8970a16295267765ab6b690e7f0d4d1e9bd5cc0b7a51d2d048bf069fcc8adc02

General

Target

BakosFree2.exe
Size

3.9MB
MD5

19276837bca67381f2d4f6620114c5df
SHA1

06920810b84cd7cadcf963f8823917a2e77d5a49
SHA256

8970a16295267765ab6b690e7f0d4d1e9bd5cc0b7a51d2d048bf069fcc8adc02
SHA512

e4ea35848ba3877990e0379e599a8dd4ceff6ddaeaf8210194ac56ea305f2146da94e85af880984f5e8f1b5cc956243e17342ec6d22b341b90a940ac95c8be1d
SSDEEP

98304:JU1gK9p2E9TV1IqWQ6mPVmzBA7xSU1j1drhljm+RJ:AL9p2UV1ovwmu1drhc0

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BakosFree2.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BakosFree2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BakosFree2.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/3668-0-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp	themida
behavioral1/memory/3668-3-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp	themida
behavioral1/memory/3668-4-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp	themida
behavioral1/memory/3668-2-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp	themida
behavioral1/memory/3668-5-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp	themida
behavioral1/memory/3668-6-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp	themida
behavioral1/memory/3668-7-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp	themida
behavioral1/memory/3668-9-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BakosFree2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3668	BakosFree2.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2148	timeout.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 1620	3668	BakosFree2.exe	83
PID 3668 wrote to memory of 1620	3668	BakosFree2.exe	83
PID 3668 wrote to memory of 3568	3668	BakosFree2.exe	84
PID 3668 wrote to memory of 3568	3668	BakosFree2.exe	84
PID 3668 wrote to memory of 216	3668	BakosFree2.exe	85
PID 3668 wrote to memory of 216	3668	BakosFree2.exe	85
PID 216 wrote to memory of 1544	216	cmd.exe	86
PID 216 wrote to memory of 1544	216	cmd.exe	86
PID 216 wrote to memory of 1820	216	cmd.exe	87
PID 216 wrote to memory of 1820	216	cmd.exe	87
PID 216 wrote to memory of 4980	216	cmd.exe	88
PID 216 wrote to memory of 4980	216	cmd.exe	88
PID 3668 wrote to memory of 4968	3668	BakosFree2.exe	89
PID 3668 wrote to memory of 4968	3668	BakosFree2.exe	89
PID 4968 wrote to memory of 4924	4968	cmd.exe	90
PID 4968 wrote to memory of 4924	4968	cmd.exe	90
PID 4924 wrote to memory of 2148	4924	cmd.exe	95
PID 4924 wrote to memory of 2148	4924	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\BakosFree2.exe
"C:\Users\Admin\AppData\Local\Temp\BakosFree2.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 6
  2⤵
  PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\BakosFree2.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\BakosFree2.exe" MD5
    3⤵
    PID:1544
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:1820
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:4980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\system32\cmd.exe
    cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3668-0-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp

Filesize
10.3MB

Download
memory/3668-1-0x00007FF921990000-0x00007FF921992000-memory.dmp

Filesize
8KB

Download
memory/3668-3-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp

Filesize
10.3MB

Download
memory/3668-4-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp

Filesize
10.3MB

Download
memory/3668-2-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp

Filesize
10.3MB

Download
memory/3668-5-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp

Filesize
10.3MB

Download
memory/3668-6-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp

Filesize
10.3MB

Download
memory/3668-7-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp

Filesize
10.3MB

Download
memory/3668-9-0x00007FF6B1B20000-0x00007FF6B2573000-memory.dmp

Filesize
10.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads