Malware Analysis Report

2024-10-10 08:04

Sample ID 240611-jgnkxsygrg
Target HV_x64_build.exe
SHA256 3800235b9c767007ae8bcea37cecc720d787a97b46d6adea7e73ac305c6cb192
Tags
themida evasion persistence trojan
score
9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
9/10

SHA256

3800235b9c767007ae8bcea37cecc720d787a97b46d6adea7e73ac305c6cb192

Threat Level: Likely malicious

The file HV_x64_build.exe was found to be: Likely malicious.

Malicious Activity Summary

themida evasion persistence trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Sets service image path in registry

Themida packer

Executes dropped EXE

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-11 07:38

Signatures

Themida packer

Tags: themida

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
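Both static signatures above can be reproduced from the PE headers alone. The following Python is an added example, not the sandbox's own signature code: it walks the DOS, COFF and optional headers, collects section names, flags names commonly associated with Themida/WinLicense (an assumed, non-exhaustive list, since the protector can rename sections) and reports whether the security data directory (the Authenticode certificate table) is non-empty. The images it runs on are constructed by `build_sample_pe`, a header-only PE32+ stub written for this example; a non-empty certificate table only means a signature blob is attached, not that it verifies against a trusted chain.

```python
import struct

# Section names commonly reported for Themida/WinLicense-protected binaries.
# Assumed list for illustration only: the protector can rename sections, so a
# miss does not clear a sample, and the sandbox's own "themida" signature is
# not limited to section names.
THEMIDA_SECTION_NAMES = {b".themida", b".winlice", b"Themida", b"WinLicen"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory slot of the certificate table


def pe_static_triage(data: bytes) -> dict:
    """Parse the PE headers of `data` and return section names, a packer
    hint and whether an Authenticode certificate table is attached."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, _stamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:      # PE32+: data directories start at offset 112
        dir_off = opt + 112
    elif magic == 0x10B:    # PE32: data directories start at offset 96
        dir_off = opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, dir_off - 4)[0]  # NumberOfRvaAndSizes
    cert_off = cert_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # For the security directory the first field is a raw file offset,
        # not an RVA, because the certificate blob is never mapped.
        cert_off, cert_size = struct.unpack_from(
            "<II", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sec_hdr = opt + opt_size
    names = [struct.unpack_from("<8s", data, sec_hdr + 40 * i)[0].rstrip(b"\0")
             for i in range(nsections)]
    return {
        "pe32plus": magic == 0x20B,
        "sections": names,
        "packer_hint": "themida" if any(n in THEMIDA_SECTION_NAMES for n in names) else None,
        # Non-zero size only proves a signature blob is attached, not that it
        # verifies; the "Unsigned PE" signature corresponds to size == 0.
        "has_authenticode_blob": cert_size > 0,
        "cert_offset": cert_off,
    }


def build_sample_pe(section_names, signed):
    """Build a minimal header-only PE32+ image (constructed test input, not a
    real binary) with the given section names and, if `signed`, a dummy
    certificate-table entry."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106                   # fields before NumberOfRvaAndSizes
    opt += struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    if signed:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (0x1000, 0x200)     # dummy offset/size
    opt += b"".join(struct.pack("<II", off, size) for off, size in dirs)
    secs = b"".join(struct.pack("<8s", n) + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + secs


if __name__ == "__main__":
    for label, image in (("packed/unsigned", build_sample_pe([b".text", b".themida", b".rsrc"], False)),
                         ("clean/signed", build_sample_pe([b".text", b".rdata"], True))):
        print(label, pe_static_triage(image))
```

On a real sample, pass `open(path, "rb").read()` to `pe_static_triage`; a Themida-protected file will typically also show a single very large section with high entropy, which this header-only check does not measure.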

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 07:38
Reported: 2024-06-11 08:21
Platform: win11-20240419-en
Max time kernel: 2091s
Max time network: 1994s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HV_x64_build.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\HV_x64_build.exe | N/A

Sets service image path in registry

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nczCBjjdqtWnXeCidNiEBQabNL\ImagePath = "\??\C:\Users\Admin\AppData\Local\Temp\nczCBjjdqtWnXeCidNiEBQabNL" | C:\Windows\SoftwareDistribution\Download\QA6Ol.exe | N/A

The service name and the file it points to are the same random string, the path is in the user's Temp directory, and the \??\ prefix is an NT object-manager path of the kind normally written for driver services. Together with QA6Ol.exe enabling SeLoadDriverPrivilege and triggering the LoadsDriver signature below, this is consistent with a kernel driver being registered and loaded from a user-writable location. The file at that path is not among the dropped files in the Files section, so its contents were not captured in this run.

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\HV_x64_build.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\HV_x64_build.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SoftwareDistribution\Download\QA6Ol.exe | N/A

Themida packer

Tags: themida

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

(13 hits recorded, none with per-hit detail.)

Checks whether UAC is enabled

Tags: evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\HV_x64_build.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HV_x64_build.exe | N/A

NtSetInformationThread with the ThreadHideFromDebugger information class stops the calling thread from delivering debug events to an attached debugger; it is a common anti-debug measure and consistent with the Themida packing reported above.

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\SoftwareDistribution\Download\QA6Ol.exe | C:\Users\Admin\AppData\Local\Temp\HV_x64_build.exe | N/A

C:\Windows\SoftwareDistribution\Download is the Windows Update download cache, so a freshly written executable there is worth hunting for on its own.

Enumerates physical storage devices

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SoftwareDistribution\Download\QA6Ol.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SoftwareDistribution\Download\QA6Ol.exe | N/A
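Every behavioral signature above is derivable from registry, file and process events, which is how the same activity would be re-detected from EDR or Sysmon telemetry rather than from the sandbox. The following Python is an added example, not the sandbox's signature engine: it replays constructed events mirroring the indicators recorded in this report (plus one benign service registration as a control) through rules for the VirtualBox ACPI probe, the BIOS version queries, the EnableLUA check, a service ImagePath pointing into a user-writable directory, an executable dropped under C:\Windows, and the later launch of that dropped file. The `Event` type, the rule names and the event shape are assumptions made for the example; map your own telemetry fields onto them.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One telemetry record (assumed shape for this example)."""
    kind: str       # reg_open | reg_query | reg_set | file_create | proc_create
    process: str    # image path of the process performing the action
    target: str     # registry key/value path, created file, or launched image
    data: str = ""  # value written (reg_set only)


# Registry probes recorded in the report, matched case-insensitively on the
# end of the key path so that HKLM\... and \REGISTRY\MACHINE\... both match.
REGISTRY_PROBES = {
    "anti-vm: VirtualBox ACPI table probe": r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$",
    "anti-vm: BIOS version query": r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$",
    "uac-check: EnableLUA query": r"\\Policies\\System\\EnableLUA$",
}
SERVICE_IMAGEPATH = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.I)
# Paths a standard user can write to; an optional \??\ NT-path prefix is
# accepted because driver services are commonly registered that way.
USER_WRITABLE = re.compile(r"^(\\\?\?\\)?[a-z]:\\(users|programdata)\\", re.I)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)

RULE_PERSISTENCE = "persistence: service ImagePath in user-writable path"
RULE_DROP = "drop: executable written under Windows directory"
RULE_EXEC = "execution: dropped EXE launched"


def triage(events):
    """Return (rule, process, detail) findings for the event stream."""
    findings = []
    dropped = {}   # lower-cased path -> process that created it
    for ev in events:
        if ev.kind in ("reg_open", "reg_query"):
            for rule, pattern in REGISTRY_PROBES.items():
                if re.search(pattern, ev.target, re.I):
                    findings.append((rule, ev.process, ev.target))
        elif ev.kind == "reg_set":
            m = SERVICE_IMAGEPATH.search(ev.target)
            if m and USER_WRITABLE.match(ev.data):
                findings.append((RULE_PERSISTENCE, ev.process,
                                 "%s -> %s" % (m.group(1), ev.data)))
        elif ev.kind == "file_create":
            dropped[ev.target.lower()] = ev.process
            if WINDOWS_DIR.match(ev.target) and ev.target.lower().endswith(".exe"):
                findings.append((RULE_DROP, ev.process, ev.target))
        elif ev.kind == "proc_create":
            creator = dropped.get(ev.target.lower())
            if creator is not None:
                # attribute the launch to the process that wrote the file
                findings.append((RULE_EXEC, creator, ev.target))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return Counter(rule for rule, _, _ in findings)


# Constructed events mirroring the indicators in this report, plus a benign
# svchost-hosted service registration as a control that must not fire.
HV = r"C:\Users\Admin\AppData\Local\Temp\HV_x64_build.exe"
QA = r"C:\Windows\SoftwareDistribution\Download\QA6Ol.exe"
SAMPLE_EVENTS = [
    Event("reg_open", HV, r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    Event("reg_query", HV, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    Event("reg_query", HV, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    Event("reg_query", HV, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    Event("file_create", HV, QA),
    Event("proc_create", HV, QA),
    Event("reg_set", QA, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nczCBjjdqtWnXeCidNiEBQabNL\ImagePath",
          r"\??\C:\Users\Admin\AppData\Local\Temp\nczCBjjdqtWnXeCidNiEBQabNL"),
    Event("reg_set", r"C:\Windows\System32\services.exe",
          r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dhcp\ImagePath",
          r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted"),
]

if __name__ == "__main__":
    for rule, process, detail in triage(SAMPLE_EVENTS):
        print("%-55s %s\n    %s" % (rule, process, detail))
```

The registry probes are low-severity on their own (legitimate software reads BIOS strings too); what raises this sample's score is the combination with a service ImagePath under the user's Temp directory and the drop-then-execute chain, which is why `triage` keeps the creating process for each written file and attributes the later launch back to it.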

Processes

C:\Users\Admin\AppData\Local\Temp\HV_x64_build.exe
    "C:\Users\Admin\AppData\Local\Temp\HV_x64_build.exe"

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cd C:\ProgramData

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\ProgramData\WindowsHook.exe

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\ProgramData\updater.exe

C:\Windows\SoftwareDistribution\Download\QA6Ol.exe
    "C:\Windows\SoftwareDistribution\Download\QA6Ol.exe"

Neither C:\ProgramData\WindowsHook.exe nor C:\ProgramData\updater.exe appears in the Files section, so there is no evidence in this run that either start command launched anything; the names are still useful hunting terms under C:\ProgramData.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | havok.cc | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | havok.cc | udp

Only DNS resolution of havok.cc (and a reverse lookup of 8.8.8.8) was recorded; no TCP or other traffic to a resolved address appears in this run, so a command-and-control exchange is not confirmed here.

Files

Memory dumps of PID 3648:

memory/3648-0-0x00007FF75BDD0000-0x00007FF75C6D1000-memory.dmp
memory/3648-1-0x00007FFEF6967000-0x00007FFEF6969000-memory.dmp
memory/3648-2-0x00007FF75BDD0000-0x00007FF75C6D1000-memory.dmp
memory/3648-3-0x00007FF75BDD0000-0x00007FF75C6D1000-memory.dmp
memory/3648-4-0x00007FF75BDD0000-0x00007FF75C6D1000-memory.dmp
memory/3648-5-0x00007FF75BDD0000-0x00007FF75C6D1000-memory.dmp
memory/3648-6-0x00007FF75BDD0000-0x00007FF75C6D1000-memory.dmp
memory/3648-7-0x00007FF75BDD0000-0x00007FF75C6D1000-memory.dmp
memory/3648-8-0x00007FF75BDD0000-0x00007FF75C6D1000-memory.dmp
memory/3648-12-0x00007FF75BDD0000-0x00007FF75C6D1000-memory.dmp
memory/3648-23-0x00007FF75BDD0000-0x00007FF75C6D1000-memory.dmp
memory/3648-28-0x00007FF75BDD0000-0x00007FF75C6D1000-memory.dmp
memory/3648-29-0x00007FF75BDD0000-0x00007FF75C6D1000-memory.dmp
memory/3648-53-0x00007FF75BDD0000-0x00007FF75C6D1000-memory.dmp

Dropped file:

C:\Windows\SoftwareDistribution\Download\QA6Ol.exe

MD5 3f9af39f8b7e0d314824cb101054d0dd
SHA1 daf1a9f4dd262dc188d78c15d57a5baaf43569b1
SHA256 939e6bcde687d6ed9242f4c223b2d7255c767c0bfdae3a3521718766103629bd
SHA512 5f4e8c0ee6566c89894c07e9ef4edfcfb5b0913829a8796152b505e4d2e34372572064abace31d6b330ad333b80977ee2a3fa189267b84d3adc24ed44ba6d6bd