Overview

overview

9

Static

static

7

VastGen.exe

windows7-x64

7

VastGen.exe

windows10-2004-x64

7

crack.dll

windows7-x64

9

crack.dll

windows10-2004-x64

9

data/usernames.vbs

windows7-x64

1

data/usernames.vbs

windows10-2004-x64

1

loader.exe

windows7-x64

9

loader.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    117s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    31/05/2024, 12:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    loader.exe

  • Size

    8.5MB

  • MD5

    851dc1231b62cca3b63f7f2287dff84f

  • SHA1

    16915a97ff71586cb033319a3f81c18d8792e1b7

  • SHA256

    2019edf4b004995ed0cc16da5a8746a6154b16df7663cbe6d3fc7782ba5dbc17

  • SHA512

    507c6038f9b65ccb74fe6947ac9caeeef35dcc1b0d01fd68e10a7d2cc5cf6997bdd04cb10b1cc25fd2966b266c7ff471f91618da6021ef4cd0ba24803c7482f9

  • SSDEEP

    196608:lWU/XIK3djYTPtJyCAaws5WJqHqJLkSXNzeHrldm:lWU/4kU7tJy7DhJQyNSLl4

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Themida packer 8 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Users\Admin\AppData\Local\Temp\onefile_1624_133616326042186000\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2444

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\onefile_1624_133616326042186000\python311.dll
    Filesize

    5.5MB

    MD5

    9a24c8c35e4ac4b1597124c1dcbebe0f

    SHA1

    f59782a4923a30118b97e01a7f8db69b92d8382a

    SHA256

    a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

    SHA512

    9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\onefile_1624_133616326042186000\loader.exe
    Filesize

    8.5MB

    MD5

    49c7d8a33d1b2ff955d0730e84e8cd6c

    SHA1

    f1429fbe357102901cab5ba7d20673fb0fb7db6b

    SHA256

    ee42078cbd223280c0427036e5ae79ddfbe7dc2c7f4b5f7ea778bf12a5867fb1

    SHA512

    7b7fd45336ae246e488fd4b989e8bc4f40d8ee621cf75bcc722f7d6cde0556dddc8cc3b0375593d4e50d4566cbeb3f011c0865fef38d203cb0e1e9f20ee7be4f

    Download Submit

  • memory/1624-0-0x000000013F110000-0x000000013FF63000-memory.dmp

    Filesize

    14.3MB

    Download

  • memory/1624-2-0x000000013F110000-0x000000013FF63000-memory.dmp

    Filesize

    14.3MB

    Download

  • memory/1624-4-0x000000013F110000-0x000000013FF63000-memory.dmp

    Filesize

    14.3MB

    Download

  • memory/1624-5-0x000000013F110000-0x000000013FF63000-memory.dmp

    Filesize

    14.3MB

    Download

  • memory/1624-6-0x000000013F110000-0x000000013FF63000-memory.dmp

    Filesize

    14.3MB

    Download

  • memory/1624-3-0x000000013F110000-0x000000013FF63000-memory.dmp

    Filesize

    14.3MB

    Download

  • memory/1624-1-0x000000013F110000-0x000000013FF63000-memory.dmp

    Filesize

    14.3MB

    Download

  • memory/1624-112-0x000000013F110000-0x000000013FF63000-memory.dmp

    Filesize

    14.3MB

    Download