Malware Analysis Report

2024-10-10 07:50

Sample ID 240615-x3k9ksscrf
Target OrangeRemover_protected_1.exe
SHA256 4a7491599332383fa223e844530e29335565655388c5502315cbd6d431ed6297
Tags
themida evasion execution trojan
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

4a7491599332383fa223e844530e29335565655388c5502315cbd6d431ed6297

Threat Level: Likely malicious

The file OrangeRemover_protected_1.exe was found to be: Likely malicious.

Malicious Activity Summary

themida evasion execution trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Stops running service(s)

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-15 19:22

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 19:22

Reported

2024-06-15 19:40

Platform

win10v2004-20240611-en

Max time kernel

457s

Max time network

460s

Command Line

"C:\Users\Admin\AppData\Local\Temp\OrangeRemover_protected_1.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\OrangeRemover_protected_1.exe N/A

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\OrangeRemover_protected_1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\OrangeRemover_protected_1.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\OrangeRemover_protected_1.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OrangeRemover_protected_1.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\OrangeRemover_protected_1.exe

"C:\Users\Admin\AppData\Local\Temp\OrangeRemover_protected_1.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe >nul

C:\Windows\system32\taskkill.exe

taskkill /f /im EasyAntiCheat.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat

C:\Windows\system32\sc.exe

sc stop EasyAntiCheat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete EasyAntiCheat

C:\Windows\system32\sc.exe

sc delete EasyAntiCheat

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

memory/652-0-0x0000000140000000-0x0000000140719000-memory.dmp

memory/652-1-0x00007FFAA5CB0000-0x00007FFAA5EA5000-memory.dmp

memory/652-3-0x0000000140000000-0x0000000140719000-memory.dmp

memory/652-4-0x00007FFAA5CB0000-0x00007FFAA5EA5000-memory.dmp