1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8

General

Target

1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8.exe
Size

3.6MB
MD5

864d1a4e41a56c8f2e7e7eec89a47638
SHA1

1f2cb906b92a945c7346c7139c7722230005c394
SHA256

1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8
SHA512

547a441369636e2548c7f8f94c3972269e04d80ee5a26803cc222942b28e457be908126fb4ff6bfde2a063ea1ef74ecba2aaceb58c68fba5c4fddcea5fbd91d3
SSDEEP

98304:nroESehXGx5IkVu1f/ihp+t49Rd3iG2dEsL:s3ehXzgiSvGiv3tEj

Score

9^/10

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 2 IoCs

resource	yara_rule
behavioral1/memory/2280-23-0x00000000001D0000-0x0000000000B28000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2280-24-0x00000000001D0000-0x0000000000B28000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables packed with Themida 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000000b309-3.dat	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2280-23-0x00000000001D0000-0x0000000000B28000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2280-24-0x00000000001D0000-0x0000000000B28000-memory.dmp	INDICATOR_EXE_Packed_Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	da_protected.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	da_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	da_protected.exe

Executes dropped EXE 1 IoCs

pid	Process
2280	da_protected.exe

Loads dropped DLL 4 IoCs

pid	Process
2188	1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8.exe
2188	1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8.exe
2188	1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8.exe
2188	1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000600000000b309-3.dat	themida
behavioral1/memory/2280-23-0x00000000001D0000-0x0000000000B28000-memory.dmp	themida
behavioral1/memory/2280-24-0x00000000001D0000-0x0000000000B28000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	da_protected.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2280	da_protected.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	da_protected.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2280	2188	1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8.exe	28
PID 2188 wrote to memory of 2280	2188	1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8.exe	28
PID 2188 wrote to memory of 2280	2188	1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8.exe	28
PID 2188 wrote to memory of 2280	2188	1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8.exe	28

C:\Users\Admin\AppData\Local\Temp\1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8.exe
"C:\Users\Admin\AppData\Local\Temp\1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\da_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\da_protected.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\da_protected.exe

Filesize
3.2MB

MD5
3d21c714fbb98a6a3c72919928c9525c

SHA1
bf628293920b8f0418de008acc8f3506eaeff3cb

SHA256
811be420db2f390e60a291018126a8aa45c8c5182c050b13076c80d3f80d153c

SHA512
3b21fda899cf197a740dd4f2844c99c772a16ffe20581fe78e801c193f29714fbfa23843059ee34baf6176e71434f0ed7506d75de91b87348bcf9cc4b999575a

Download Submit
memory/2188-14-0x0000000003E90000-0x00000000047E8000-memory.dmp

Filesize
9.3MB

Download
memory/2188-15-0x0000000003E90000-0x00000000047E8000-memory.dmp

Filesize
9.3MB

Download
memory/2188-16-0x0000000003E90000-0x00000000047E8000-memory.dmp

Filesize
9.3MB

Download
memory/2188-17-0x0000000003E90000-0x00000000047E8000-memory.dmp

Filesize
9.3MB

Download
memory/2280-19-0x00000000001D0000-0x0000000000B28000-memory.dmp

Filesize
9.3MB

Download
memory/2280-23-0x00000000001D0000-0x0000000000B28000-memory.dmp

Filesize
9.3MB

Download
memory/2280-24-0x00000000001D0000-0x0000000000B28000-memory.dmp

Filesize
9.3MB

Download
memory/2280-27-0x00000000001D0000-0x0000000000B28000-memory.dmp

Filesize
9.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads