Analysis Overview
SHA256
25a4c8dc7c5db71d1a449ccf57e9d22467bd562446cb65a1b715670e87dfe6a7
Threat Level: Likely malicious
The file loader_bluepill.exe was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Themida packer
Checks BIOS information in registry
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-09 12:04
Signatures
Themida packer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 12:04
Reported
2024-06-09 12:08
Platform
win10-20240404-en
Max time kernel
1s
Max time network
94s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\loader_bluepill.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\loader_bluepill.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\loader_bluepill.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\loader_bluepill.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loader_bluepill.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\loader_bluepill.exe
"C:\Users\Admin\AppData\Local\Temp\loader_bluepill.exe"
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Users\Admin\AppData\Local\Temp\Sx91w2O3.exe
"C:\Users\Admin\AppData\Local\Temp\Sx91w2O3.exe" --delete=C:\Users\Admin\AppData\Local\Temp\loader_bluepill.exe
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | discord.gg | udp |
| US | 162.159.133.234:443 | discord.gg | tcp |
| US | 162.159.133.234:443 | discord.gg | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | minke.club | udp |
| US | 104.21.76.113:80 | minke.club | tcp |
| US | 8.8.8.8:53 | 234.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.76.21.104.in-addr.arpa | udp |
| US | 104.21.76.113:80 | minke.club | tcp |
| US | 104.21.76.113:80 | minke.club | tcp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/4404-0-0x00007FF60D800000-0x00007FF60EC1E000-memory.dmp
memory/4404-1-0x00007FFC36C28000-0x00007FFC36C2A000-memory.dmp
memory/4404-2-0x00007FF60D800000-0x00007FF60EC1E000-memory.dmp
memory/4404-5-0x00007FF60D800000-0x00007FF60EC1E000-memory.dmp
memory/4404-4-0x00007FF60D800000-0x00007FF60EC1E000-memory.dmp
memory/4404-3-0x00007FF60D800000-0x00007FF60EC1E000-memory.dmp
memory/4404-6-0x00007FF60D800000-0x00007FF60EC1E000-memory.dmp
memory/4404-7-0x00007FF60D800000-0x00007FF60EC1E000-memory.dmp
memory/4404-9-0x00007FF60D800000-0x00007FF60EC1E000-memory.dmp
memory/4404-8-0x00007FF60D800000-0x00007FF60EC1E000-memory.dmp
memory/2184-26-0x0000026AC7B20000-0x0000026AC7B30000-memory.dmp
memory/2184-45-0x0000026AC6B50000-0x0000026AC6B52000-memory.dmp
memory/2184-10-0x0000026AC7A20000-0x0000026AC7A30000-memory.dmp
memory/2308-55-0x000002BA46E00000-0x000002BA46F00000-memory.dmp
memory/4888-69-0x000001A5E1000000-0x000001A5E1100000-memory.dmp
memory/4888-126-0x000001A5F25B0000-0x000001A5F25B2000-memory.dmp
memory/4888-124-0x000001A5F1FF0000-0x000001A5F1FF2000-memory.dmp
memory/4888-122-0x000001A5F1FD0000-0x000001A5F1FD2000-memory.dmp
memory/4888-177-0x000001A5F5A20000-0x000001A5F5B20000-memory.dmp
memory/2184-186-0x0000026ACE980000-0x0000026ACE981000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\USYYQCUR\favicon[1].ico
| MD5 | ec2c34cadd4b5f4594415127380a85e6 |
| SHA1 | e7e129270da0153510ef04a148d08702b980b679 |
| SHA256 | 128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7 |
| SHA512 | c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c |
memory/2184-185-0x0000026ACE970000-0x0000026ACE971000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Sx91w2O3.exe
| MD5 | bb117b286c6a51a609736da848517f31 |
| SHA1 | a2395a808e491f83ffbbde92d3d5def4c9265490 |
| SHA256 | b2140c52260ada22da577685814e345353f7a9246204d999d3d8b286b07be267 |
| SHA512 | 645f5c02d030ff9d2bad077663da875ab736af4b4c80086e024a38859d61fbe36fc7d3f5cd383d87689cb84e482e6f9947edaa45052dae13aad131cf8fbc9db5 |
C:\Users\Admin\AppData\Local\Temp\Sx91w2O3.exe
| MD5 | 8802a6bd60a06811999b0bfe85c47e26 |
| SHA1 | 36703f61c9c7fd78e377beccac7458914908926e |
| SHA256 | f8d4b2256d5d396631b020adc8438eb18744211a9327cb128e2170bc736fb0c1 |
| SHA512 | 33aba065fc26638d940eea2434ad796a358af09264ebd8a66ad7f64b646526055eaa4c79ef4ea06641337ff6d50ca74807970ffb3345d9a3c66aa8389c8a408d |
memory/216-201-0x00007FF75B860000-0x00007FF75CD83000-memory.dmp
memory/216-202-0x00007FF75B860000-0x00007FF75CD83000-memory.dmp
memory/216-204-0x00007FF75B860000-0x00007FF75CD83000-memory.dmp
memory/216-203-0x00007FF75B860000-0x00007FF75CD83000-memory.dmp
memory/216-205-0x00007FF75B860000-0x00007FF75CD83000-memory.dmp
memory/216-206-0x00007FF75B860000-0x00007FF75CD83000-memory.dmp
memory/216-208-0x00007FF75B860000-0x00007FF75CD83000-memory.dmp
memory/216-207-0x00007FF75B860000-0x00007FF75CD83000-memory.dmp
memory/216-209-0x00007FF75B860000-0x00007FF75CD83000-memory.dmp
memory/4404-210-0x00007FF60D800000-0x00007FF60EC1E000-memory.dmp
memory/216-211-0x00007FF75B860000-0x00007FF75CD83000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
| MD5 | 1bfe591a4fe3d91b03cdf26eaacd8f89 |
| SHA1 | 719c37c320f518ac168c86723724891950911cea |
| SHA256 | 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8 |
| SHA512 | 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OHP8MVFQ\edgecompatviewlist[1].xml
| MD5 | d4fc49dc14f63895d997fa4940f24378 |
| SHA1 | 3efb1437a7c5e46034147cbbc8db017c69d02c31 |
| SHA256 | 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1 |
| SHA512 | cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFEA8D67BC41E3CF91.TMP
| MD5 | a9396f9c9c855dc00ed90a2f6d9810ea |
| SHA1 | 0ba4acd26a41669609bf3d373e3847b8e48a586a |
| SHA256 | 33ba1c7f1e9250db6461e88272591727de8673aef2f1bf05177e6375fb8a7811 |
| SHA512 | 0c7557bce00dca7127b420336f86a1cf03d0041c139085add9126088b1e780e791081d79da59fbb0c303fe7e585f7904959adfabac6b83eec4dfbaaeaccfc97b |