c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed

General

Target

c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe
Size

6.6MB
MD5

02a7189dbb81604690c8bac9f0946557
SHA1

605863a7426bc3207ea2bf7d7b01ce06f0edfd8e
SHA256

c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed
SHA512

4c2812b2a1f73cc90fd3b86adf9533a0af2c1e86f282c8ca8ab977ff87fbb5ebdc36f4d3524022f447239fbb2045eb61e37c2f8ad3863edd2dedad1bc368c6e2
SSDEEP

98304:MAUH/O2fXSA57UpdRCufM4aJGTbbIl1+LxF7cg2CGABvoVPyuqyACXfTFY1uIb:MAUHl557ZucJI/xag9ckyRLmhb

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4856-0-0x0000000000400000-0x0000000001367000-memory.dmp	themida
behavioral2/memory/4856-1-0x0000000000400000-0x0000000001367000-memory.dmp	themida
behavioral2/memory/4856-3-0x0000000000400000-0x0000000001367000-memory.dmp	themida
behavioral2/memory/4856-30-0x0000000000400000-0x0000000001367000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe

pid process

4856 c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe

Drops file in Program Files directory 15 IoCs

Processes:

c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe

description	ioc	process
File created	C:\Program Files\JBridge\msvcr71.dll	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe
File created	C:\Program Files\JBridge\mfk71.dll	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe
File created	C:\Program Files\JBridge\plugin_name.64.dll	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe
File created	C:\Program Files\JBridge\Proxy32.dll	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe
File created	C:\Program Files\JBridge\Proxy64.dll	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe
File created	C:\Program Files\JBridge\auxhost64.exe	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe
File created	C:\Program Files\JBridge\Bridger32.dll	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe
File created	C:\Program Files\JBridge\mfc71.dll	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe
File created	C:\Program Files\JBridge\msvcp71.dll	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe
File created	C:\Program Files\JBridge\README.txt	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe
File created	C:\Program Files\JBridge\auxhost_default_settings.txt	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe
File created	C:\Program Files\JBridge\Bridger64.dll	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe
File created	C:\Program Files\JBridge\plugin_name.32.dll	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe
File created	C:\Program Files\JBridge\auxhost.exe	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe
File created	C:\Program Files\JBridge\JBridger.exe	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe

Runs regedit.exe 5 IoCs

Processes:

regedit.exeregedit.exeregedit.exeregedit.exeregedit.exe

pid process

4168 regedit.exe
3332 regedit.exe
4744 regedit.exe
3300 regedit.exe
3604 regedit.exe

pid	process
4168	regedit.exe
3332	regedit.exe
4744	regedit.exe
3300	regedit.exe
3604	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe

pid	process
4856	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe
4856	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe

pid	process
4856	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe
4856	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe

description	pid	process	target process
PID 4856 wrote to memory of 4168	4856	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe	regedit.exe
PID 4856 wrote to memory of 4168	4856	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe	regedit.exe
PID 4856 wrote to memory of 3332	4856	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe	regedit.exe
PID 4856 wrote to memory of 3332	4856	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe	regedit.exe
PID 4856 wrote to memory of 4744	4856	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe	regedit.exe
PID 4856 wrote to memory of 4744	4856	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe	regedit.exe
PID 4856 wrote to memory of 3300	4856	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe	regedit.exe
PID 4856 wrote to memory of 3300	4856	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe	regedit.exe
PID 4856 wrote to memory of 3604	4856	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe	regedit.exe
PID 4856 wrote to memory of 3604	4856	c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe	regedit.exe

C:\Users\Admin\AppData\Local\Temp\c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe
"C:\Users\Admin\AppData\Local\Temp\c6c57a03e14a28572a697f156f97ed5ac60663ec1271c754756dd335b21e9fed.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\regedit.exe
  regedit /s C:\Users\Admin\AppData\Local\Temp\e575b8d.tmp
  2⤵
  - Runs regedit.exe
  PID:4168
- C:\Windows\regedit.exe
  regedit /s C:\Users\Admin\AppData\Local\Temp\e575c2b.tmp
  2⤵
  - Runs regedit.exe
  PID:3332
- C:\Windows\regedit.exe
  regedit /s C:\Users\Admin\AppData\Local\Temp\e575c7a.tmp
  2⤵
  - Runs regedit.exe
  PID:4744
- C:\Windows\regedit.exe
  regedit /s C:\Users\Admin\AppData\Local\Temp\e575caa.tmp
  2⤵
  - Runs regedit.exe
  PID:3300
- C:\Windows\regedit.exe
  regedit /s C:\Users\Admin\AppData\Local\Temp\e575cca.tmp
  2⤵
  - Runs regedit.exe
  PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e575b8d.tmp

Filesize
132B

MD5
c3aa1676cadeb86b324cb568f72dbee3

SHA1
2948105c5b3e58c2775ae48fe658476f690bf414

SHA256
82a95e78751c28f29b330ddce4001fd0c77678a8b9292fb08b8c363acface50e

SHA512
8738e0ea5e9fd058e6577e566985e9666b16b7c56490814f95509faedbf89386b6f461ad96f821d8e08dc557e47a7b6c797b00973090d351e87da414e01b3ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\e575c2b.tmp

Filesize
98B

MD5
bcdf80e90522609d14fa19446bc17c87

SHA1
2f62ab90984ea0d4994d0e73c852521373c14a8d

SHA256
de790455179daf3ab96cfefa793f5d0eaca56b45da2fd2331b8df561fa8f08b0

SHA512
947a32cd6fb7b341a97d3ffc754c1037084c7f3e96e05edfe3179b58e0f3d23202e86ed5da91e6d6c8b93a1e2bd307fa0e5caf03dfb014df9f3fb7868fdf1957

Download Submit
C:\Users\Admin\AppData\Local\Temp\e575c7a.tmp

Filesize
144B

MD5
0c835aeeb5cc63779f4651746898d3fb

SHA1
af3b2c129bfc61beab16a11cc59fb98e7ff8c701

SHA256
515883317e4dbc4d5ecfc09b32c36d3ced53e3fd5db8ebbb151bb9e0fa3e7d74

SHA512
9bc848b2e94620f2af05093c81ac9d7b64603ee3259861ef03c38533f81b6741417c1b8c8cff4b09c925c0bc9db09526f9d76378c5b0cd0a42de14940ab784cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\e575caa.tmp

Filesize
110B

MD5
5c26168f481a99cac00c7fd8306da658

SHA1
485656263cf750d9505825ca6ba5afa4860a7103

SHA256
2a9e03ea107adb8542ac32b21c28864d9c6fcc651152f72c9959498baa865e9a

SHA512
b85aae30eb722a421078cb0e27f7701f128c5a4f201e948305aa23489e9868287f320eb1f72dce22f7687ac9f931744e9aa7fd0d7e335563ac8c88f000785294

Download Submit
C:\Users\Admin\AppData\Local\Temp\e575cca.tmp

Filesize
142B

MD5
3fda5d9eb00e8de27a67c26d1294b8c3

SHA1
7d50feb197ad5694e7ccdd8df72a4363e1bd3ecd

SHA256
6b95f1d6d06d31b850dd01ccb7f723bef3d6823b93c5feb4ff2bd9236630e3ec

SHA512
798db0157ddf577f27654a52b91a7c8956f3895da469f6352dc77081c83827660b0076da99c79719fe7ab5ef2013a44121dab5156292a4023e28c979d6db0302

Download Submit
memory/4856-0-0x0000000000400000-0x0000000001367000-memory.dmp

Filesize
15.4MB

Download
memory/4856-2-0x0000000077564000-0x0000000077566000-memory.dmp

Filesize
8KB

Download
memory/4856-1-0x0000000000400000-0x0000000001367000-memory.dmp

Filesize
15.4MB

Download
memory/4856-3-0x0000000000400000-0x0000000001367000-memory.dmp

Filesize
15.4MB

Download
memory/4856-30-0x0000000000400000-0x0000000001367000-memory.dmp

Filesize
15.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads