Malware Analysis Report

2024-10-10 07:51

Sample ID: 240615-txchps1bkr
Target: fix-injector.exe
SHA256: 18c0bba23af8256a5f9e3de3038555a6a706dddd0c24123c011c1a8aa4d78156
Tags: themida evasion persistence trojan
Score: 9/10

Analysis Overview

Threat Level: Likely malicious

The file fix-injector.exe was found to be: Likely malicious.

Malicious Activity Summary

themida evasion persistence trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Sets service image path in registry

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-15 16:25

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 16:25

Reported

2024-06-15 16:28

Platform

win7-20240611-en

Max time kernel

141s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fix-injector.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\fix-injector.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ZCsnaWPyUxTkb\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ZCsnaWPyUxTkb" C:\Windows\SoftwareDistribution\Download\fXILX.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\fix-injector.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\fix-injector.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SoftwareDistribution\Download\fXILX.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fix-injector.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (13 matches, none with a recorded description, indicator, process or target)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fix-injector.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fix-injector.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SoftwareDistribution\Download\fXILX.exe C:\Users\Admin\AppData\Local\Temp\fix-injector.exe N/A

Enumerates physical storage devices

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SoftwareDistribution\Download\fXILX.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Windows\SoftwareDistribution\Download\fXILX.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fix-injector.exe

"C:\Users\Admin\AppData\Local\Temp\fix-injector.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c color 9

C:\Windows\SoftwareDistribution\Download\fXILX.exe

"C:\Windows\SoftwareDistribution\Download\fXILX.exe"

Network

N/A

Files

memory/2500-0-0x000000013F2B0000-0x000000013FC37000-memory.dmp

memory/2500-1-0x0000000077B10000-0x0000000077B12000-memory.dmp

memory/2500-2-0x000000013F2B0000-0x000000013FC37000-memory.dmp

memory/2500-4-0x000000013F2B0000-0x000000013FC37000-memory.dmp

memory/2500-7-0x000000013F2B0000-0x000000013FC37000-memory.dmp

memory/2500-5-0x000000013F2B0000-0x000000013FC37000-memory.dmp

memory/2500-3-0x000000013F2B0000-0x000000013FC37000-memory.dmp

memory/2500-6-0x000000013F2B0000-0x000000013FC37000-memory.dmp

\Windows\SoftwareDistribution\Download\fXILX.exe

MD5 03997b52220aa284bd6da2f39a82b002
SHA1 7aa87879a471cbda376914927a3b6b8274a6d642
SHA256 7873158c42440a31a986c1472c0982404f54325ccd0c8b3a6e63a707277945a2
SHA512 e7ccf9300166cb8c3d81153e9675240778a4910b2f503f8c2293c273f42eee6fe0841d66fe0baa91d9355392b06b85008921a75c90969d2b823d2092935efef9

memory/2500-16-0x000000013F2B0000-0x000000013FC37000-memory.dmp

memory/2500-17-0x000000013F2B0000-0x000000013FC37000-memory.dmp

memory/2500-18-0x000000013F2B0000-0x000000013FC37000-memory.dmp

memory/2500-19-0x000000013F2B0000-0x000000013FC37000-memory.dmp

memory/2500-21-0x000000013F2B0000-0x000000013FC37000-memory.dmp

memory/2500-26-0x000000013F2B0000-0x000000013FC37000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 16:25

Reported

2024-06-15 16:28

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fix-injector.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\fix-injector.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cPomyDaDVbRMgSwptXVZEa\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\cPomyDaDVbRMgSwptXVZEa" C:\Windows\SoftwareDistribution\Download\1fYxY.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\fix-injector.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\fix-injector.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fix-injector.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SoftwareDistribution\Download\1fYxY.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (12 matches, none with a recorded description, indicator, process or target)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fix-injector.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fix-injector.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SoftwareDistribution\Download\1fYxY.exe C:\Users\Admin\AppData\Local\Temp\fix-injector.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SoftwareDistribution\Download\1fYxY.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Windows\SoftwareDistribution\Download\1fYxY.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (47 matches, all from taskmgr.exe, no description or indicator recorded)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (47 matches, all from taskmgr.exe, no description or indicator recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\fix-injector.exe

"C:\Users\Admin\AppData\Local\Temp\fix-injector.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c color 9

C:\Windows\SoftwareDistribution\Download\1fYxY.exe

"C:\Windows\SoftwareDistribution\Download\1fYxY.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2860,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=3940 /prefetch:8

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4636-0-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp

memory/4636-1-0x00007FFF1EED0000-0x00007FFF1EED2000-memory.dmp

memory/4636-2-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp

memory/4636-3-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp

memory/4636-5-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp

memory/4636-6-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp

memory/4636-7-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp

memory/4636-4-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp

C:\Windows\SoftwareDistribution\Download\1fYxY.exe

MD5 03997b52220aa284bd6da2f39a82b002
SHA1 7aa87879a471cbda376914927a3b6b8274a6d642
SHA256 7873158c42440a31a986c1472c0982404f54325ccd0c8b3a6e63a707277945a2
SHA512 e7ccf9300166cb8c3d81153e9675240778a4910b2f503f8c2293c273f42eee6fe0841d66fe0baa91d9355392b06b85008921a75c90969d2b823d2092935efef9

memory/4636-18-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp

memory/4636-19-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp

memory/4636-20-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp

memory/4636-22-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp

memory/4636-23-0x00007FF6B1040000-0x00007FF6B19C7000-memory.dmp

memory/4216-26-0x000001847FC20000-0x000001847FC21000-memory.dmp

memory/4216-25-0x000001847FC20000-0x000001847FC21000-memory.dmp

memory/4216-24-0x000001847FC20000-0x000001847FC21000-memory.dmp

memory/4216-30-0x000001847FC20000-0x000001847FC21000-memory.dmp

memory/4216-31-0x000001847FC20000-0x000001847FC21000-memory.dmp

memory/4216-36-0x000001847FC20000-0x000001847FC21000-memory.dmp

memory/4216-35-0x000001847FC20000-0x000001847FC21000-memory.dmp

memory/4216-34-0x000001847FC20000-0x000001847FC21000-memory.dmp

memory/4216-33-0x000001847FC20000-0x000001847FC21000-memory.dmp

memory/4216-32-0x000001847FC20000-0x000001847FC21000-memory.dmp