Malware Analysis Report

2024-10-16 06:53

Sample ID 240616-z3jf4ascmr
Target 501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c
SHA256 501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c

Threat Level: Known bad

The file 501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Detects executables packed with Themida

Modifies visibility of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Detects executables packed with Themida

Themida packer

Executes dropped EXE

Loads dropped DLL

Checks BIOS information in registry

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 21:14

Signatures

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 21:14

Reported

2024-06-16 21:17

Platform

win7-20240221-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe \??\c:\windows\resources\themes\explorer.exe
PID 1924 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe \??\c:\windows\resources\themes\explorer.exe
PID 1924 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe \??\c:\windows\resources\themes\explorer.exe
PID 1924 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe \??\c:\windows\resources\themes\explorer.exe
PID 2572 wrote to memory of 2532 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2572 wrote to memory of 2532 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2572 wrote to memory of 2532 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2572 wrote to memory of 2532 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2532 wrote to memory of 2700 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2532 wrote to memory of 2700 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2532 wrote to memory of 2700 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2532 wrote to memory of 2700 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2700 wrote to memory of 2428 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2700 wrote to memory of 2428 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2700 wrote to memory of 2428 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2700 wrote to memory of 2428 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2572 wrote to memory of 2440 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2572 wrote to memory of 2440 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2572 wrote to memory of 2440 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2572 wrote to memory of 2440 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2700 wrote to memory of 2468 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2700 wrote to memory of 2468 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2700 wrote to memory of 2468 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2700 wrote to memory of 2468 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2700 wrote to memory of 1108 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2700 wrote to memory of 1108 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2700 wrote to memory of 1108 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2700 wrote to memory of 1108 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2700 wrote to memory of 1096 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2700 wrote to memory of 1096 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2700 wrote to memory of 1096 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2700 wrote to memory of 1096 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe

"C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:16 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:17 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:18 /f

Network

N/A

Files

memory/1924-0-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/1924-1-0x0000000077B50000-0x0000000077B52000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 d19680d7b18d660f55576cc3c5fcc53b
SHA1 3ee2adbbbb908a7902661dce4c9300a6108410fd
SHA256 ee2a2406a4eddf41af01f26ce7b07a898a23e9a4f9a4c4e4cab842094bb585a5
SHA512 208cf09436f88a8ce5d3c9c3cb72a1150b2f6d43df59e65f10ddd51e9c660e0b80da13a1aea1dd9896015d437bf74d9ffa11ad43f2eb7865678389153d763a5b

memory/2572-11-0x0000000000400000-0x0000000000A13000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 04d58acb6b29f466451939dcbdce13cf
SHA1 3aedfdf9c33e6f131efeda38bd90c2c298320ba8
SHA256 6e9c1e4819527233e57d87818b5db0ffeec819e757470f0d24e287ca8d20ade6
SHA512 139e6b224be94500132010214f8dc06780a7537f781ea40be190fe4d4aa6c60905e862c00485b5b97e2c76198349a02303ad287ae27e46029fe0f8a9d3e63465

memory/2532-23-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2572-22-0x0000000003700000-0x0000000003D13000-memory.dmp

\Windows\Resources\svchost.exe

MD5 db5bf47302a2121bcf3fa4d7334699a9
SHA1 cfe23a09ac00e8b201e895b94ad2350b6720704f
SHA256 44ef13ae00bdf366b1dd72054c865a7d9cca33e39bdca6a9fe14e6c13dea0c49
SHA512 5a4115fbc272587a94c339d5e9033ba8f49c42dccc005260b81a7aa05071257d0ccd7c0b965011003d197cf4fa1c0f31840b669a530bff661c27673e61f48154

memory/2700-35-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2532-34-0x0000000003790000-0x0000000003DA3000-memory.dmp

memory/2428-43-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2700-41-0x00000000031C0000-0x00000000037D3000-memory.dmp

memory/2532-50-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2428-49-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/1924-52-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2572-53-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2572-55-0x0000000003700000-0x0000000003D13000-memory.dmp

memory/2700-56-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2572-65-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2572-73-0x0000000000400000-0x0000000000A13000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 21:14

Reported

2024-06-16 21:17

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2592 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe \??\c:\windows\resources\themes\explorer.exe
PID 4916 wrote to memory of 4472 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4472 wrote to memory of 4456 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4456 wrote to memory of 3340 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe

"C:\Users\Admin\AppData\Local\Temp\501d237fd04daa729fd5f7bdad701ae7d720855db59165824ab00facedab251c.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Files

memory/2592-0-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2592-1-0x0000000077954000-0x0000000077956000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 cb96f0f358f3b0f12fa055c26810e1ff
SHA1 8fd060fe269c6be447263552a8e0b2bf99a1d31b
SHA256 305dc6b8dbe5f9c5d068c440c9231565f8e938031a4b3cbaa61201d23dd2f8bd
SHA512 62f22c884504d1ac86b4e41a497a3975cd55c7ede1e66c3934ac95bb505bab4d8ce6df063d57a74344ed155cf3d2e486c79c30008fa7c5a9d6bdabc224988b54

memory/4916-10-0x0000000000400000-0x0000000000A13000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 a3eba5e41287adfca86a3eaffea19beb
SHA1 12aff5bd5b150e9c73baa6cf57a5974e513a1e02
SHA256 266be4375d2f3241930cfb2633e2f578f22a9d1d01e8dfdc243df3a49b52a18f
SHA512 9f86aec53f3190aa1490a3a6d32f339567d4f0374f166827e3c6126def4d3133c84056d38cf646f4d8bfef6a6cabd4599947f6b723af053187caf03203268618

memory/4472-19-0x0000000000400000-0x0000000000A13000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 e87c00dbd4229cc31e9013a2d421d17b
SHA1 09b79925b25d284b71b8d5d8499727522363da54
SHA256 cfb335858ea1bbb52f88151e5bdef7072457fc3223b8dbae100874b9864e5a5c
SHA512 a988e591eb5cd266dcb222ea7823c1ee248638e5e5b655a77a81952861f7a591928abf434faaa4d3ef8c1ea9d39bd7cee8eb39ec46126ea4dd814548102c2fbd

memory/4456-28-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/3340-33-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2592-41-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/4472-40-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/3340-38-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/4916-42-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/4456-43-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/4456-53-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/4916-54-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/4456-63-0x0000000000400000-0x0000000000A13000-memory.dmp