Malware Analysis Report

2024-10-16 07:01

Sample ID 240609-n8wg3aac9x
Target loader_bluepill.exe
SHA256 25a4c8dc7c5db71d1a449ccf57e9d22467bd562446cb65a1b715670e87dfe6a7
Tags themida evasion trojan
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256

25a4c8dc7c5db71d1a449ccf57e9d22467bd562446cb65a1b715670e87dfe6a7

Threat Level: Likely malicious

The file loader_bluepill.exe was found to be: Likely malicious.

Malicious Activity Summary

themida evasion trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks BIOS information in registry

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-09 12:04

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 12:04

Reported

2024-06-09 12:08

Platform

win10-20240404-en

Max time kernel

1s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\loader_bluepill.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\loader_bluepill.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\loader_bluepill.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\loader_bluepill.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\loader_bluepill.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\loader_bluepill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\loader_bluepill.exe

"C:\Users\Admin\AppData\Local\Temp\loader_bluepill.exe"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\Sx91w2O3.exe

"C:\Users\Admin\AppData\Local\Temp\Sx91w2O3.exe" --delete=C:\Users\Admin\AppData\Local\Temp\loader_bluepill.exe

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 discord.gg udp
US 162.159.133.234:443 discord.gg tcp
US 162.159.133.234:443 discord.gg tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 minke.club udp
US 104.21.76.113:80 minke.club tcp
US 8.8.8.8:53 234.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 113.76.21.104.in-addr.arpa udp
US 104.21.76.113:80 minke.club tcp
US 104.21.76.113:80 minke.club tcp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\USYYQCUR\favicon[1].ico

MD5 ec2c34cadd4b5f4594415127380a85e6
SHA1 e7e129270da0153510ef04a148d08702b980b679
SHA256 128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7
SHA512 c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

C:\Users\Admin\AppData\Local\Temp\Sx91w2O3.exe

MD5 bb117b286c6a51a609736da848517f31
SHA1 a2395a808e491f83ffbbde92d3d5def4c9265490
SHA256 b2140c52260ada22da577685814e345353f7a9246204d999d3d8b286b07be267
SHA512 645f5c02d030ff9d2bad077663da875ab736af4b4c80086e024a38859d61fbe36fc7d3f5cd383d87689cb84e482e6f9947edaa45052dae13aad131cf8fbc9db5

C:\Users\Admin\AppData\Local\Temp\Sx91w2O3.exe

MD5 8802a6bd60a06811999b0bfe85c47e26
SHA1 36703f61c9c7fd78e377beccac7458914908926e
SHA256 f8d4b2256d5d396631b020adc8438eb18744211a9327cb128e2170bc736fb0c1
SHA512 33aba065fc26638d940eea2434ad796a358af09264ebd8a66ad7f64b646526055eaa4c79ef4ea06641337ff6d50ca74807970ffb3345d9a3c66aa8389c8a408d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1bfe591a4fe3d91b03cdf26eaacd8f89
SHA1 719c37c320f518ac168c86723724891950911cea
SHA256 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA512 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OHP8MVFQ\edgecompatviewlist[1].xml

MD5 d4fc49dc14f63895d997fa4940f24378
SHA1 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512 cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFEA8D67BC41E3CF91.TMP

MD5 a9396f9c9c855dc00ed90a2f6d9810ea
SHA1 0ba4acd26a41669609bf3d373e3847b8e48a586a
SHA256 33ba1c7f1e9250db6461e88272591727de8673aef2f1bf05177e6375fb8a7811
SHA512 0c7557bce00dca7127b420336f86a1cf03d0041c139085add9126088b1e780e791081d79da59fbb0c303fe7e585f7904959adfabac6b83eec4dfbaaeaccfc97b