Malware Analysis Report

2024-10-10 07:51

Sample ID 240615-nxdg4starr
Target mc.exe
SHA256 f774e2487887015f3ecd0065b03a7862aca9080143976652548972d9cc3e5a74
Tags
evasion themida trojan
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

f774e2487887015f3ecd0065b03a7862aca9080143976652548972d9cc3e5a74

Threat Level: Likely malicious

The file mc.exe was found to be: Likely malicious.

Malicious Activity Summary

evasion themida trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Loads dropped DLL

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-15 11:46

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 11:46

Reported

2024-06-15 11:51

Platform

win10-20240404-en

Max time kernel

112s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\mc.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\mc.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\mc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\mc.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\mc.exe

"C:\Users\Admin\AppData\Local\Temp\mc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 machocheats.com udp
US 172.67.186.5:443 machocheats.com tcp
N/A 127.0.0.1:49800 tcp
US 8.8.8.8:53 5.186.67.172.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
N/A 127.0.0.1:49819 tcp
US 172.67.186.5:443 machocheats.com tcp

Files

memory/1448-0-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp

memory/1448-2-0x00007FFEB7530000-0x00007FFEB75DE000-memory.dmp

memory/1448-1-0x00007FFEB754B000-0x00007FFEB754C000-memory.dmp

memory/1448-4-0x00000213072A0000-0x00000213074E0000-memory.dmp

memory/1448-5-0x00000213072A0000-0x00000213074E0000-memory.dmp

\Users\Admin\AppData\Local\Temp\2f7d87ee.dll

MD5 e9220227f57e64dfc6e5491437461943
SHA1 ade5ca8c79862ff7cc3069be96d7b08701db7bb8
SHA256 4b2763e236905ef34b0aeca3a41de959ba2157a7cd8749dc09a06658a52bb0fe
SHA512 1847b2c4f39e061bca854a05c3e9523728157e6447531f7f14fe66dc4f294f374b3159e123fbf91fd2aee918ed68816c4fa3ead437844731d9e7a68012f6551b

memory/1448-3-0x0000000180000000-0x0000000180073000-memory.dmp

memory/1448-16-0x000002130A520000-0x000002130D5CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2f7d87ef.dll

MD5 11a0cd45d40d3cc6cfa3eaec36b23d76
SHA1 7d7370be4472323fa0c34ae2ff1a351967af62e3
SHA256 16619955f4bde1166112272dd23c27a9b9857fa442c51d77f952172f5e6a5d73
SHA512 780c6025449201083e173949a2fe13766c2a63d535556f475a9e522f9f5abc684caf95b449995d7aa192d6ae964fc8546941e7b33c5b87edb4475d9ecccfc087

memory/1448-26-0x0000000180000000-0x0000000180073000-memory.dmp

memory/1448-36-0x0000021306B80000-0x0000021306BBE000-memory.dmp

\Users\Admin\AppData\Local\Temp\2f7d87f0.dll

MD5 f8e73b07c6e73f964850a2efbf340cb8
SHA1 010fb949de293c47c567e09c54bfec57e5d92393
SHA256 279e97c51f082de39b2d83dfe6451e9bdda364d93ad74725fb56519f351c5352
SHA512 0b2a084aecd69c93cc3c7787ca74233de7fde047aafdb61ca37e0b847d1c1d737f706ce609df4376a348db19ce75bcd1d66366c3745443d5665ff6c00215765f

memory/1448-37-0x0000021306B80000-0x0000021306BBE000-memory.dmp

memory/1448-43-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp

memory/1448-44-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp

memory/1448-46-0x00007FFEB7530000-0x00007FFEB75DE000-memory.dmp

memory/1448-55-0x00007FF7A9070000-0x00007FF7AEF1B000-memory.dmp