Overview

overview

10

Static

static

10

5dcc5d510f...17.exe

windows7-x64

9

5dcc5d510f...17.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    8s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05/06/2024, 23:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5dcc5d510f14722cbeb96ed1c1ec4bf2cc36f6a3be6035255c2ff96df5b84917.exe

  • Size

    2.5MB

  • MD5

    0a3fbf74411cab9224a65126af7722ca

  • SHA1

    d4bd0d94475f7dd1fba9ca3f5939450a4ce896b0

  • SHA256

    5dcc5d510f14722cbeb96ed1c1ec4bf2cc36f6a3be6035255c2ff96df5b84917

  • SHA512

    21a78a2e3170d229506c4409c8b2f767aee018723a845b4e0fbbc2e50c913fc37b194ae4361d1708e60f87c808aa2abd0fe07e6d18954868a87d7d1e9a7c1a23

  • SSDEEP

    49152:MxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxC:Mxx9NUFkQx753uWuCyyxC

Score
9/10
evasionpersistencethemidatrojan

Malware Config

Signatures

  • Detects executables packed with Themida 23 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Themida packer 23 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
    evasiontrojan
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5dcc5d510f14722cbeb96ed1c1ec4bf2cc36f6a3be6035255c2ff96df5b84917.exe
    "C:\Users\Admin\AppData\Local\Temp\5dcc5d510f14722cbeb96ed1c1ec4bf2cc36f6a3be6035255c2ff96df5b84917.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3020
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2916
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2672
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2740
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:2560
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:33 /f
            5⤵
            • Creates scheduled task(s)
            PID:3040
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:34 /f
            5⤵
            • Creates scheduled task(s)
            PID:2064
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2456

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Resources\Themes\explorer.exe
      Filesize

      917KB

      MD5

      fabf32870db3ff613fc04aa12ebf4845

      SHA1

      b3441e3575551bba7e9707bfb70cb77fe47ee105

      SHA256

      4a1142b9c66b0925676ccf394fadcdfb964dc86fe18a295be594149b4948ef9a

      SHA512

      9675d28dd4e749d9ecfd4e696052bff1804424039792261790143ba4fd03c2e40f9d164870edf6f44caa580aa1157637a2fae8ad09f4e09c5a245cedbb339bdf

      Download Submit

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      405KB

      MD5

      e5a0509bc7513d0d4455264bb7fa0b17

      SHA1

      948abbd1e52a74e2f1ba727a415391280919c046

      SHA256

      a675516ed6fe8a706da5a148ca8b1f03adb42df0004269b9507df160d8b992b5

      SHA512

      37781962c7fa6d96ac5568d17c360b1cb3fdbf0d16b7daca3cd289b1be97594e9fdd8d753676b94d016ed2ec193d1a769f5cd593b6a01ae49ac6fd982e045221

      Download Submit

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      448KB

      MD5

      3cb7e1af2519ea1779980c19f2ccd20b

      SHA1

      1eae61479e881b159b5826efc115f63654e5e323

      SHA256

      e0398af14e2f4547b1cda1867372014958d99226fe47fbb87322348113109af2

      SHA512

      764bef5440b461a24601b0f44c339ebdbd14e6dad036e4eb3ef70f04d8208e55a810062e1525c92c90ffb5424733dce5ada5c52596d3b8034d9062ad08b0d134

      Download Submit

    • C:\Windows\Resources\svchost.exe
      Filesize

      923KB

      MD5

      e05ad69e124b04897609b2965befd640

      SHA1

      b09079e7c74503741f26ee17da400b0f56c75ab5

      SHA256

      e99c46f5d8558c68fb38450782e76793ed832a2166b5c4ef82aa6d9c3e45ac79

      SHA512

      93ecb28a21e80d4efde22a8d1ea5558b42d77691095de1936bb82bbeb71cd0a89caf029526d747de0579d470f0f157f784c40d257e30b3583fb380f6be284e1c

      Download Submit

    • \??\c:\windows\resources\spoolsv.exe
      Filesize

      411KB

      MD5

      21a9a99193a4b8088cb354b8745e4c9d

      SHA1

      9a4b19b21f57f10dc7bf5ddaa5f608db20c10bb7

      SHA256

      206d5abcad5246547e7f56174f5af984bf4f0c6c1468d8eaa3e8ad2c8d7ec5cb

      SHA512

      2f217107781862c9635acfa3445f23d8ef2fcc3834b454dc93254c7ed6c76890ecbf0e6b17bdfe4723af898b88a5766e9eb7b08fb0949a1724afed572b53f95a

      Download Submit

    • \??\c:\windows\resources\svchost.exe
      Filesize

      648KB

      MD5

      9c693703a5a30bffb405da19dbb14457

      SHA1

      73e4efeeecb1757d70edd0d66571e9b2d08295f6

      SHA256

      aa7f38a3c5d312f31a6b8ec1901b1e60ed1d6d1a65d0ad0a75c44aad26171b46

      SHA512

      115774c9007a905599ba0186370cde9970b38d6ed7ba76e975d85cd631486005d19a5dbbdb4552606b1d1c0a5ee916870de0ddc40a08ce34d4e3756e55fb0aad

      Download Submit

    • \??\c:\windows\resources\themes\explorer.exe
      Filesize

      1.1MB

      MD5

      701b5043ce7be9ecdd3df218bae5ed9b

      SHA1

      50aefdd0cdcee24ece2944e8317c5ae381d8bbb1

      SHA256

      cf3bcc30d86dac5db4e0c3a673ceb17b0fdef0dc891afa9a388cab065393744a

      SHA512

      067618d2d9b9d0816ef1eb77bde3ac53d012f668813446bc6e6c01455009377413499debb4b2804d930b9edf8514cefada234a566ddfeaff3bf9b45083235212

      Download Submit

    • \Windows\Resources\Themes\explorer.exe
      Filesize

      898KB

      MD5

      7f272614648ccbb1069ecb9413c0d305

      SHA1

      6aef77b97491e1614fc0450d8845232a1a0d1c90

      SHA256

      adb226f14cc55a89f0a2fb13ff0886f1f2e3e80adb364bfe44d306a5f9b29354

      SHA512

      6d6fa2489b7203893c217a90bd8b5b7b6c11bc3a02cc4f9c8e156f0513e97635fd6d17dfd400de5be69a1761a302db7789ecabd39ab2c171236e4bc36e6640f1

      Download Submit

    • \Windows\Resources\spoolsv.exe
      Filesize

      615KB

      MD5

      16a125b51c1f21d7e029d2c2d15f8c8a

      SHA1

      d3456e64e2915581120908dba643a3c6d83e3917

      SHA256

      48755cef3c512801172f5538c60d574e0429bbbe70f04d8874c8b357b111ba36

      SHA512

      9f50b7bb97d496d352b7d7b7a406f8e776f46b5d47a6c5159c0e4089a60633d2bae19e579961de3e85196ccc911e989d2791aa817b299afbb9b64a03ec909430

      Download Submit

    • \Windows\Resources\spoolsv.exe
      Filesize

      411KB

      MD5

      fc65fbd8a2cef4cb12f34a9217479764

      SHA1

      bd4162dab84f41f9ac75ace77b2753bc700b48a2

      SHA256

      288cfbd88509a3a59c473a73a1e2f1d275f28357578d0a5cbf39eb8c33e3785b

      SHA512

      2a5f85582d7893e9d2da8127ee75eed25bbbba537a82399c81e8f62c4bfd4e1f95137139dfc75fb98a6b85084bd3df2b00b052fdd15769a85dbb2e3455ea06cb

      Download Submit

    • memory/2560-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2560-45-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2672-50-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2672-35-0x0000000003150000-0x000000000375E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2672-24-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2740-37-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2740-44-0x00000000032A0000-0x00000000038AE000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2740-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2916-23-0x00000000033D0000-0x00000000039DE000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2916-12-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2916-65-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2916-59-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2916-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3020-36-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3020-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3020-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3020-1-0x0000000076FE0000-0x0000000076FE2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3020-11-0x0000000003450000-0x0000000003A5E000-memory.dmp

      Filesize

      6.1MB

      Download