2019edf4b004995ed0cc16da5a8746a6154b16df7663cbe6d3fc7782ba5dbc17

Analysis

max time kernel
12s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
08/06/2024, 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

8.5MB
MD5

851dc1231b62cca3b63f7f2287dff84f
SHA1

16915a97ff71586cb033319a3f81c18d8792e1b7
SHA256

2019edf4b004995ed0cc16da5a8746a6154b16df7663cbe6d3fc7782ba5dbc17
SHA512

507c6038f9b65ccb74fe6947ac9caeeef35dcc1b0d01fd68e10a7d2cc5cf6997bdd04cb10b1cc25fd2966b266c7ff471f91618da6021ef4cd0ba24803c7482f9
SSDEEP

196608:lWU/XIK3djYTPtJyCAaws5WJqHqJLkSXNzeHrldm:lWU/4kU7tJy7DhJQyNSLl4

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	loader.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	loader.exe

Executes dropped EXE 1 IoCs

pid	Process
1336	loader.exe

Loads dropped DLL 9 IoCs

pid	Process
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/832-0-0x00007FF769B80000-0x00007FF76A9D3000-memory.dmp	themida
behavioral1/memory/832-1-0x00007FF769B80000-0x00007FF76A9D3000-memory.dmp	themida
behavioral1/memory/832-2-0x00007FF769B80000-0x00007FF76A9D3000-memory.dmp	themida
behavioral1/memory/832-5-0x00007FF769B80000-0x00007FF76A9D3000-memory.dmp	themida
behavioral1/memory/832-4-0x00007FF769B80000-0x00007FF76A9D3000-memory.dmp	themida
behavioral1/memory/832-3-0x00007FF769B80000-0x00007FF76A9D3000-memory.dmp	themida
behavioral1/memory/832-6-0x00007FF769B80000-0x00007FF76A9D3000-memory.dmp	themida
behavioral1/memory/832-77-0x00007FF769B80000-0x00007FF76A9D3000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	loader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe
1336	loader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1336	loader.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1336	832	loader.exe	78
PID 832 wrote to memory of 1336	832	loader.exe	78
PID 1336 wrote to memory of 1700	1336	loader.exe	79
PID 1336 wrote to memory of 1700	1336	loader.exe	79

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:832
- C:\Users\Admin\AppData\Local\Temp\onefile_832_133623437461345669\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start VastGen.exe"
    3⤵
    PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_832_133623437461345669\_ctypes.pyd

Filesize
120KB

MD5
6a9ca97c039d9bbb7abf40b53c851198

SHA1
01bcbd134a76ccd4f3badb5f4056abedcff60734

SHA256
e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535

SHA512
dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_832_133623437461345669\_socket.pyd

Filesize
76KB

MD5
8140bdc5803a4893509f0e39b67158ce

SHA1
653cc1c82ba6240b0186623724aec3287e9bc232

SHA256
39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

SHA512
d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_832_133623437461345669\libffi-8.dll

Filesize
34KB

MD5
32d36d2b0719db2b739af803c5e1c2f5

SHA1
023c4f1159a2a05420f68daf939b9ac2b04ab082

SHA256
128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c

SHA512
a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_832_133623437461345669\loader.exe

Filesize
8.5MB

MD5
49c7d8a33d1b2ff955d0730e84e8cd6c

SHA1
f1429fbe357102901cab5ba7d20673fb0fb7db6b

SHA256
ee42078cbd223280c0427036e5ae79ddfbe7dc2c7f4b5f7ea778bf12a5867fb1

SHA512
7b7fd45336ae246e488fd4b989e8bc4f40d8ee621cf75bcc722f7d6cde0556dddc8cc3b0375593d4e50d4566cbeb3f011c0865fef38d203cb0e1e9f20ee7be4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_832_133623437461345669\psutil\_psutil_windows.pyd

Filesize
76KB

MD5
ebefbc98d468560b222f2d2d30ebb95c

SHA1
ee267e3a6e5bed1a15055451efcccac327d2bc43

SHA256
67c17558b635d6027ddbb781ea4e79fc0618bbec7485bd6d84b0ebcd9ef6a478

SHA512
ab9f949adfe9475b0ba8c37fa14b0705923f79c8a10b81446abc448ad38d5d55516f729b570d641926610c99df834223567c1efde166e6a0f805c9e2a35556e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_832_133623437461345669\python3.dll

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_832_133623437461345669\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_832_133623437461345669\select.pyd

Filesize
28KB

MD5
97ee623f1217a7b4b7de5769b7b665d6

SHA1
95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

SHA256
0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

SHA512
20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_832_133623437461345669\vcruntime140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
memory/832-6-0x00007FF769B80000-0x00007FF76A9D3000-memory.dmp

Filesize
14.3MB

Download
memory/832-0-0x00007FF769B80000-0x00007FF76A9D3000-memory.dmp

Filesize
14.3MB

Download
memory/832-3-0x00007FF769B80000-0x00007FF76A9D3000-memory.dmp

Filesize
14.3MB

Download
memory/832-4-0x00007FF769B80000-0x00007FF76A9D3000-memory.dmp

Filesize
14.3MB

Download
memory/832-5-0x00007FF769B80000-0x00007FF76A9D3000-memory.dmp

Filesize
14.3MB

Download
memory/832-2-0x00007FF769B80000-0x00007FF76A9D3000-memory.dmp

Filesize
14.3MB

Download
memory/832-1-0x00007FF769B80000-0x00007FF76A9D3000-memory.dmp

Filesize
14.3MB

Download
memory/832-77-0x00007FF769B80000-0x00007FF76A9D3000-memory.dmp

Filesize
14.3MB

Download