Malware Analysis Report

2024-10-10 08:04

Sample ID 240611-xe1z5axcja
Target 103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b
SHA256 103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b

Threat Level: Known bad

The file 103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Detects executables packed with Themida

Modifies visibility of hidden/system files in Explorer

Detects executables packed with Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Themida packer

Checks BIOS information in registry

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 18:46

Signatures

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 18:46

Reported

2024-06-11 18:49

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe \??\c:\windows\resources\themes\explorer.exe
PID 2008 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe \??\c:\windows\resources\themes\explorer.exe
PID 2008 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe \??\c:\windows\resources\themes\explorer.exe
PID 2008 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe \??\c:\windows\resources\themes\explorer.exe
PID 2308 wrote to memory of 2812 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2308 wrote to memory of 2812 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2308 wrote to memory of 2812 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2308 wrote to memory of 2812 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2812 wrote to memory of 832 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2812 wrote to memory of 832 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2812 wrote to memory of 832 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2812 wrote to memory of 832 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 832 wrote to memory of 2660 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 832 wrote to memory of 2660 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 832 wrote to memory of 2660 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 832 wrote to memory of 2660 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2308 wrote to memory of 2576 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2308 wrote to memory of 2576 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2308 wrote to memory of 2576 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2308 wrote to memory of 2576 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 832 wrote to memory of 2604 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 832 wrote to memory of 2604 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 832 wrote to memory of 2604 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 832 wrote to memory of 2604 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 832 wrote to memory of 896 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 832 wrote to memory of 896 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 832 wrote to memory of 896 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 832 wrote to memory of 896 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 832 wrote to memory of 2664 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 832 wrote to memory of 2664 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 832 wrote to memory of 2664 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 832 wrote to memory of 2664 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe

"C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:48 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:49 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:50 /f

Network

N/A

Files

memory/2008-0-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2008-1-0x0000000077D10000-0x0000000077D12000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 5a46b1c94255095a82e06a97546a228f
SHA1 647c1f823c97879a0a256708ab528774282fdfbc
SHA256 9cf04a02a4fa4a0b162e7a8dce10816d54ab3101af51da82fc35b34b81f394ec
SHA512 7157208f9f375bb1702b1dd80e5d9cc373c77b084d619170639276e08fd9167d3d4d2b01ade2f351493d7b45e4d774b9d3248a0b79a4400abc8b64c68bdd9198

memory/2008-11-0x0000000003370000-0x0000000003986000-memory.dmp

memory/2308-12-0x0000000000400000-0x0000000000A16000-memory.dmp

\Windows\Resources\spoolsv.exe

MD5 6c9de428bdd9ae87bda186209dbb4c89
SHA1 77bf851ba2954bdd151922dc013c7c7debbde7fa
SHA256 5a579cf27408492aa4e3a8fc68362234c5a80b6a7e97da411ecdbb013a98f970
SHA512 81d64c1e2094b7fd02b8eb634883fa190461ef855b2d6f4c1637a018a69e667b5d16db92de66d61a2fc9bf176aaecb4a873037dd903532f1e4dc31f8128ac708

memory/2308-23-0x0000000003350000-0x0000000003966000-memory.dmp

memory/2812-24-0x0000000000400000-0x0000000000A16000-memory.dmp

\Windows\Resources\svchost.exe

MD5 d1e82be943a75717f1c9a14d6ac75a25
SHA1 5cb64a16d6c2b322060393967730e1728e136cbf
SHA256 bc64d7d61b6e8b720aa8bd8a1e045d6dc27a9f639853d427e24dbe514217214e
SHA512 e146a842294712828d5b91c4ecfae6d2b4616af66844eb8e265bd0c2adf7855f04149c52d5313dec6a4a4485d23d02637f6b702dd7d77e106e1780c162c2373d

memory/2812-35-0x00000000035A0000-0x0000000003BB6000-memory.dmp

memory/832-36-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2008-43-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/832-44-0x0000000003380000-0x0000000003996000-memory.dmp

memory/2008-46-0x0000000003370000-0x0000000003986000-memory.dmp

memory/2660-45-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2812-51-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2660-50-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2008-53-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2308-54-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/832-56-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/832-62-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/832-64-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2308-65-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2308-67-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2308-73-0x0000000000400000-0x0000000000A16000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 18:46

Reported

2024-06-11 18:49

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2708 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe \??\c:\windows\resources\themes\explorer.exe
PID 2708 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe \??\c:\windows\resources\themes\explorer.exe
PID 2708 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe \??\c:\windows\resources\themes\explorer.exe
PID 4508 wrote to memory of 1248 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4508 wrote to memory of 1248 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4508 wrote to memory of 1248 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1248 wrote to memory of 876 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1248 wrote to memory of 876 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1248 wrote to memory of 876 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 876 wrote to memory of 2772 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 876 wrote to memory of 2772 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 876 wrote to memory of 2772 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe

"C:\Users\Admin\AppData\Local\Temp\103e581ae52052227ec9cc553142f46d380cbb9cc652222457666428626b828b.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Files

memory/2708-0-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2708-1-0x00000000772D4000-0x00000000772D6000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 679633035cde27767c87e5a2e27252f6
SHA1 6ff0f66997a2fe334f1301ddbb872e2ca2c03bc8
SHA256 740e75e95138fe66f0c18559c41b6cc86c0df5d7761c32ec2159214bce5c894f
SHA512 93e821ec9cedbaecc88e5c2fb810bc9a4f64dd6850e953d9e7ad248307e80d6b85ba708871ab9427058e8848f5a74b9203e6ec7ae2bbfa75de9c1a97ee82a9d0

memory/4508-10-0x0000000000400000-0x0000000000A16000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 fe5b11f2ad18d81fefc9e19bf390500f
SHA1 1a8dcfe8216b008fc48a180795c05f9c33c2c0ae
SHA256 e46af915cd34541396b359a62765f6cfb8735748ef46f60321a00509136b0b97
SHA512 9bcc27d9aaeb8d3b68c52d88dd528c203524a641c2c9f623aa8ebcdeb7317044bfdf2dd4782ba1b29629e3f2c5717269abef895e18b98728ebe0ad60f3f46714

memory/1248-19-0x0000000000400000-0x0000000000A16000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 7cf63afc853129b451b33d512d341204
SHA1 f118a7f85d4d3b3abe16765449c703af0de22ecb
SHA256 d57cacdd8c0d65d95b0e9b5c7b00f8f91b6ec84c71469881daa32ae1f76e40e3
SHA512 9ec2f9c8515035c91c16da3b09d61d7d42a5512fc7ca94e8302daf975fbe95657e03825d5444f179ee9ce621d51a7c41ca46a9640ec9cca7356bd663143a7f5c

memory/876-28-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2772-33-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2772-38-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2708-40-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/1248-42-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/4508-43-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/876-45-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/4508-56-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/876-63-0x0000000000400000-0x0000000000A16000-memory.dmp