f77ad888887105bd7bd8fddc646e11445d0378a8d2443cd6f50fc00f3834af41

General

Target

sample.exe
Size

8.2MB
MD5

e7d9ee8f6f2118fc5b90ed77ac1803e9
SHA1

1c3b0135d62b1305e7fc0f392249b76ae3bb6d4a
SHA256

f77ad888887105bd7bd8fddc646e11445d0378a8d2443cd6f50fc00f3834af41
SHA512

5ad37843243bc7360ca88d56fb829b7f5219561d41e9f5befda24002796003dca5e18b41233d4c5ea0c70415e466ed76ac0018a032de5d300d04a31dd1d03550
SSDEEP

196608:fG3NU4pkOiBvZxLRJR99dwBMqFJ+hIESNxEc3m:sNUv5/NL99dwBMqOsY0m

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	sample.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sample.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sample.exe

Loads dropped DLL 1 IoCs

pid	Process
2540	sample.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2540-0-0x000000013FCA0000-0x0000000140F12000-memory.dmp	themida
behavioral1/memory/2540-5-0x000000013FCA0000-0x0000000140F12000-memory.dmp	themida
behavioral1/memory/2540-20-0x000000013FCA0000-0x0000000140F12000-memory.dmp	themida
behavioral1/memory/2540-19-0x000000013FCA0000-0x0000000140F12000-memory.dmp	themida
behavioral1/memory/2540-23-0x000000013FCA0000-0x0000000140F12000-memory.dmp	themida
behavioral1/memory/2540-22-0x000000013FCA0000-0x0000000140F12000-memory.dmp	themida
behavioral1/memory/2540-25-0x000000013FCA0000-0x0000000140F12000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sample.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 37 IoCs

pid	Process
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe
2540	sample.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 808	2540	sample.exe	29
PID 2540 wrote to memory of 808	2540	sample.exe	29
PID 2540 wrote to memory of 808	2540	sample.exe	29

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2540 -s 268
  2⤵
  PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ad2c294.dll

Filesize
10KB

MD5
2d7adffa791933d88f7e7b04558de0c2

SHA1
a5fc7751c7bbfcb038b86838fffede41255304c4

SHA256
9d1247485ba1865c4be7429580a5afb71e4ec8e656ee7a50bc565bf79def2880

SHA512
46d308c5370e5b7ad14d42fe26d1c86fe62535ba77ea7d29cfd046fb96be8b3c296c88cea38d1e67722b4201340d307787f70599e89c44b56583ba626f93b29b

Download Submit
memory/2540-5-0x000000013FCA0000-0x0000000140F12000-memory.dmp

Filesize
18.4MB

Download
memory/2540-21-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2540-4-0x000007FEFD9E0000-0x000007FEFDA4C000-memory.dmp

Filesize
432KB

Download
memory/2540-3-0x000007FEFD9E0000-0x000007FEFDA4C000-memory.dmp

Filesize
432KB

Download
memory/2540-1-0x000007FEFD9F4000-0x000007FEFD9F5000-memory.dmp

Filesize
4KB

Download
memory/2540-0-0x000000013FCA0000-0x0000000140F12000-memory.dmp

Filesize
18.4MB

Download
memory/2540-20-0x000000013FCA0000-0x0000000140F12000-memory.dmp

Filesize
18.4MB

Download
memory/2540-2-0x000007FEFD9E0000-0x000007FEFDA4C000-memory.dmp

Filesize
432KB

Download
memory/2540-19-0x000000013FCA0000-0x0000000140F12000-memory.dmp

Filesize
18.4MB

Download
memory/2540-23-0x000000013FCA0000-0x0000000140F12000-memory.dmp

Filesize
18.4MB

Download
memory/2540-22-0x000000013FCA0000-0x0000000140F12000-memory.dmp

Filesize
18.4MB

Download
memory/2540-25-0x000000013FCA0000-0x0000000140F12000-memory.dmp

Filesize
18.4MB

Download
memory/2540-28-0x000007FEFD9E0000-0x000007FEFDA4C000-memory.dmp

Filesize
432KB

Download
memory/2540-32-0x000007FEFD9F4000-0x000007FEFD9F5000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads