Malware Analysis Report

2024-10-10 08:08

Sample ID 240611-bdfrxaxgjb
Target 00fe05de6b1f112a3e17659ec0bb2dd0.bin
SHA256 70b3b5426fea00573d7e5f93cd050357c1fcc3fa3ecfa5e41c5ffe71854ff2ce
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

70b3b5426fea00573d7e5f93cd050357c1fcc3fa3ecfa5e41c5ffe71854ff2ce

Threat Level: Known bad

The file 00fe05de6b1f112a3e17659ec0bb2dd0.bin was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Modifies visibility of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 01:01

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 01:01

Reported

2024-06-11 01:04

Platform

win7-20240220-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe \??\c:\windows\resources\themes\explorer.exe
PID 2064 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe \??\c:\windows\resources\themes\explorer.exe
PID 2064 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe \??\c:\windows\resources\themes\explorer.exe
PID 2064 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe \??\c:\windows\resources\themes\explorer.exe
PID 2884 wrote to memory of 2988 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2884 wrote to memory of 2988 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2884 wrote to memory of 2988 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2884 wrote to memory of 2988 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2988 wrote to memory of 2672 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2988 wrote to memory of 2672 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2988 wrote to memory of 2672 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2988 wrote to memory of 2672 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2672 wrote to memory of 2776 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2672 wrote to memory of 2776 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2672 wrote to memory of 2776 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2672 wrote to memory of 2776 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2884 wrote to memory of 2600 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2884 wrote to memory of 2600 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2884 wrote to memory of 2600 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2884 wrote to memory of 2600 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2672 wrote to memory of 2936 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2936 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2936 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2936 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1000 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1000 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1000 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1000 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2912 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2912 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2912 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2912 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe

"C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:03 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:04 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:05 /f

Network

N/A

Files

memory/2064-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2064-1-0x0000000077890000-0x0000000077892000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 7c63500e4a0fdfd3011a5889abf2c4b9
SHA1 da6382a17ebeaa614c6efe9ba4ed5743043dd288
SHA256 27bd7b4ec460f04a0fd86782158d37c453fc165809f2153d99b7dd5d490de347
SHA512 c8782d44c9bb34b75b2b425c406709bfefbce4510bd5c3d43f4aa065959d0d529a418d8511ac08d9764a6a170542107048c8c8692a602d71142a8cfffb8a5123

memory/2884-11-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 d997df8ec8f5f7d8f56cbc2eeed39be4
SHA1 45db32bb5b9c2acfdc1c8730f8aed38be124d75d
SHA256 2af230b805daf148758153fdf81061658a80d2d7a03fc24784c716c601f64648
SHA512 5c4430f84424d5bd1df5f43449fb50eddb386ff98a363ff9b0c4fbb04e4a3992515289f27523f3215ab56c9207e3cf43886fea8e3927c89bed1466c8e6a07961

memory/2884-21-0x0000000003820000-0x0000000003E2E000-memory.dmp

memory/2988-23-0x0000000000400000-0x0000000000A0E000-memory.dmp

\Windows\Resources\svchost.exe

MD5 c2bc525f451907b1cd4347e4c28dfe39
SHA1 88315dd3924280aa15fc5c8d0725a9e542cfe71f
SHA256 ffce71526b386f54ff70256626846437eaaa14f32bd7554a51ac82f70d2b2562
SHA512 40222eafd4ccd0515519b91abca70376c09d0f6f80a1def00e99da2be65292d9af5eb59af5b9fa33a99f18f4911a157fc6edb4d3fe6382b0388a23bb47b5603c

memory/2988-34-0x0000000003710000-0x0000000003D1E000-memory.dmp

memory/2672-35-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2064-44-0x00000000037B0000-0x0000000003DBE000-memory.dmp

memory/2776-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2064-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2776-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2988-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2064-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2884-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2884-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2672-56-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2884-67-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2672-74-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2672-76-0x0000000000400000-0x0000000000A0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 01:01

Reported

2024-06-11 01:04

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4836 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe \??\c:\windows\resources\themes\explorer.exe
PID 4836 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe \??\c:\windows\resources\themes\explorer.exe
PID 4836 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe \??\c:\windows\resources\themes\explorer.exe
PID 4688 wrote to memory of 5116 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4688 wrote to memory of 5116 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4688 wrote to memory of 5116 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 5116 wrote to memory of 3468 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 5116 wrote to memory of 3468 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 5116 wrote to memory of 3468 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3468 wrote to memory of 4132 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 3468 wrote to memory of 4132 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 3468 wrote to memory of 4132 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe

"C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

memory/4836-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4836-1-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4836-2-0x0000000077A44000-0x0000000077A46000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 eb955aaa6cadf28fa48df342acc48cda
SHA1 c14311d104288475c593ac5583655b33a08a132e
SHA256 083174c1440459cc75e3c654ddb71b931f740fd2842ad26a11896279d6b6ed5a
SHA512 703ce72afa2a22514fb19b690bfb90344e9433aa68b7d0bc5b4701571d9b67e8746076fc03750c76a8593a25e619cd1059b93e0c5ce86112e5eff6dcb52f8f41

memory/4688-11-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 6b05dea24879662bc67c23f4eb4b9a4a
SHA1 5327d2454a44686e1b669858eb586cafbe57978d
SHA256 0e12ec24e72b65fefdef85b4cf0e96f39783c030f08c15005959650a0feb84fa
SHA512 72facb106932eccdb12fd2734b573f21610a80c583fe27b9fedde84e036fff1ce4444b5bef20a24d7e63c2739fba21db36bbaff5a5087f49c69c3851f1338fa2

memory/5116-20-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 af37679e3f3f3b8917d1ddff46db0d5e
SHA1 28f1610cb6bb95a333108507f5ebcd0bf4fed0b6
SHA256 c51f9d2816cd805c4b293bae5993a78dfc0248543fc05a5db23ceb598bd23285
SHA512 45fa30345be513ba42fe4a19093bff57e392cfa76300a27361603615d357c07d73df72ae172ca030ba6e2d8e705a2ffbc6d09bca7c0776c6e0212671417d9026

memory/4836-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3468-29-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4132-35-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/5116-40-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4132-39-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4836-41-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4688-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3468-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3468-46-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4688-55-0x0000000000400000-0x0000000000A0E000-memory.dmp