70b154061120bf9243c35173b59e6a245536885c849d91dd74c6dc9eab160985

Analysis

max time kernel
138s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 02:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

GmloXpl6ivdM9LxS.exe
Size

3.9MB
MD5

f6ce0674c39383949e15b659c8814ddf
SHA1

96628729ba4d22e2fac8cc709fbf096ba2867515
SHA256

70b154061120bf9243c35173b59e6a245536885c849d91dd74c6dc9eab160985
SHA512

24c1d738f2f2c6e03daafc092ddce9f3629bb643c57730bbd445788c4b727d0107079481201dbad725c45b1020c86bd391e4de9b8ddc1656b586c3b9e0897f24
SSDEEP

98304:aMm8yEWuHI6WhzQMdrRCNyG54UA1T2vuzE:PgeH94zddQkpQuzE

Score

9^/10

evasion execution themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GmloXpl6ivdM9LxS.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GmloXpl6ivdM9LxS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GmloXpl6ivdM9LxS.exe

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/3244-0-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp	themida
behavioral2/memory/3244-3-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp	themida
behavioral2/memory/3244-1-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp	themida
behavioral2/memory/3244-4-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp	themida
behavioral2/memory/3244-6-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp	themida
behavioral2/memory/3244-5-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp	themida
behavioral2/memory/3244-7-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp	themida
behavioral2/memory/3244-8-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp	themida
behavioral2/memory/3244-9-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp	themida
behavioral2/memory/3244-10-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp	themida
behavioral2/memory/3244-11-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp	themida
behavioral2/memory/3244-12-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp	themida
behavioral2/memory/3244-32-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp	themida
behavioral2/memory/3244-33-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp	themida
behavioral2/memory/3244-34-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp	themida
behavioral2/memory/3244-35-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GmloXpl6ivdM9LxS.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3244	GmloXpl6ivdM9LxS.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
208	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe
3244	GmloXpl6ivdM9LxS.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	208	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 3772	3244	GmloXpl6ivdM9LxS.exe	83
PID 3244 wrote to memory of 3772	3244	GmloXpl6ivdM9LxS.exe	83
PID 3772 wrote to memory of 1808	3772	cmd.exe	84
PID 3772 wrote to memory of 1808	3772	cmd.exe	84
PID 3772 wrote to memory of 1096	3772	cmd.exe	85
PID 3772 wrote to memory of 1096	3772	cmd.exe	85
PID 3772 wrote to memory of 452	3772	cmd.exe	86
PID 3772 wrote to memory of 452	3772	cmd.exe	86
PID 3244 wrote to memory of 208	3244	GmloXpl6ivdM9LxS.exe	104
PID 3244 wrote to memory of 208	3244	GmloXpl6ivdM9LxS.exe	104

C:\Users\Admin\AppData\Local\Temp\GmloXpl6ivdM9LxS.exe
"C:\Users\Admin\AppData\Local\Temp\GmloXpl6ivdM9LxS.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\GmloXpl6ivdM9LxS.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\GmloXpl6ivdM9LxS.exe" MD5
    3⤵
    PID:1808
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:1096
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Expand-Archive -Path 'Astral.zip' -DestinationPath ."
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:208

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Astral.zip

Filesize
243KB

MD5
63de7fa22b2472c85886a0d70979a534

SHA1
ebebb96981d08a1627d89a4f5f01a341d1669a9c

SHA256
37a384e4e4b81e1fbf2cce105f2d0e7a44185b6deb11b86e05c3c3810dce55d3

SHA512
96742df06b7ceece15a3a0adf1cf7653097201a402cd49be8b252a4a0cbddd1ea907dda00efc1681b94ecdabbfbf2b8aec8e47a50985496a0dfb07568f8e6881

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ih2rinj.3by.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/208-15-0x00007FFF68BB0000-0x00007FFF68DA5000-memory.dmp

Filesize
2.0MB

Download
memory/208-31-0x00007FFF68BB0000-0x00007FFF68DA5000-memory.dmp

Filesize
2.0MB

Download
memory/208-27-0x0000024CCE0C0000-0x0000024CCE0CA000-memory.dmp

Filesize
40KB

Download
memory/208-26-0x0000024CCE220000-0x0000024CCE232000-memory.dmp

Filesize
72KB

Download
memory/208-22-0x0000024CCE060000-0x0000024CCE082000-memory.dmp

Filesize
136KB

Download
memory/208-14-0x00007FFF68BB0000-0x00007FFF68DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3244-5-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp

Filesize
10.2MB

Download
memory/3244-4-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp

Filesize
10.2MB

Download
memory/3244-10-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp

Filesize
10.2MB

Download
memory/3244-11-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp

Filesize
10.2MB

Download
memory/3244-12-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp

Filesize
10.2MB

Download
memory/3244-8-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp

Filesize
10.2MB

Download
memory/3244-7-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp

Filesize
10.2MB

Download
memory/3244-0-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp

Filesize
10.2MB

Download
memory/3244-6-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp

Filesize
10.2MB

Download
memory/3244-9-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp

Filesize
10.2MB

Download
memory/3244-1-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp

Filesize
10.2MB

Download
memory/3244-3-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp

Filesize
10.2MB

Download
memory/3244-2-0x00007FFF68C50000-0x00007FFF68C52000-memory.dmp

Filesize
8KB

Download
memory/3244-32-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp

Filesize
10.2MB

Download
memory/3244-33-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp

Filesize
10.2MB

Download
memory/3244-34-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp

Filesize
10.2MB

Download
memory/3244-35-0x00007FF7A67C0000-0x00007FF7A71FA000-memory.dmp

Filesize
10.2MB

Download