Malware Analysis Report

2024-10-10 07:59

Sample ID: 240612-lp3e6ateml
Target: ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf
SHA256: ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf
Tags: evasion themida trojan
Score: 9/10

Analysis Overview

Score: 9/10

SHA256

ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf

Threat Level: Likely malicious

The file ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf was found to be: Likely malicious.

Malicious Activity Summary

evasion themida trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 09:43

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 09:43

Reported

2024-06-12 09:45

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf.exe

"C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 09:43

Reported

2024-06-12 09:45

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf.exe | N/A

Themida packer

Tags: themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1800 wrote to memory of 4132 | N/A | C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf.exe | C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf\ITS SB App Switch.exe
PID 1800 wrote to memory of 4132 | N/A | C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf.exe | C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf\ITS SB App Switch.exe
PID 1800 wrote to memory of 4132 | N/A | C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf.exe | C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf\ITS SB App Switch.exe
PID 1800 wrote to memory of 556 | N/A | C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf.exe | C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf\ITS SB App Switch.exe
PID 1800 wrote to memory of 556 | N/A | C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf.exe | C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf\ITS SB App Switch.exe
PID 1800 wrote to memory of 556 | N/A | C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf.exe | C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf\ITS SB App Switch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf.exe

"C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf.exe"

C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf\ITS SB App Switch.exe

"C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf\ITS SB App Switch.exe"

C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf\ITS SB App Switch.exe

"C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf\ITS SB App Switch.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf\ITS SB App Switch.exe

MD5 437aac097c0c632e21c7b94ac365487a
SHA1 4bd403917d11cee5c660fe1487a3680392f1a873
SHA256 40c6e8c45fb03d0eaa00f3cce650a4dcc88011106675e3e40a9ea0840cae6d68
SHA512 65a6abf69cd94a77d8a532513b9d3799d09c30508a81ac49a5dc740f34346cc46753e03755c88a04933a5b462070d049e377f00e7e3c21f6ebe726e845bd1ed0

C:\Users\Admin\AppData\Local\Temp\ce8d14885bea19d74786c07b865930ff7cd02284bc4eca5741efdbf3126fbddf\TestSecurity.12.3.0.131.dll

MD5 a367cb9cdd35d61eafadc60bc354522f
SHA1 aa682e8b61330705a92c4bca08755ff10eafc7fb
SHA256 e98acd1c64272fecf000bf212ad1b7a976dc24a973bacaca80e1e6bd2709ebcc
SHA512 1966bea0476d53767eecfdce8459dcea7b80e29e61e6d8e9e9b23358861bd11b46f294b53a7cf543c8d055d056555200e06e5ef0c6a385070ba83ac36ee25e8a