Overview

overview

9

Static

static

7

bb642e4d8f...e8.exe

windows7-x64

9

bb642e4d8f...e8.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 19:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bb642e4d8f8e9b0151d3e830dc453f0c2d321acd46baef7ca9476d2543ad85e8.exe

  • Size

    5.4MB

  • MD5

    c53a2570ddcfdbd96f1eca0efb65afb3

  • SHA1

    84e52665eb4f458ee145fb1ebfa422cd5fedc611

  • SHA256

    bb642e4d8f8e9b0151d3e830dc453f0c2d321acd46baef7ca9476d2543ad85e8

  • SHA512

    f314289acbaa782eb4113928e6a07faca9c1bbb0ee72562f316a0656f89dce9ff39dcf1182fbc914e962968428676337c6077079443999f4d2ee0af8b7bd93e8

  • SSDEEP

    98304:VfOY8AXs2F3LBZJHZKWrfpLp97maUL5uFu3zoo668uSP10mJP6WnytQlkHvbp9Ey:R3D82J9LHZKWjpF97ma3azop68FPTZ65

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb642e4d8f8e9b0151d3e830dc453f0c2d321acd46baef7ca9476d2543ad85e8.exe
    "C:\Users\Admin\AppData\Local\Temp\bb642e4d8f8e9b0151d3e830dc453f0c2d321acd46baef7ca9476d2543ad85e8.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3060

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\Documents\CCStudio\HpSocket4C.dll
    Filesize

    2.8MB

    MD5

    4bc970a97300b1a725d44bba23d8697a

    SHA1

    6f1eb181153692814e038e2f851d0734646f78f8

    SHA256

    c9d8fb5311ae6018dc1ca72774cb7efeba5c115c827a5cfb795b3580499e323d

    SHA512

    03968ca876b7e584de0a1418cca1dd2036fd0b4744f86d69aee5691a42061e284f8d9577293ef3f656be332f7da5ca276f85c6393bd6d8eb7de181baec0285f8

    Download Submit
  • memory/3060-0-0x0000000000400000-0x000000000114B000-memory.dmp
    Filesize

    13.3MB

    Download
  • memory/3060-1-0x0000000077970000-0x0000000077972000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3060-2-0x0000000000400000-0x000000000114B000-memory.dmp
    Filesize

    13.3MB

    Download
  • memory/3060-3-0x0000000000400000-0x000000000114B000-memory.dmp
    Filesize

    13.3MB

    Download
  • memory/3060-4-0x0000000000400000-0x000000000114B000-memory.dmp
    Filesize

    13.3MB

    Download
  • memory/3060-6-0x0000000001150000-0x00000000011A9000-memory.dmp
    Filesize

    356KB

    Download
  • memory/3060-5-0x0000000010000000-0x0000000010059000-memory.dmp
    Filesize

    356KB

    Download
  • memory/3060-11-0x0000000000400000-0x000000000114B000-memory.dmp
    Filesize

    13.3MB

    Download
  • memory/3060-12-0x0000000000400000-0x000000000114B000-memory.dmp
    Filesize

    13.3MB

    Download