Analysis

  • max time kernel
    150s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-06-2024 14:08

General

  • Target

    81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe

  • Size

    2.7MB

  • MD5

    ca9f5b0e85b54f7f3105277f0185de58

  • SHA1

    b8cc00043eb4bf6fad0636436980adf04918a930

  • SHA256

    81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4

  • SHA512

    60bbd25177b8415fd82e28f65bba5145bc50a4726c578f1045676417a88a6cf9a466cf8667ad67780ceb31de438d42b0c6ffd24a4080daff4798f793ab27f734

  • SSDEEP

    49152:VtzBOauT0i7ZSQcCG1+bLthSo9/ktjPf4EXzwgb+LquT05j:VtzaT00zcC8ahhSo9sRf44z1/5j

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Detects executables packed with Themida 16 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Themida packer 16 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe
    "C:\Users\Admin\AppData\Local\Temp\81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2984
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4984
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3904
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:668
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:1528

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize

    2.7MB

    MD5

    6115989a77a0d4be919e321136e9b331

    SHA1

    249c3087913090044301c5027492121ce7b28fb1

    SHA256

    5a82a88f4022a16a13e3eaa9f56a40d1ce3ccfbf05829e3a8a27da0179673d2b

    SHA512

    7c54d87f572e98f63dc838e31490510c7f7a4836fac98674ea16f030ecb42eccda5c13cca94affbebf300266a9a23cae7c0c3f3466dc6ffd0faaec376055cd04

  • C:\Windows\Resources\spoolsv.exe
    Filesize

    2.7MB

    MD5

    0f2a408b3088903b253e1912c58618e6

    SHA1

    700dc5ed11c8dbd0aa6c423f420955e1b590b294

    SHA256

    36ffbaa4e4752606a0f7d8630f4808324830d05cedb869fc69dd75aa16b16761

    SHA512

    9e2d4755bc7e5d1252926f7f69ad3a142765c7dd18a3dc9e381a9e176019c74e9ff8d60362453c38690e63a83874d7cdb2e2a988dc835f0458dd9470f3dd6bc4

  • C:\Windows\Resources\svchost.exe
    Filesize

    2.7MB

    MD5

    d01daea8a7b65c71f49e63eab47a3a40

    SHA1

    f3f2ee88bca5b800fdb5b2702e2784fd69405de8

    SHA256

    ce0b5f44b2dc30b36b3f8d9c6b4e539870e69e015dd0b3e291da54afaf659e46

    SHA512

    79e17b79d8201735ed9386f377e88cb85414c68a0344d014865ce77005754a79db95b552696fc1ddcad9df174202c6c96f51efd1b10e568652456d241a50748c

  • memory/668-44-0x0000000000400000-0x0000000000A60000-memory.dmp
    Filesize

    6.4MB

  • memory/668-66-0x0000000000400000-0x0000000000A60000-memory.dmp
    Filesize

    6.4MB

  • memory/668-28-0x0000000000400000-0x0000000000A60000-memory.dmp
    Filesize

    6.4MB

  • memory/1528-33-0x0000000000400000-0x0000000000A60000-memory.dmp
    Filesize

    6.4MB

  • memory/1528-40-0x0000000000400000-0x0000000000A60000-memory.dmp
    Filesize

    6.4MB

  • memory/2984-42-0x0000000000400000-0x0000000000A60000-memory.dmp
    Filesize

    6.4MB

  • memory/2984-1-0x0000000077BC4000-0x0000000077BC6000-memory.dmp
    Filesize

    8KB

  • memory/2984-0-0x0000000000400000-0x0000000000A60000-memory.dmp
    Filesize

    6.4MB

  • memory/3904-39-0x0000000000400000-0x0000000000A60000-memory.dmp
    Filesize

    6.4MB

  • memory/3904-19-0x0000000000400000-0x0000000000A60000-memory.dmp
    Filesize

    6.4MB

  • memory/4984-10-0x0000000000400000-0x0000000000A60000-memory.dmp
    Filesize

    6.4MB

  • memory/4984-43-0x0000000000400000-0x0000000000A60000-memory.dmp
    Filesize

    6.4MB

  • memory/4984-49-0x0000000000400000-0x0000000000A60000-memory.dmp
    Filesize

    6.4MB

  • memory/4984-55-0x0000000000400000-0x0000000000A60000-memory.dmp
    Filesize

    6.4MB