	themida
behavioral2/memory/4536-180-0x0000000000400000-0x000000000155C000-memory.dmp	themida
behavioral2/memory/4536-182-0x0000000000400000-0x000000000155C000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exeeaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

description	ioc	process
File opened (read-only)	\??\M:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\N:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\S:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\T:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\U:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\V:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\A:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\K:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\X:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\Y:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\J:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\R:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\Z:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\B:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\I:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\H:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\L:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\P:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\Q:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\E:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\G:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\O:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
File opened (read-only)	\??\W:	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exeeaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

pid	process
2604	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
4536	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exeeaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

pid	process
2604	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
2604	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
4536	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
4536	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exeeaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

pid	process
2604	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
2604	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
2604	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
2604	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
2604	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
4536	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
4536	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
4536	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
4536	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
4536	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

description	pid	process	target process
PID 2604 wrote to memory of 4536	2604	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
PID 2604 wrote to memory of 4536	2604	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
PID 2604 wrote to memory of 4536	2604	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe	eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe

C:\Users\Admin\AppData\Local\Temp\eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
"C:\Users\Admin\AppData\Local\Temp\eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604

C:\eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60\eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
C:\eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60\eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3676 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4300b3cd3b18ba7efe1331756df433e0.txt
Filesize
68B

MD5
ce4a86307f09cd93bff417e80304a6a2

SHA1
e6dd65e76099565100a3ec6e2a491810c8dd82fe

SHA256
88f559c30e01b17c1a82d611327bd0ba9947e11d2fa503f4ca04391e09ec9389

SHA512
d2d9494b1c1fa331603d9949ca17a3756813e5cbc057959e84f08243dfb4983064d3d6666f52ecd1250a7f179a29fc5fad100b0f4b04740ad233e8f05a8baad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HPSocket4C.dll
Filesize
2.1MB

MD5
04869ada712c189caba4822be0e81ea5

SHA1
9c45486b30e6d3ccf0737c5766796baaf58232ab

SHA256
23078015adb0cf53ebf632a895a1a224b3718174e6c2887e1bbb2d28be5e2b8b

SHA512
16f98af15583c60da0cb947ea2230f759bfa27f86ef93ef5f7ffe2adcec6c5f115f52ffa74bae6cf8add94bb6a380fa276f391619256be7a45c53bb7421fdd9c

Download Submit
C:\Users\Admin\Documents\dz.ini
Filesize
171B

MD5
b2a1ce411f3c94364f4ffe8b850ca4e9

SHA1
aa62f4a86a0044b1b8beac55deecfb968b559e61

SHA256
d8011afd70bb3a01d5b09f910cc31c78eab186879f54eef302ff4e8bbed2e6b7

SHA512
78a184a6887ddf6cb74d2871a37c27cf4b681e6d77f0312f63d14779a073d79651298cc33235af2080bccab4dd52194e176f0acc983781884e3d2dba08e99b8c

Download Submit
C:\eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60\eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60.exe
Filesize
15.1MB

MD5
1f470c81a3ce621afd7a2cdc227e1257

SHA1
967fb1575a15192cd63c1a060ca5d2c536877309

SHA256
eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60

SHA512
c3856079f529f017ebbe8d1d010e3b8209c2af3fb377a45ccefad4ae33971d6af310035bafd35694514db9d6569a988e0a509d8c0efe79cf064c8589f9465f3e

Download Submit
C:\eaf59fdec51eed063096dd1d013fe81724d8ca97d69af416bf4fc14a17bffc60\ssl-cert.zip
Filesize
47KB

MD5
4013288c67a55944aa6ac38575f20622

SHA1
6f983f714828f6fcfe9c58927e97289a776a0c6e

SHA256
cd1ee91e2517363fb92a7d4928814695d045c5aa4c974c7ad6c2b940b7b73d06

SHA512
ceb3d94684ab2f3f151e1e9da1607218b6cfd3c38d8611cc7c4290742393c9300e92455ba40d7a4800f2d5b7f6b5d7e3bc50daf87bb70b1bf0cae62aceb9f9a3

Download Submit
memory/2604-170-0x0000000000400000-0x000000000155C000-memory.dmp

Filesize
17.4MB

Download
memory/2604-3-0x0000000000400000-0x000000000155C000-memory.dmp

Filesize
17.4MB

Download
memory/2604-4-0x0000000000400000-0x000000000155C000-memory.dmp

Filesize
17.4MB

Download
memory/2604-102-0x0000000000400000-0x000000000155C000-memory.dmp

Filesize
17.4MB

Download
memory/2604-1-0x0000000077A14000-0x0000000077A16000-memory.dmp

Filesize
8KB

Download
memory/2604-7-0x0000000000400000-0x000000000155C000-memory.dmp

Filesize
17.4MB

Download
memory/2604-108-0x00000000004BC000-0x00000000004BD000-memory.dmp

Filesize
4KB

Download
memory/2604-2-0x0000000000400000-0x000000000155C000-memory.dmp

Filesize
17.4MB

Download
memory/2604-0-0x0000000000400000-0x000000000155C000-memory.dmp

Filesize
17.4MB

Download
memory/4536-105-0x0000000000400000-0x000000000155C000-memory.dmp

Filesize
17.4MB

Download
memory/4536-107-0x0000000000400000-0x000000000155C000-memory.dmp

Filesize
17.4MB

Download
memory/4536-106-0x0000000000400000-0x000000000155C000-memory.dmp

Filesize
17.4MB

Download
memory/4536-104-0x0000000000400000-0x000000000155C000-memory.dmp

Filesize
17.4MB

Download
memory/4536-177-0x0000000000400000-0x000000000155C000-memory.dmp

Filesize
17.4MB

Download
memory/4536-178-0x0000000000400000-0x000000000155C000-memory.dmp

Filesize
17.4MB

Download
memory/4536-179-0x0000000000400000-0x000000000155C000-memory.dmp

Filesize
17.4MB

Download
memory/4536-180-0x0000000000400000-0x000000000155C000-memory.dmp

Filesize
17.4MB

Download
memory/4536-182-0x0000000000400000-0x000000000155C000-memory.dmp

Filesize
17.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads