Malware Analysis Report

2024-10-10 07:52

Sample ID 240615-czxszswfkb
Target gtr.exe
SHA256 b7f599d78c0a3943f299c67088fcb8821833a0fa62bf3f2ae760c85ebb326006
Tags
themida evasion ransomware trojan
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

b7f599d78c0a3943f299c67088fcb8821833a0fa62bf3f2ae760c85ebb326006

Threat Level: Likely malicious

The file gtr.exe was found to be: Likely malicious.

Observed behaviour: in both detonations (win7-20240221-en and win10v2004-20240508-en) the unsigned, Themida-packed sample ran anti-analysis checks (opened the VirtualBox ACPI key HARDWARE\ACPI\DSDT\VBOX__, queried SystemBiosVersion and VideoBiosVersion, hid its thread from debuggers via NtSetInformationThread) and read EnableLUA, then spawned cmd.exe to run "bcdedit /set hypervisorlaunchtype off" followed by "shutdown /r /f /t 0". No network traffic and no files other than memory dumps were recorded within the 15 s kernel / 17 s network window, and because the forced reboot happened inside that window, anything the sample might do after the restart is not covered by this report.

Reading the signatures: the "ransomware" tag is inherited from the generic bcdedit signature. The only boot-configuration change observed disables the Windows hypervisor at boot (Hyper-V and hypervisor-dependent features such as virtualization-based security stop loading), and the forced reboot makes it take effect immediately; no file encryption, ransom note, or recovery-related bcdedit/vssadmin activity appears in either run. The WriteProcessMemory entries pair one-to-one with the parent/child links in the process tree (gtr.exe into each cmd.exe it launched, cmd.exe into bcdedit.exe and shutdown.exe), which is consistent with ordinary process creation rather than injection into an unrelated process. The HKEY_USERS modifications and SetWindowsHookEx use in behavioral2 come from LogonUI.exe writing accent and DWM colour values under .DEFAULT after the reboot, a side effect of the restart rather than an action of gtr.exe, and shutdown.exe enabling SeShutdownPrivilege and SeRemoteShutdownPrivilege is expected for that utility.

Malicious Activity Summary

themida evasion ransomware trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies boot configuration data using bcdedit

Themida packer

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-15 02:31

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 02:31

Reported

2024-06-15 02:31

Platform

win7-20240221-en

Max time kernel

15s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\gtr.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\gtr.exe N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\gtr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\gtr.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gtr.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 284 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 284 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 284 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2940 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 2568 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe
PID 2568 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe
PID 2568 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\gtr.exe

"C:\Users\Admin\AppData\Local\Temp\gtr.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >nul 2>&1

C:\Windows\system32\bcdedit.exe

bcdedit /set hypervisorlaunchtype off

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown /r /f /t 0 >nul 2>&1

C:\Windows\system32\shutdown.exe

shutdown /r /f /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

memory/2940-1-0x0000000077470000-0x0000000077472000-memory.dmp

memory/2940-0-0x000000013FFA0000-0x0000000140D6A000-memory.dmp

memory/2940-2-0x000000013FFA0000-0x0000000140D6A000-memory.dmp

memory/2940-4-0x000000013FFA0000-0x0000000140D6A000-memory.dmp

memory/2940-3-0x000000013FFA0000-0x0000000140D6A000-memory.dmp

memory/2940-6-0x000000013FFA0000-0x0000000140D6A000-memory.dmp

memory/2940-5-0x000000013FFA0000-0x0000000140D6A000-memory.dmp

memory/2940-7-0x000000013FFA0000-0x0000000140D6A000-memory.dmp

memory/2940-9-0x000000013FFA0000-0x0000000140D6A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 02:31

Reported

2024-06-15 02:32

Platform

win10v2004-20240508-en

Max time kernel

15s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\gtr.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\gtr.exe N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\gtr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\gtr.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gtr.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1696 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 1696 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 4452 wrote to memory of 940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4452 wrote to memory of 940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1696 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 1696 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 1696 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 1696 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 1696 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 1696 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 1696 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 1696 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 1696 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 1696 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 1696 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 1696 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\gtr.exe C:\Windows\system32\cmd.exe
PID 3912 wrote to memory of 4640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe
PID 3912 wrote to memory of 4640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\gtr.exe

"C:\Users\Admin\AppData\Local\Temp\gtr.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >nul 2>&1

C:\Windows\system32\bcdedit.exe

bcdedit /set hypervisorlaunchtype off

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown /r /f /t 0 >nul 2>&1

C:\Windows\system32\shutdown.exe

shutdown /r /f /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39cf855 /state1:0x41c64e6d

Network

Files

memory/1696-0-0x00007FF60BA20000-0x00007FF60C7EA000-memory.dmp

memory/1696-1-0x00007FFE41AD0000-0x00007FFE41AD2000-memory.dmp

memory/1696-4-0x00007FF60BA20000-0x00007FF60C7EA000-memory.dmp

memory/1696-2-0x00007FF60BA20000-0x00007FF60C7EA000-memory.dmp

memory/1696-3-0x00007FF60BA20000-0x00007FF60C7EA000-memory.dmp

memory/1696-5-0x00007FF60BA20000-0x00007FF60C7EA000-memory.dmp

memory/1696-6-0x00007FF60BA20000-0x00007FF60C7EA000-memory.dmp

memory/1696-7-0x00007FF60BA20000-0x00007FF60C7EA000-memory.dmp

memory/1696-9-0x00007FF60BA20000-0x00007FF60C7EA000-memory.dmp
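Detection logic for the chain shown in both process trees above (behavioral1 and behavioral2): a child runs "bcdedit /set hypervisorlaunchtype off" and a sibling forces an immediate reboot. This is an added example, not code from the report or from the sample. The input records are constructed in the shape of Sysmon Event ID 1 (process creation) fields, with PIDs and command lines copied from the win7 tree; the parent PID 1204 and the last two records are invented to exercise the walk-up and the negative cases.

```python
"""Hunt for 'bcdedit /set hypervisorlaunchtype off' followed by a forced reboot.

Added example; not code from the report or from the sample. Records are
constructed Sysmon Event ID 1-style fields. In a real deployment they would
come from Sysmon, EDR telemetry or Security event 4688 with command-line
auditing enabled.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample log. Field order: pid|ppid|image|cmdline.
# PID 1204 (assumed parent of gtr.exe) and the last two records are invented;
# everything else mirrors the report's behavioral1 process tree.
SAMPLE_LOG = r"""
2940|1204|C:\Users\Admin\AppData\Local\Temp\gtr.exe|"C:\Users\Admin\AppData\Local\Temp\gtr.exe"
284|2940|C:\Windows\system32\cmd.exe|C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >nul 2>&1
1580|284|C:\Windows\system32\bcdedit.exe|bcdedit /set hypervisorlaunchtype off
1632|2940|C:\Windows\system32\cmd.exe|C:\Windows\system32\cmd.exe /c cls
2568|2940|C:\Windows\system32\cmd.exe|C:\Windows\system32\cmd.exe /c shutdown /r /f /t 0 >nul 2>&1
2628|2568|C:\Windows\system32\shutdown.exe|shutdown /r /f /t 0
3300|1204|C:\Windows\system32\cmd.exe|cmd.exe /c bcdedit /enum {current}
3400|1204|C:\Windows\system32\bcdedit.exe|bcdedit /set {current} hypervisorlaunchtype auto
"""

# bcdedit accepts "/set" or "-set" and an optional boot-entry id before the
# element name, e.g. "bcdedit /set {current} hypervisorlaunchtype off".
HV_OFF = re.compile(
    r"bcdedit(?:\.exe)?\b.*?[/-]set\b.*?\bhypervisorlaunchtype\s+off\b", re.I)

# shutdown.exe: /r restart, /f force-close applications, /t 0 no delay.
# Lookaheads make the switch order irrelevant.
FORCE_REBOOT = re.compile(
    r"shutdown(?:\.exe)?\b(?=.*\s[/-]r\b)(?=.*\s[/-]f\b)(?=.*\s[/-]t\s+0\b)", re.I)


def parse_events(log: str) -> list[ProcEvent]:
    """Parse the pipe-delimited constructed records into ProcEvent objects."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(int(pid), int(ppid), image, cmdline))
    return events


def root_ancestor(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> ProcEvent:
    """Follow ppid links to the top-most process present in the log.
    The 'seen' set guards against PID reuse producing a cycle."""
    seen = {ev.pid}
    while ev.ppid in by_pid and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = by_pid[ev.ppid]
    return ev


def detect_hypervisor_disable(events: list[ProcEvent]) -> list[dict]:
    """One finding per root process under which hypervisorlaunchtype was turned off.

    Both the "cmd /c bcdedit ..." wrapper and the bcdedit.exe child match, so the
    finding lists every PID involved. Severity is "high" when the same tree also
    forced a reboot, which makes the BCD change take effect immediately."""
    by_pid = {e.pid: e for e in events}
    trees: dict[int, dict] = {}
    for ev in events:
        if HV_OFF.search(ev.cmdline):
            key = "bcdedit_pids"
        elif FORCE_REBOOT.search(ev.cmdline):
            key = "shutdown_pids"
        else:
            continue
        root = root_ancestor(ev, by_pid)
        tree = trees.setdefault(root.pid, {
            "root_pid": root.pid, "root_image": root.image,
            "bcdedit_pids": [], "shutdown_pids": []})
        tree[key].append(ev.pid)

    findings = []
    for tree in trees.values():
        if not tree["bcdedit_pids"]:
            continue  # a reboot on its own is not interesting
        tree["forced_reboot"] = bool(tree["shutdown_pids"])
        tree["severity"] = "high" if tree["forced_reboot"] else "medium"
        findings.append(tree)
    return findings


if __name__ == "__main__":
    for f in detect_hypervisor_disable(parse_events(SAMPLE_LOG)):
        print(f"[{f['severity']}] root {f['root_image']} (pid {f['root_pid']}): "
              f"bcdedit pids {f['bcdedit_pids']}, shutdown pids {f['shutdown_pids']}")
```

Keying on the process chain rather than on the registry reads is deliberate: Sysmon records registry create, delete, set-value and rename events but not the key opens and value queries (ACPI\DSDT\VBOX__, SystemBiosVersion) that the sandbox logged here. On a host where the chain fired, an elevated "bcdedit /enum {current}" shows the current hypervisorlaunchtype value and "bcdedit /set hypervisorlaunchtype auto" restores the default on the next boot.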