Malware Analysis Report

2024-10-16 06:53

Sample ID 240617-ln7y9avere
Target Bypass.exe
SHA256 893b07a3803d12a3f68b7ba487ec3c89b832604880b08374b543913c68e181d3
Tags
themida evasion trojan
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

893b07a3803d12a3f68b7ba487ec3c89b832604880b08374b543913c68e181d3

Threat Level: Likely malicious

The file Bypass.exe was found to be: Likely malicious.

Malicious Activity Summary

themida evasion trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Executes dropped EXE

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Launches sc.exe

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 09:41

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 09:41

Reported

2024-06-17 09:44

Platform

win7-20240221-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bypass.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Bypass.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Bypass.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Bypass.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Bypass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\PsSuspend.exe C:\Users\Admin\AppData\Local\Temp\Bypass.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Bypass.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2544 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2544 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2544 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2544 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2544 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2544 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2544 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2936 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe C:\Windows\SysWOW64\WerFault.exe
PID 2936 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe C:\Windows\SysWOW64\WerFault.exe
PID 2936 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe C:\Windows\SysWOW64\WerFault.exe
PID 2936 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Bypass.exe

"C:\Users\Admin\AppData\Local\Temp\Bypass.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc queryex BrokerInfrastructure | findstr PID

C:\Windows\SysWOW64\sc.exe

sc queryex BrokerInfrastructure

C:\Windows\SysWOW64\findstr.exe

findstr PID

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 588

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 09:41

Reported

2024-06-17 09:44

Platform

win10v2004-20240611-en

Max time kernel

146s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bypass.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Bypass.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Bypass.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Bypass.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PsSuspend.exe N/A
N/A N/A C:\Windows\SysWOW64\PsSuspend.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Bypass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\PsSuspend.exe C:\Users\Admin\AppData\Local\Temp\Bypass.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4212 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe C:\Windows\SysWOW64\cmd.exe
PID 4212 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe C:\Windows\SysWOW64\cmd.exe
PID 4212 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 3632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1844 wrote to memory of 3632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1844 wrote to memory of 3632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1844 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1844 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1844 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4212 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe C:\Windows\SysWOW64\cmd.exe
PID 4212 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe C:\Windows\SysWOW64\cmd.exe
PID 4212 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe C:\Windows\SysWOW64\cmd.exe
PID 3820 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3820 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3820 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3820 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3820 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3820 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4212 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe C:\Windows\SysWOW64\PsSuspend.exe
PID 4212 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe C:\Windows\SysWOW64\PsSuspend.exe
PID 4212 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe C:\Windows\SysWOW64\PsSuspend.exe
PID 4212 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe C:\Windows\SysWOW64\PsSuspend.exe
PID 4212 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe C:\Windows\SysWOW64\PsSuspend.exe
PID 4212 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\Bypass.exe C:\Windows\SysWOW64\PsSuspend.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Bypass.exe

"C:\Users\Admin\AppData\Local\Temp\Bypass.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc queryex BrokerInfrastructure | findstr PID

C:\Windows\SysWOW64\sc.exe

sc queryex BrokerInfrastructure

C:\Windows\SysWOW64\findstr.exe

findstr PID

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc queryex LSM | findstr PID

C:\Windows\SysWOW64\sc.exe

sc queryex LSM

C:\Windows\SysWOW64\findstr.exe

findstr PID

C:\Windows\SysWOW64\PsSuspend.exe

"PsSuspend.exe" 808

C:\Windows\SysWOW64\PsSuspend.exe

"PsSuspend.exe" 956

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 81.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 80.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files


C:\Windows\SysWOW64\PsSuspend.exe

MD5 1b9f1a75593dfc670fa7c54659ab5796
SHA1 c9f0c40e012f8cfe20b1e5cd6a9a7b078e89a00b
SHA256 95a922e178075fb771066db4ab1bd70c7016f794709d514ab1c7f11500f016cd
SHA512 ab7b26ce5487af2a337cabfa16908ddf72bf1f6942675760e7decee874dd0f72fd47aa42bc442fe11f71fab03106c75db0234199974c7de84d1ed3f12a9b4788