7fe09e5889787ae38ef8f5242811a60ebe1526314eb08cc184b7e47051815e2b

General

Target

projectoyster.exe
Size

17.6MB
MD5

c2f6ec069ca587f732ee9107d9541ff4
SHA1

10a8985cc2f249ce143f97b26471426a95625ba2
SHA256

7fe09e5889787ae38ef8f5242811a60ebe1526314eb08cc184b7e47051815e2b
SHA512

b8c07ca5ece52fd6acc9a43d88216e6b57c0af908027099f0e2d3e48fcd19cbf4bde266c0cd3414233d0df2b7314fe801b12ee72804b31c5a7467f769f21e4d2
SSDEEP

393216:V5RM0d0EpEk/+4u8mwW+eGQRJ9jo7BGIGg3zOY:hMoDp3+RBwW+e5RJ9MnOY

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	projectoyster.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	projectoyster.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	projectoyster.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	projectoyster.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	projectoyster.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	projectoyster.exe

Loads dropped DLL 7 IoCs

pid	Process
2904	projectoyster.exe
2904	projectoyster.exe
2904	projectoyster.exe
2904	projectoyster.exe
2904	projectoyster.exe
2904	projectoyster.exe
2904	projectoyster.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2916-0-0x0000000140000000-0x00000001409BE000-memory.dmp	themida
behavioral1/memory/2916-2-0x0000000140000000-0x00000001409BE000-memory.dmp	themida
behavioral1/memory/2916-3-0x0000000140000000-0x00000001409BE000-memory.dmp	themida
behavioral1/memory/2916-4-0x0000000140000000-0x00000001409BE000-memory.dmp	themida
behavioral1/memory/2904-118-0x0000000140000000-0x00000001409BE000-memory.dmp	themida
behavioral1/memory/2904-119-0x0000000140000000-0x00000001409BE000-memory.dmp	themida
behavioral1/memory/2904-116-0x0000000140000000-0x00000001409BE000-memory.dmp	themida
behavioral1/memory/2916-135-0x0000000140000000-0x00000001409BE000-memory.dmp	themida
behavioral1/memory/2904-136-0x0000000140000000-0x00000001409BE000-memory.dmp	themida
behavioral1/memory/2916-243-0x0000000140000000-0x00000001409BE000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	projectoyster.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	projectoyster.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2916	projectoyster.exe
2904	projectoyster.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2904	2916	projectoyster.exe	28
PID 2916 wrote to memory of 2904	2916	projectoyster.exe	28
PID 2916 wrote to memory of 2904	2916	projectoyster.exe	28

C:\Users\Admin\AppData\Local\Temp\projectoyster.exe
"C:\Users\Admin\AppData\Local\Temp\projectoyster.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\projectoyster.exe
  "C:\Users\Admin\AppData\Local\Temp\projectoyster.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI29162\api-ms-win-core-file-l1-2-0.dll

Filesize
22KB

MD5
ed5be31d94e10df1af37fad4604770b5

SHA1
f6458eb3f290bbfa9a5f24e1754fb07a654885f6

SHA256
946d6143572774b4fa69804637064bfc209e06b43859d48ab4b001d7615eaae4

SHA512
f107a089b96ae0b62ed76b0b8d5be77a5756837859c4d31199a172fc3bc64de7bc2053175948af6c9e779af0a2483911627beaa9ed079526db2fa19292f986b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29162\api-ms-win-core-file-l2-1-0.dll

Filesize
22KB

MD5
0bac0d006e4fcc5aee4119fa4b52197a

SHA1
a6f1b4c9652ac92ba56e28bfe8877a3000d892ba

SHA256
0d290cf027a69595ec492a6a31bdc8d3743b75af8d3e2977852ee795730110ab

SHA512
6f5f1b891cde12c378f9c540497631f6187ec62da9d332774edfa42dcc7202b0d490e2965a24038099607f91cf6f8b4b72e41a087d0766d5177817cbe9cf4cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29162\api-ms-win-core-timezone-l1-1-0.dll

Filesize
22KB

MD5
50427f5c7ff2fd7498ffc1448ebbb842

SHA1
65273390f7a29293bab562f0960459889bb934ba

SHA256
583cf4c4303ed783ed295595d0dd2ae0ca6ca7927e9221dd0fb705aa5d0ee866

SHA512
7f6e5ff3e9486363fd57c6ad3e6bc37a4f5f6d579eef02725a83c210c0e4782ab1499d049fd288dae312724c1a509a48f0fc9c19ebb66bed6c7e3f588f817439

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29162\python312.dll

Filesize
6.6MB

MD5
5c5602cda7ab8418420f223366fff5db

SHA1
52f81ee0aef9b6906f7751fd2bbd4953e3f3b798

SHA256
e7890e38256f04ee0b55ac5276bbf3ac61392c3a3ce150bb5497b709803e17ce

SHA512
51c3b4f29781bb52c137ddb356e1bc5a37f3a25f0ed7d89416b14ed994121f884cb3e40ccdbb211a8989e3bd137b8df8b28e232f98de8f35b03965cfce4b424f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29162\ucrtbase.dll

Filesize
1.1MB

MD5
515421ddfb75fd1cd224edb6d765abb0

SHA1
9343f37828b2cf8f83b246e59681e635950c02d9

SHA256
1617fcbcf7da6373c49ea27075e879a06a05eaa2d523fc035aabb7daaeab7f27

SHA512
b7a3162a3473b668d26df1d4d28ceb12de61b671b05bacb42dfb45a17127698ed22281d244d2c13b232396dc01f1bf6d39d007b207444aed5fd3e0a45b813ca3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29162\api-ms-win-core-localization-l1-2-0.dll

Filesize
22KB

MD5
20bf471cb827deb38c05541295a34318

SHA1
4410909bc6fa6e88c30ee08f5fb03ea03afab22a

SHA256
57b447577c0dfbad077ff8439f4e3f00269824b2436bd2b3b228aa02e55f29f6

SHA512
5ec0e8612cdc4add68dad1c202adc190795e87c7c3e38d0a3ae25571c6a4f0bd47403e6f7f2f5f1c9fcaf30751226394a3265a4aa76d91f027a7c8e26d78e3aa

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29162\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
22KB

MD5
e5f624217aa3580fdd5e7873ea89ccc1

SHA1
5e32aea2cea67dbda98b635068a93a4e6665fbb9

SHA256
fc1636ec583b9444580d9037bc3120702abffef0d5c67390363e50ec6ea87d86

SHA512
3f4a237bf3fe4b3762acc99b3154426ce53e6de2ed46ed54ccfa0aeef2ec16b46b4f6491c166a5bb4ea1f52a29373d0448d141f48894aa7171da869056197aa3

Download Submit
memory/2904-116-0x0000000140000000-0x00000001409BE000-memory.dmp

Filesize
9.7MB

Download
memory/2904-121-0x00000000777D0000-0x0000000077979000-memory.dmp

Filesize
1.7MB

Download
memory/2904-119-0x0000000140000000-0x00000001409BE000-memory.dmp

Filesize
9.7MB

Download
memory/2904-137-0x00000000777D0000-0x0000000077979000-memory.dmp

Filesize
1.7MB

Download
memory/2904-118-0x0000000140000000-0x00000001409BE000-memory.dmp

Filesize
9.7MB

Download
memory/2904-136-0x0000000140000000-0x00000001409BE000-memory.dmp

Filesize
9.7MB

Download
memory/2916-3-0x0000000140000000-0x00000001409BE000-memory.dmp

Filesize
9.7MB

Download
memory/2916-2-0x0000000140000000-0x00000001409BE000-memory.dmp

Filesize
9.7MB

Download
memory/2916-0-0x0000000140000000-0x00000001409BE000-memory.dmp

Filesize
9.7MB

Download
memory/2916-135-0x0000000140000000-0x00000001409BE000-memory.dmp

Filesize
9.7MB

Download
memory/2916-4-0x0000000140000000-0x00000001409BE000-memory.dmp

Filesize
9.7MB

Download
memory/2916-1-0x0000000077820000-0x0000000077822000-memory.dmp

Filesize
8KB

Download
memory/2916-243-0x0000000140000000-0x00000001409BE000-memory.dmp

Filesize
9.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads