bcef64f477021a9b6953539a83a528cc4af7e1b43b5c5f7c94a7083d35eed287

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pribate.exe
Size

5.6MB
MD5

d00796d52b036d5ee320b91e974037da
SHA1

329a385031c8220bb7d9bd6b935a420f23dd7385
SHA256

bcef64f477021a9b6953539a83a528cc4af7e1b43b5c5f7c94a7083d35eed287
SHA512

1e7621cb8a7230fac2958ee9ac4f65939ccb851f57bc76fa0954e5342f07aabb19e0d4d805e52c454aea0fc5dba6ffd07aa0370283dad95e208d2d5e3d68182c
SSDEEP

98304:/Zj9cgkAi79yfbZD+jR1/Yy/MVXVVyLVFhvVTZLoywHkHWuJTO6kyT:ggJIyfb4jRVYRVbyLvZLIk2uJTNHT

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	pribate.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	pribate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	pribate.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1956-0-0x000000013FBA0000-0x0000000140726000-memory.dmp	themida
behavioral1/memory/1956-3-0x000000013FBA0000-0x0000000140726000-memory.dmp	themida
behavioral1/memory/1956-2-0x000000013FBA0000-0x0000000140726000-memory.dmp	themida
behavioral1/memory/1956-5-0x000000013FBA0000-0x0000000140726000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pribate.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1956	pribate.exe

cURL User-Agent 1 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	2	curl/8.4.0

C:\Users\Admin\AppData\Local\Temp\pribate.exe
"C:\Users\Admin\AppData\Local\Temp\pribate.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1956-0-0x000000013FBA0000-0x0000000140726000-memory.dmp

Filesize
11.5MB

Download
memory/1956-1-0x0000000077B20000-0x0000000077B22000-memory.dmp

Filesize
8KB

Download
memory/1956-3-0x000000013FBA0000-0x0000000140726000-memory.dmp

Filesize
11.5MB

Download
memory/1956-2-0x000000013FBA0000-0x0000000140726000-memory.dmp

Filesize
11.5MB

Download
memory/1956-5-0x000000013FBA0000-0x0000000140726000-memory.dmp

Filesize
11.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads