ec0648c65e51c62a693819e1eadf6af347527d4d1a79421d366a5926911f38ea

General

Target

ec0648c65e51c62a693819e1eadf6af347527d4d1a79421d366a5926911f38ea.exe
Size

2.4MB
MD5

a59b1c1fa5e5ce0ce77499e538ba20ce
SHA1

a9a2c34575b48b580d6869e4deb7516fae03cd0d
SHA256

ec0648c65e51c62a693819e1eadf6af347527d4d1a79421d366a5926911f38ea
SHA512

cfa3ebac54a3ea24f9d6826485b88fcbf05ab1360eb17c95d75f8d439a31db12bf83f01726457ca25f3dd3107f41e5f947fceb8c24cdb685b74bcb2af8ade66b
SSDEEP

49152:L3KoBQxG9i9w4QclMHG/m9FBiC1y/uUNxff0vhtAFE9P/qX/SBL:L3KkQMcNQlHG/oF8aUz0vnx9h

Score

9^/10

evasion persistence privilege_escalation themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ec0648c65e51c62a693819e1eadf6af347527d4d1a79421d366a5926911f38ea.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	iqncgig.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ec0648c65e51c62a693819e1eadf6af347527d4d1a79421d366a5926911f38ea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ec0648c65e51c62a693819e1eadf6af347527d4d1a79421d366a5926911f38ea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iqncgig.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iqncgig.exe

Executes dropped EXE 1 IoCs

pid	Process
912	iqncgig.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2064-0-0x0000000000400000-0x0000000000A91000-memory.dmp	themida
behavioral1/files/0x0018000000018b3e-6.dat	themida
behavioral1/memory/912-8-0x0000000000400000-0x0000000000A91000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iqncgig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ec0648c65e51c62a693819e1eadf6af347527d4d1a79421d366a5926911f38ea.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\iqncgig.exe	ec0648c65e51c62a693819e1eadf6af347527d4d1a79421d366a5926911f38ea.exe
File created	C:\PROGRA~3\Mozilla\buwmlrn.dll	iqncgig.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2064	ec0648c65e51c62a693819e1eadf6af347527d4d1a79421d366a5926911f38ea.exe
912	iqncgig.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 912	2104	taskeng.exe	30
PID 2104 wrote to memory of 912	2104	taskeng.exe	30
PID 2104 wrote to memory of 912	2104	taskeng.exe	30
PID 2104 wrote to memory of 912	2104	taskeng.exe	30

C:\Users\Admin\AppData\Local\Temp\ec0648c65e51c62a693819e1eadf6af347527d4d1a79421d366a5926911f38ea.exe
"C:\Users\Admin\AppData\Local\Temp\ec0648c65e51c62a693819e1eadf6af347527d4d1a79421d366a5926911f38ea.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2064

C:\Windows\system32\taskeng.exe
taskeng.exe {F1828884-76CF-418A-873B-9ADE60362A70} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2104
- C:\PROGRA~3\Mozilla\iqncgig.exe
  C:\PROGRA~3\Mozilla\iqncgig.exe -txnfdsi
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

AppInit DLLs

1

T1546.010

Privilege Escalation

Event Triggered Execution

1

T1546

AppInit DLLs

1

T1546.010

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\iqncgig.exe

Filesize
2.4MB

MD5
927e64d01de67fb7bd35824ae3b9e420

SHA1
8d398f7624948b72c9b365b4a4ceabd252edacaa

SHA256
a75150543fcc108ecea18bd3556485d57f364b548a746e25e3f83455d900b500

SHA512
2e28b8aa5b3bb9e914497cf595338dd1b5cc9f3ae48240c132f1f8cd42089fb2b52ecb20261156055f1309ca46b49283d3b02ba11a23c7fe27bd923e0456351b

Download Submit
memory/912-8-0x0000000000400000-0x0000000000A91000-memory.dmp

Filesize
6.6MB

Download
memory/912-10-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/912-9-0x0000000000AA0000-0x0000000000AFB000-memory.dmp

Filesize
364KB

Download
memory/912-12-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2064-0-0x0000000000400000-0x0000000000A91000-memory.dmp

Filesize
6.6MB

Download
memory/2064-1-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/2064-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2064-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2064-5-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads