Malware Analysis Report

2024-10-10 07:58

Sample ID: 240612-llngtszcnd
Target: 46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099
SHA256: 46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099
Tags: evasion themida trojan
Score: 9/10


Analysis Overview

Score: 9/10

SHA256: 46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099

Threat Level: Likely malicious

The file 46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099 was found to be: Likely malicious.

Malicious Activity Summary

evasion themida trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks computer location settings

Checks BIOS information in registry

Executes dropped EXE

Themida packer

Loads dropped DLL

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 09:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 09:37

Reported

2024-06-12 09:40

Platform

win7-20240220-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1784 wrote to memory of 2364 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099\ITS SB App Switch.exe
PID 1784 wrote to memory of 2168 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099\ITS SB App Switch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe

"C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe"

C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099\ITS SB App Switch.exe

"C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099\ITS SB App Switch.exe"

C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099\ITS SB App Switch.exe

"C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099\ITS SB App Switch.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099\ITS SB App Switch.exe

MD5 0c9f9d11c779968ac50d4052fc6df807
SHA1 9d003e4a3d34cddb53c3a5fc8b469fcaa55bd942
SHA256 97b8946f37962c8ef0426e37a6f05f0ed76d295e3a90113287b0be6cc1cb7a52
SHA512 31bd36377f062bd2b49f714cc6abf2eb64b61cd345c09bfc2bb45e612748f45f8f98db6c60974fcd716744c6c6ba293c0d79788e5760d437a3b416b6a77acbb7

\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099\TestSecurity.12.1.0.57.dll

MD5 bc274a77f8ace1b449ee0e518f140440
SHA1 23eb8a8122907ffaf384dc2a67247ebdc1259b37
SHA256 6638b4f24fef8f14f3037c41670d2d77e3c72cd75e0a0cda96abfd5cd81d2d75
SHA512 aed4857c054e58b8614722b47e98d7e75487862f86011a4017e87899a675261ec068704eed78c4ad78d1be87d518bfeca27d800936c8e21a67a458b4790ec6e3

memory/1784-15-0x0000000071CB0000-0x0000000072647000-memory.dmp

memory/1784-17-0x0000000071CB0000-0x0000000072647000-memory.dmp

memory/1784-19-0x0000000071CB0000-0x0000000072647000-memory.dmp

memory/1784-20-0x0000000071CB0000-0x0000000072647000-memory.dmp

memory/1784-18-0x0000000071CB0000-0x0000000072647000-memory.dmp

memory/1784-23-0x0000000071CB0000-0x0000000072647000-memory.dmp

memory/1784-22-0x0000000071CB0000-0x0000000072647000-memory.dmp

memory/1784-21-0x0000000071CB0000-0x0000000072647000-memory.dmp

memory/1784-24-0x0000000071CB0000-0x0000000072647000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 09:37

Reported

2024-06-12 09:40

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

58s

Command Line

"C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 960 wrote to memory of 436 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099\ITS SB App Switch.exe
PID 960 wrote to memory of 1144 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe | C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099\ITS SB App Switch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe

"C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099.exe"

C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099\ITS SB App Switch.exe

"C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099\ITS SB App Switch.exe"

C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099\ITS SB App Switch.exe

"C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099\ITS SB App Switch.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099\ITS SB App Switch.exe

MD5 0c9f9d11c779968ac50d4052fc6df807
SHA1 9d003e4a3d34cddb53c3a5fc8b469fcaa55bd942
SHA256 97b8946f37962c8ef0426e37a6f05f0ed76d295e3a90113287b0be6cc1cb7a52
SHA512 31bd36377f062bd2b49f714cc6abf2eb64b61cd345c09bfc2bb45e612748f45f8f98db6c60974fcd716744c6c6ba293c0d79788e5760d437a3b416b6a77acbb7

C:\Users\Admin\AppData\Local\Temp\46e721c2a45232116a98d0a6dfa4503626c1c454ba26c3d30944672cfba87099\TestSecurity.12.1.0.57.dll

MD5 bc274a77f8ace1b449ee0e518f140440
SHA1 23eb8a8122907ffaf384dc2a67247ebdc1259b37
SHA256 6638b4f24fef8f14f3037c41670d2d77e3c72cd75e0a0cda96abfd5cd81d2d75
SHA512 aed4857c054e58b8614722b47e98d7e75487862f86011a4017e87899a675261ec068704eed78c4ad78d1be87d518bfeca27d800936c8e21a67a458b4790ec6e3

memory/960-18-0x0000000072FE0000-0x0000000073977000-memory.dmp

memory/960-19-0x0000000077564000-0x0000000077566000-memory.dmp

memory/960-21-0x0000000072FE0000-0x0000000073977000-memory.dmp

memory/960-22-0x0000000072FE0000-0x0000000073977000-memory.dmp

memory/960-23-0x0000000072FE0000-0x0000000073977000-memory.dmp

memory/960-24-0x0000000072FE0000-0x0000000073977000-memory.dmp

memory/960-25-0x0000000072FE0000-0x0000000073977000-memory.dmp

memory/960-26-0x0000000072FE0000-0x0000000073977000-memory.dmp

memory/960-27-0x0000000072FE0000-0x0000000073977000-memory.dmp

memory/960-28-0x0000000072FE0000-0x0000000073977000-memory.dmp