Malware Analysis Report

2024-10-16 06:46

Sample ID 240616-kmarpa1brn
Target modest-menu_v1.0.0_[unknowncheats.me]__[unknowncheats.me]_.zip
SHA256 75a3295f8c688359fcb7555b80e3f71ee42c5ac1d4525a39b2571107acf06a45
Tags
themida evasion trojan
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

75a3295f8c688359fcb7555b80e3f71ee42c5ac1d4525a39b2571107acf06a45

Threat Level: Likely malicious

The file modest-menu_v1.0.0_[unknowncheats.me]__[unknowncheats.me]_.zip was found to be: Likely malicious.

Malicious Activity Summary

themida evasion trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 08:42

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 08:42

Reported

2024-06-16 08:46

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\modest-menu_v1.0.0_[unknowncheats.me]__[unknowncheats.me]_.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\modest-menu_v1.0.0_[unknowncheats.me]__[unknowncheats.me]_.zip

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-16 08:42

Reported

2024-06-16 08:46

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

148s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\config.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\config.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3776 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.200.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-16 08:42

Reported

2024-06-16 08:46

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\Readme.api

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\Readme.api

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-16 08:42

Reported

2024-06-16 08:46

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\demo.lua

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\lua_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\lua_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\lua_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\lua_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\lua_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.lua C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.lua\ = "lua_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\lua_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\demo.lua

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\scripts\demo.lua

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\scripts\demo.lua"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 751b8e952fbaf444d8a261047d1f84fa
SHA1 dc96fe300b87a93aee819ed462b459bd6db2ff72
SHA256 e2526a69817a8b9e56cc89408166bed4684840b1b3493741daa8c2c8be26f71f
SHA512 0c694961a625aa8e66039b1f4b73f03427dc1f61c831b3a32869a3e781665d2fbf24109f728f8f0bedb7a5d2f13da981e7120335a5e4b6ecc8bacaa959b1c5f1

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-16 08:42

Reported

2024-06-16 08:46

Platform

win7-20240611-en

Max time kernel

118s

Max time network

119s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\menu.lua

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\lua_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\lua_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.lua\ = "lua_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\lua_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\lua_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\lua_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\lua_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.lua C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\menu.lua

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\scripts\menu.lua

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\scripts\menu.lua"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 7a2436ee27d17f7c4be22a972049741d
SHA1 c27897fd9f92228f282142ac261238c28257db46
SHA256 a9a9932977d66db9f8b5f78601cff0538a3cfde16cd8f80fc5e1a36debf319de
SHA512 42345f682bf8228cf3dbd57556c7710644185a2fde9506d9227e5afb97613f6231ca4c5e6dc192d6288a27640d9537616c90ddb48a2229e123a0b5e5b918db3f

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-16 08:42

Reported

2024-06-16 08:46

Platform

win7-20231129-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\sirius.lua.example

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\example_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\example_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.example C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\example_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\example_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\example_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\example_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.example\ = "example_auto_file" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\sirius.lua.example

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\scripts\sirius.lua.example

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\scripts\sirius.lua.example"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 bbf2a9fdd5318b10d2e840390dcc3144
SHA1 ca03882547db2b260d61b0ba354608c008fe97b7
SHA256 9ed95c599659bfa4f7505b70d13e543da4b4ecea1a04a5cd56353eea12c5d319
SHA512 e571f054db6b4ae43f0af25c2ac8a5b8eb6e9612aab601e2a0aa20df5ef1eb79f0ff1a0555f68c01d2cd3071f48d58e2eb534d1ae2e87cc4e3248706259e6e26

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 08:42

Reported

2024-06-16 08:46

Platform

win7-20240611-en

Max time kernel

119s

Max time network

121s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\modest-menu_v1.0.0_[unknowncheats.me]__[unknowncheats.me]_.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\modest-menu_v1.0.0_[unknowncheats.me]__[unknowncheats.me]_.zip

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-16 08:42

Reported

2024-06-16 08:46

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\Readme.api

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\Readme.api

Network

N/A

Files

memory/1952-25-0x00000000001E0000-0x00000000001E1000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-16 08:42

Reported

2024-06-16 08:46

Platform

win10v2004-20240611-en

Max time kernel

114s

Max time network

120s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\vehicle.lua

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\vehicle.lua

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=4648 /prefetch:8

Network

Country Destination Domain Proto
GB 87.248.205.0:80 tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 20.189.173.15:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-16 08:42

Reported

2024-06-16 08:46

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\weapon.lua

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\weapon.lua

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-16 08:42

Reported

2024-06-16 08:46

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\themes.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\json_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.json\ = "json_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\json_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\json_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\json_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.json C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\json_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\themes.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\themes.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\themes.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 25b27fc5243dc19d851ed8a808449858
SHA1 e39f8bfb4cf680be9554abe3fdd54580d4f3834d
SHA256 cfffc2bd99d26c8a6307e31c0cb7240eecca7d5e3463f97df22fad98be0ecaed
SHA512 40e89b5584d21f80ae1f63ddbaee0e7eecc9c95499e01a3b64daa35e7bb5d101767b6d99a6d7d1e20365e5097f0c0d1c09d0362f6e630484fef8f543386a7f32

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-16 08:42

Reported

2024-06-16 08:46

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\modest-menu.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\modest-menu.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\modest-menu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\modest-menu.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\modest-menu.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\modest-menu.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\modest-menu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\modest-menu.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\modest-menu.exe

"C:\Users\Admin\AppData\Local\Temp\modest-menu.exe"

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp

Files

memory/1920-1-0x00007FF99EFB0000-0x00007FF99EFB2000-memory.dmp

memory/1920-0-0x00007FF7C4390000-0x00007FF7C6D9F000-memory.dmp

memory/1920-2-0x00007FF7C4390000-0x00007FF7C6D9F000-memory.dmp

memory/1920-3-0x00007FF7C4390000-0x00007FF7C6D9F000-memory.dmp

memory/1920-4-0x00007FF7C4390000-0x00007FF7C6D9F000-memory.dmp

memory/1920-5-0x00007FF7C4390000-0x00007FF7C6D9F000-memory.dmp

memory/1920-6-0x00007FF7C4390000-0x00007FF7C6D9F000-memory.dmp

memory/1920-7-0x00007FF7C4390000-0x00007FF7C6D9F000-memory.dmp

memory/1920-8-0x00007FF7C4390000-0x00007FF7C6D9F000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-16 08:42

Reported

2024-06-16 08:46

Platform

win10v2004-20240611-en

Max time kernel

126s

Max time network

128s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\demo.lua

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\demo.lua

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4228,i,3833046924978547022,12404847742964713612,262144 --variations-seed-version --mojo-platform-channel-handle=3780 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 97.242.123.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-16 08:42

Reported

2024-06-16 08:46

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\menu.lua

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\menu.lua

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-16 08:42

Reported

2024-06-16 08:46

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

148s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\sirius.lua.example

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\sirius.lua.example

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4316,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-16 08:42

Reported

2024-06-16 08:46

Platform

win7-20240220-en

Max time kernel

117s

Max time network

118s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\vehicle.lua

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\lua_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.lua C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.lua\ = "lua_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\lua_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\lua_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\lua_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\lua_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\lua_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\vehicle.lua

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\scripts\vehicle.lua

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\scripts\vehicle.lua"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 3f346d24a6263a58ae7ffae622437fb7
SHA1 89c6a96b67ff913a07d8fa339b7f94198d739fbe
SHA256 a119f4243013007b26cfa4975bc60c20185216610a54da741f7e84036e44a927
SHA512 0e668f7f12f04e0bfba3c296e5b9a52b2d238eaae75b3c2b214c8f2c6d7aef8151ef8d350b6a8c0311de7ce8bdebe243c6a545ffca75bd56d3ec44f19347e290

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-16 08:42

Reported

2024-06-16 08:46

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\weapon.lua

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\lua_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.lua C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\lua_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.lua\ = "lua_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\lua_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\lua_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\lua_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\lua_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\scripts\weapon.lua

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\scripts\weapon.lua

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\scripts\weapon.lua"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 dfd8134def7c1bbdc3a6a3d4e6c93164
SHA1 0627f96e95bcb1ce728f6f51a4506521cfef9788
SHA256 4db379d4af497835a6f77525e99059132c2480c19367f5c06a4c8137a6bbefb0
SHA512 a250c91005c714f81388e57446b084b759b3c429054eeec21e43f354e582f30c094800178279f92ce243b57e6c714bd69a536ad50b0098a866ae6686488bb6fe

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-16 08:42

Reported

2024-06-16 08:46

Platform

win7-20240611-en

Max time kernel

119s

Max time network

125s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\config.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\json_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\json_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.json\ = "json_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\json_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\json_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\json_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.json C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\config.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\config.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\config.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 8206500035670ad6438fb83fc80c1cf5
SHA1 97f73a65813f42c8bd0fd381cb5b6190485e1ed4
SHA256 e8d9d0754a35e09b99d055407e3f7b4d500843e0759944ba3a05b093b8f06a19
SHA512 cb5b489c4b6061ee552bf8c3f2599d20f133e90ec0a996d1b65b05062c3c407b2a2859aa1882c13e4f24f7dd7ac04aa2122f18b20637f95fde3531193ec56b2e

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-16 08:42

Reported

2024-06-16 08:46

Platform

win7-20240611-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\modest-menu.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\modest-menu.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\modest-menu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\modest-menu.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\modest-menu.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\modest-menu.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\modest-menu.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\modest-menu.exe

"C:\Users\Admin\AppData\Local\Temp\modest-menu.exe"

Network

N/A

Files

memory/2148-0-0x000000013F570000-0x0000000141F7F000-memory.dmp

memory/2148-1-0x0000000077000000-0x0000000077002000-memory.dmp

memory/2148-3-0x000000013F570000-0x0000000141F7F000-memory.dmp

memory/2148-4-0x000000013F570000-0x0000000141F7F000-memory.dmp

memory/2148-2-0x000000013F570000-0x0000000141F7F000-memory.dmp

memory/2148-5-0x000000013F570000-0x0000000141F7F000-memory.dmp

memory/2148-7-0x000000013F570000-0x0000000141F7F000-memory.dmp

memory/2148-6-0x000000013F570000-0x0000000141F7F000-memory.dmp

memory/2148-9-0x000000013F570000-0x0000000141F7F000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-16 08:42

Reported

2024-06-16 08:46

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\themes.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\themes.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A