Malware Analysis Report

2024-10-10 08:08

Sample ID 240610-qwfxysyanr
Target Phoenix v1.3.exe
SHA256 0db248dac7ab90d7f512d1be68237838fb3742e7a58d65c148fb9058bae1576f
Tags
themida evasion trojan
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

0db248dac7ab90d7f512d1be68237838fb3742e7a58d65c148fb9058bae1576f

Threat Level: Likely malicious

The file Phoenix v1.3.exe was found to be: Likely malicious.

Malicious Activity Summary

themida evasion trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks BIOS information in registry

Looks up external IP address via web service

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 13:36

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 13:36

Reported

2024-06-10 13:39

Platform

win7-20240221-en

Max time kernel

142s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe

"C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe"

Network

N/A

Files

memory/1760-0-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1760-1-0x0000000076E40000-0x0000000076E42000-memory.dmp

memory/1760-2-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1760-4-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1760-5-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1760-3-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1760-6-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1760-7-0x0000000140000000-0x0000000140BD7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 13:36

Reported

2024-06-10 13:39

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ifconfig.me N/A N/A
N/A ifconfig.me N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe

"C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4172,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe

"C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe"

C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe

"C:\Users\Admin\AppData\Local\Temp\Phoenix v1.3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 ifconfig.me udp
US 8.8.8.8:53 cxcs.microsoft.net udp
US 8.8.8.8:53 ifconfig.me udp

Files

memory/1784-0-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1784-1-0x00007FFFB0030000-0x00007FFFB0032000-memory.dmp

memory/1784-2-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1784-4-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1784-6-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1784-5-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1784-3-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1784-7-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1784-8-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1784-9-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1784-10-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1784-12-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1424-13-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1424-15-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1424-14-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1424-17-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1424-16-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1424-18-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/3632-19-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/3632-21-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/3632-23-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/3632-22-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/3632-20-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/3632-24-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1424-25-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/1424-26-0x0000000140000000-0x0000000140BD7000-memory.dmp

memory/3632-27-0x0000000140000000-0x0000000140BD7000-memory.dmp