Malware Analysis Report

2024-10-16 07:00

Sample ID 240609-f6esjafa54
Target MWIII UPDATED AIO.exe
SHA256 546ba562b2d4d7c4889b713472ad571a39d898b579a99ee778ce489300b6a6c6
Tags
themida evasion ransomware trojan
score
9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis Overview

score
9/10

SHA256

546ba562b2d4d7c4889b713472ad571a39d898b579a99ee778ce489300b6a6c6

Threat Level: Likely malicious

The file MWIII UPDATED AIO.exe was found to be: Likely malicious.

Malicious Activity Summary

themida evasion ransomware trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies boot configuration data using bcdedit

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Reading the tags: the "ransomware" tag is produced solely by the "Modifies boot configuration data using bcdedit" signature. The only bcdedit command in this run is "bcdedit /set hypervisorlaunchtype off", which stops the Hyper-V hypervisor from loading at boot (and with it virtualization-based security such as HVCI and Credential Guard). It does not touch recovery settings such as recoveryenabled or bootstatuspolicy, which is what ransomware pre-encryption routines change, and the Files section records no dropped or encrypted files, only memory dumps. The sample then runs "shutdown /r /f /t 0", so the BCD change takes effect at once and the run ends early, which matches the 16s kernel time. The hits attributed to LogonUI.exe (HKEY_USERS theme writes, SetWindowsHookEx) and shutdown.exe (SeShutdownPrivilege, SeRemoteShutdownPrivilege) are side effects of that forced reboot rather than behaviour of the sample process. What the sample itself does before rebooting is anti-analysis: Themida packing, VirtualBox ACPI and BIOS-string registry checks, an EnableLUA query and NtSetInformationThread(ThreadHideFromDebugger).

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-09 05:29

Signatures

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 05:28

Reported

2024-06-09 05:29

Platform

win11-20240508-en

Max time kernel

16s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe | N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe | N/A

Modifies data under HKEY_USERS

Every entry below is written by C:\Windows\system32\LogonUI.exe to the .DEFAULT hive after the forced reboot. They are accent-colour and DWM theme values the logon screen sets on its own and are not attributable to the sample.

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "191" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4552 wrote to memory of 484 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe | C:\Windows\system32\cmd.exe
PID 484 wrote to memory of 2096 (2 events) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 4552 wrote to memory of 424 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe | C:\Windows\system32\cmd.exe
PID 4552 wrote to memory of 5076 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe | C:\Windows\system32\cmd.exe
PID 4552 wrote to memory of 2428 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe | C:\Windows\system32\cmd.exe
PID 4552 wrote to memory of 1376 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe | C:\Windows\system32\cmd.exe
PID 4552 wrote to memory of 2892 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe | C:\Windows\system32\cmd.exe
PID 4552 wrote to memory of 4812 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe | C:\Windows\system32\cmd.exe
PID 4812 wrote to memory of 4356 (2 events) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\shutdown.exe

Processes

Process tree (PIDs taken from the WriteProcessMemory table above; each process is shown as image path, then command line):

4552  C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe
      "C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe"
  484   C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >nul 2>&1
    2096  C:\Windows\system32\bcdedit.exe
          bcdedit /set hypervisorlaunchtype off
  424, 5076, 2428, 1376, 2892  C:\Windows\system32\cmd.exe (five identical instances)
        C:\Windows\system32\cmd.exe /c cls
  4812  C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c shutdown /r /f /t 0 >nul 2>&1
    4356  C:\Windows\system32\shutdown.exe
          shutdown /r /f /t 0

Started by the system after the forced reboot (no PID recorded in the report):

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a03855 /state1:0x41c64e6d
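The process tree above is the whole story of this detonation: a cmd.exe child runs bcdedit, five more clear the console, and the last one forces an immediate reboot. The following Python is an added triage example, not code from the sandbox report or from the sample. It replays constructed records transcribed from the tables above (the "pid ppid image | command line" and "pid key" line formats are this example's own, not a sandbox export format), attributes every bcdedit invocation and forced reboot to the root process that launched it, and labels the registry reads the sample used for VM and UAC fingerprinting. It goes beyond this page's single case by also recognising the recovery-disabling bcdedit options (recoveryenabled, bootstatuspolicy) that real ransomware sets, so that the output distinguishes a hypervisor-off change from recovery tampering instead of collapsing both into one "ransomware" tag.

```python
"""Triage of the trace above (added example, not part of the sandbox report): classify
bcdedit invocations, attribute them to the root process, flag change-BCD-then-force-reboot
chains, and label the registry reads used for VM/UAC fingerprinting."""
import re
from collections import defaultdict

# Constructed process records transcribed from the report's Processes and WriteProcessMemory
# tables. Format is this example's own: "<pid> <ppid> <image> | <command line>".
PROCESS_LOG = r"""
4552 0 C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe | "C:\Users\Admin\AppData\Local\Temp\MWIII UPDATED AIO.exe"
484 4552 C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >nul 2>&1
2096 484 C:\Windows\system32\bcdedit.exe | bcdedit /set hypervisorlaunchtype off
4812 4552 C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c shutdown /r /f /t 0 >nul 2>&1
4356 4812 C:\Windows\system32\shutdown.exe | shutdown /r /f /t 0
"""
# Constructed registry-read records from the report's signatures: "<pid> <key path>".
REGISTRY_LOG = r"""
4552 \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
4552 \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
4552 \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
4552 \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
"""

SET = r"/set\s+(?:\{\S+\}\s+)?"  # bcdedit /set [{id}] <option> <value>
BCDEDIT_RULES = [  # (argument pattern, category, what the change means)
    (SET + r"hypervisorlaunchtype\s+off", "disable-hypervisor",
     "Hyper-V hypervisor no longer loads at boot, so VBS/HVCI/Credential Guard are off"),
    (SET + r"recoveryenabled\s+no", "disable-recovery",
     "Windows Recovery Environment disabled (ransomware pre-encryption step)"),
    (SET + r"bootstatuspolicy\s+ignoreallfailures", "disable-recovery",
     "boot-failure recovery prompt suppressed (ransomware pre-encryption step)"),
]
FORCED_REBOOT = re.compile(r"\bshutdown(?:\.exe)?\s+(?=.*/r\b)(?=.*/f\b)", re.I)
FINGERPRINT_KEYS = [  # (key pattern, label)
    (r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__", "anti-vm: VirtualBox ACPI table names"),
    (r"\\HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion", "anti-vm: BIOS version strings"),
    (r"\\Policies\\System\\EnableLUA$", "uac-check: EnableLUA"),
]

def classify_bcdedit(cmdline):
    """(category, meaning) for a bcdedit command line; None if the line is not bcdedit."""
    m = re.search(r"\bbcdedit(?:\.exe)?\b(.*)", cmdline, re.I)
    if not m:
        return None
    for pattern, category, meaning in BCDEDIT_RULES:
        if re.search(pattern, m.group(1), re.I):
            return category, meaning
    return "other", "unrecognised bcdedit arguments; review manually"

def parse_process_log(text):
    """Map pid -> {ppid, image, cmd}; ' | ' separates image paths that contain spaces."""
    events = {}
    for m in re.finditer(r"^(\d+) (\d+) (.*?) \| (.*)$", text, re.M):
        pid, ppid, image, cmd = m.groups()
        events[int(pid)] = {"ppid": int(ppid), "image": image, "cmd": cmd}
    return events

def root_of(events, pid):
    """Follow parent links up to the first process whose parent is absent from the log."""
    seen = set()
    while pid not in seen and events[pid]["ppid"] in events:
        seen.add(pid)
        pid = events[pid]["ppid"]
    return pid

def analyse_processes(text):
    """Tag each root process by the bcdedit changes and forced reboots made under it."""
    events = parse_process_log(text)
    per_root = defaultdict(lambda: {"bcdedit": {}, "forced_reboot": False})
    for pid, ev in events.items():
        root = root_of(events, pid)
        hit = classify_bcdedit(ev["cmd"])
        if hit:
            per_root[root]["bcdedit"][hit[0]] = hit[1]
        if FORCED_REBOOT.search(ev["cmd"]):
            per_root[root]["forced_reboot"] = True
    findings = []
    for root, info in per_root.items():
        tags = set()
        if "disable-recovery" in info["bcdedit"]:
            tags.add("ransomware")  # recovery tampering is the ransomware-grade signal
        if "disable-hypervisor" in info["bcdedit"]:
            tags.add("evasion")  # kernel protections weakened; data recovery untouched
        if info["bcdedit"] and info["forced_reboot"]:
            tags.add("bcd-change-then-forced-reboot")  # BCD edits take effect only after a reboot
        if tags:
            findings.append({"root_pid": root, "image": events[root]["image"],
                             "bcdedit": dict(info["bcdedit"]), "tags": sorted(tags)})
    return findings

def fingerprint_reads(text):
    """Map pid -> sorted labels of known VM/UAC fingerprinting keys that process read."""
    hits = defaultdict(set)
    for line in text.splitlines():
        pid, _, key = line.partition(" ")
        for pattern, label in FINGERPRINT_KEYS:
            if re.search(pattern, key, re.I):
                hits[int(pid)].add(label)
    return {pid: sorted(labels) for pid, labels in hits.items()}
```

On this trace analyse_processes reports one root (PID 4552) tagged evasion and bcd-change-then-forced-reboot, with no ransomware tag, and fingerprint_reads attributes the VirtualBox ACPI, BIOS-string and EnableLUA lookups to the same PID. On a host where this sample has run, "bcdedit /enum {current}" shows hypervisorlaunchtype Off; "bcdedit /set hypervisorlaunchtype auto" restores the default, and a reboot is needed before the hypervisor and virtualization-based security come back.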

Network

Country | Destination | Domain | Proto
IE | 52.111.236.21:443 | (none resolved) | tcp

Files

The report lists no dropped or modified files for this run; the only artefacts are memory dumps of PID 4552 (the sample). All but one cover the same 0x00007FF7BD2E0000-0x00007FF7BE10B000 region, consistent with the sample's mapped image; 4552-1 is a separate 0x2000-byte region at 0x00007FF96A7E7000-0x00007FF96A7E9000.

memory/4552-0-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp
memory/4552-1-0x00007FF96A7E7000-0x00007FF96A7E9000-memory.dmp
memory/4552-2-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp
memory/4552-3-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp
memory/4552-4-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp
memory/4552-5-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp
memory/4552-6-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp
memory/4552-7-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp
memory/4552-8-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp
memory/4552-10-0x00007FF7BD2E0000-0x00007FF7BE10B000-memory.dmp