e2cadb0766cf2fc20a527c917f4475388ef3fbd73b8e0c6d071b695afbb1dba3

Resubmissions

04-07-2024 17:22

240704-vxyavazeql 10

04-07-2024 17:19

240704-vv7rhazenr 10

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[DemonArchives]1e0dc068677f96c9da7f43cf4d4acd92.exe
Size

2.9MB
MD5

1e0dc068677f96c9da7f43cf4d4acd92
SHA1

3380fbe838c36e7934c827f5d124d54062d57d2c
SHA256

fe2ee4ca2b7147816a8ff12129d5b57334fa6eb45e545ac6fc2f9bd4b7c618d1
SHA512

a5469ad819002d28d588d1a62f869cefe19590432c7416170a19d5b4ed96b7f7867622d17ad5f31e61e959ea13fa98c4054158f5df9c87144d685e5e3a667ca2
SSDEEP

49152:0R+xVzz7guptUHuMKmSFGUgAI3kgYEL8S28UReDZdUoB/oissH4Rn3r3ZxCgSfZr:/igt2u7FGP7Ic+eD3nBjnYRnnnqES

Score

9^/10

evasion persistence privilege_escalation themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	[DemonArchives]1e0dc068677f96c9da7f43cf4d4acd92.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	gugcane.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	[DemonArchives]1e0dc068677f96c9da7f43cf4d4acd92.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	[DemonArchives]1e0dc068677f96c9da7f43cf4d4acd92.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gugcane.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	gugcane.exe

Executes dropped EXE 1 IoCs

pid	Process
2924	gugcane.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral15/memory/1744-0-0x0000000000400000-0x0000000000AB4000-memory.dmp	themida
behavioral15/memory/1744-1-0x0000000000400000-0x0000000000AB4000-memory.dmp	themida
behavioral15/files/0x00330000000164a9-7.dat	themida
behavioral15/memory/2924-8-0x0000000000400000-0x0000000000AB4000-memory.dmp	themida
behavioral15/memory/2924-9-0x0000000000400000-0x0000000000AB4000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	[DemonArchives]1e0dc068677f96c9da7f43cf4d4acd92.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gugcane.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\gugcane.exe	[DemonArchives]1e0dc068677f96c9da7f43cf4d4acd92.exe
File created	C:\PROGRA~3\Mozilla\zynbtfl.dll	gugcane.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1744	[DemonArchives]1e0dc068677f96c9da7f43cf4d4acd92.exe
2924	gugcane.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2924	2956	taskeng.exe	29
PID 2956 wrote to memory of 2924	2956	taskeng.exe	29
PID 2956 wrote to memory of 2924	2956	taskeng.exe	29
PID 2956 wrote to memory of 2924	2956	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\[DemonArchives]1e0dc068677f96c9da7f43cf4d4acd92.exe
"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]1e0dc068677f96c9da7f43cf4d4acd92.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1744

C:\Windows\system32\taskeng.exe
taskeng.exe {8CA27FBF-A408-4903-9831-C29C44D8C01F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2956
- C:\PROGRA~3\Mozilla\gugcane.exe
  C:\PROGRA~3\Mozilla\gugcane.exe -eoikpie
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\gugcane.exe

Filesize
2.9MB

MD5
35bd790d9f3046ae095b012165fe143f

SHA1
d2933b9c6bd46c327ad85ca922ec4c765116a31c

SHA256
8462eb986b110da57bd6f3ffade545024966eefd641e20d41676dfd314594a8b

SHA512
d4d85f4bb9ab18b032a18c5be099c93e4825daf66b882791ae638fb3aab8292c7e855f661fbedbf604f5da9a7063e8987903fb6ef597e88b172cfaa1074a8790

Download Submit
memory/1744-0-0x0000000000400000-0x0000000000AB4000-memory.dmp

Filesize
6.7MB

Download
memory/1744-1-0x0000000000400000-0x0000000000AB4000-memory.dmp

Filesize
6.7MB

Download
memory/1744-3-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1744-2-0x0000000000290000-0x00000000002EB000-memory.dmp

Filesize
364KB

Download
memory/1744-5-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2924-8-0x0000000000400000-0x0000000000AB4000-memory.dmp

Filesize
6.7MB

Download
memory/2924-9-0x0000000000400000-0x0000000000AB4000-memory.dmp

Filesize
6.7MB

Download
memory/2924-11-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2924-10-0x0000000000AC0000-0x0000000000B1B000-memory.dmp

Filesize
364KB

Download
memory/2924-13-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads