cbde45013b47a0b4bfe13d434bc224483942dae6c169600893ff4d55e7e41482

General

Target

tywtQU.exe
Size

21.3MB
MD5

6942076bd2d552f67e24b7ad18b21e69
SHA1

f041b16fb1707654557b7ea7b91294163aceb539
SHA256

cbde45013b47a0b4bfe13d434bc224483942dae6c169600893ff4d55e7e41482
SHA512

44454452a1e818c93ae619abfb4a4cab447605beeb379af53a97f65332dbf8f91aa1dffcb3247df8903755dd1dc15538cf8a038fb0965b50b57698c38694bbed
SSDEEP

393216:UfQUu1r5500XlU1XeorjN8Tx95zVEOONK2GQsxmr6WOrVOtX9lpiMxjNw:U7u1z00XsXPrjN8l3CNKrQsxmrROrYt+

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	tywtQU.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tywtQU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tywtQU.exe

Loads dropped DLL 2 IoCs

pid	Process
2368	tywtQU.exe
2368	tywtQU.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2368-3-0x000000013FB20000-0x0000000143335000-memory.dmp	themida
behavioral1/memory/2368-5-0x000000013FB20000-0x0000000143335000-memory.dmp	themida
behavioral1/memory/2368-4-0x000000013FB20000-0x0000000143335000-memory.dmp	themida
behavioral1/memory/2368-37-0x000000013FB20000-0x0000000143335000-memory.dmp	themida
behavioral1/memory/2368-39-0x000000013FB20000-0x0000000143335000-memory.dmp	themida
behavioral1/memory/2368-38-0x000000013FB20000-0x0000000143335000-memory.dmp	themida
behavioral1/memory/2368-166-0x000000013FB20000-0x0000000143335000-memory.dmp	themida
behavioral1/memory/2368-167-0x000000013FB20000-0x0000000143335000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tywtQU.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2368	tywtQU.exe
2368	tywtQU.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1900	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2368	tywtQU.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2368	tywtQU.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2620	2368	tywtQU.exe	32
PID 2368 wrote to memory of 2620	2368	tywtQU.exe	32
PID 2368 wrote to memory of 2620	2368	tywtQU.exe	32
PID 2368 wrote to memory of 1404	2368	tywtQU.exe	33
PID 2368 wrote to memory of 1404	2368	tywtQU.exe	33
PID 2368 wrote to memory of 1404	2368	tywtQU.exe	33
PID 1404 wrote to memory of 1336	1404	cmd.exe	34
PID 1404 wrote to memory of 1336	1404	cmd.exe	34
PID 1404 wrote to memory of 1336	1404	cmd.exe	34
PID 1336 wrote to memory of 1900	1336	cmd.exe	36
PID 1336 wrote to memory of 1900	1336	cmd.exe	36
PID 1336 wrote to memory of 1900	1336	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\tywtQU.exe
"C:\Users\Admin\AppData\Local\Temp\tywtQU.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:2620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd /C "color 4 && title Auth-Error && echo [DB-FOX] security issue 0x2 with ''. && timeout /t 5"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\system32\cmd.exe
    cmd /C "color 4 && title Auth-Error && echo [DB-FOX] security issue 0x2 with ''. && timeout /t 5"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3cc1f7c.dll

Filesize
10KB

MD5
542538c7cb8986fa2867045e2255976a

SHA1
c3496e0a1faac9bb970308cf26f278c41a7d8ab3

SHA256
454485afce1a9aa105ddd94072c63fc433c7aa378b3ebf94bf3c6e1a56fcfb54

SHA512
8726e87e644ceef4e11c271b2d66f6d399b5f19b4a7d3e9420c100c817940f1f8636026c02ec0de50294f2810df9a00560326a834a166d446705454251ea0401

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabECC1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarECD4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\3cc1f7b.dll

Filesize
10KB

MD5
2d7adffa791933d88f7e7b04558de0c2

SHA1
a5fc7751c7bbfcb038b86838fffede41255304c4

SHA256
9d1247485ba1865c4be7429580a5afb71e4ec8e656ee7a50bc565bf79def2880

SHA512
46d308c5370e5b7ad14d42fe26d1c86fe62535ba77ea7d29cfd046fb96be8b3c296c88cea38d1e67722b4201340d307787f70599e89c44b56583ba626f93b29b

Download Submit
memory/2368-38-0x000000013FB20000-0x0000000143335000-memory.dmp

Filesize
56.1MB

Download
memory/2368-3-0x000000013FB20000-0x0000000143335000-memory.dmp

Filesize
56.1MB

Download
memory/2368-5-0x000000013FB20000-0x0000000143335000-memory.dmp

Filesize
56.1MB

Download
memory/2368-4-0x000000013FB20000-0x0000000143335000-memory.dmp

Filesize
56.1MB

Download
memory/2368-37-0x000000013FB20000-0x0000000143335000-memory.dmp

Filesize
56.1MB

Download
memory/2368-39-0x000000013FB20000-0x0000000143335000-memory.dmp

Filesize
56.1MB

Download
memory/2368-0-0x000007FEFDA33000-0x000007FEFDA34000-memory.dmp

Filesize
4KB

Download
memory/2368-18-0x0000000001BD0000-0x0000000001C26000-memory.dmp

Filesize
344KB

Download
memory/2368-17-0x0000000001BD0000-0x0000000001C26000-memory.dmp

Filesize
344KB

Download
memory/2368-28-0x0000000002540000-0x0000000002A2F000-memory.dmp

Filesize
4.9MB

Download
memory/2368-7-0x0000000180000000-0x0000000180026000-memory.dmp

Filesize
152KB

Download
memory/2368-6-0x0000000180000000-0x0000000180026000-memory.dmp

Filesize
152KB

Download
memory/2368-2-0x000007FEFDA20000-0x000007FEFDA8C000-memory.dmp

Filesize
432KB

Download
memory/2368-1-0x000007FEFDA20000-0x000007FEFDA8C000-memory.dmp

Filesize
432KB

Download
memory/2368-166-0x000000013FB20000-0x0000000143335000-memory.dmp

Filesize
56.1MB

Download
memory/2368-168-0x000007FEFDA20000-0x000007FEFDA8C000-memory.dmp

Filesize
432KB

Download
memory/2368-167-0x000000013FB20000-0x0000000143335000-memory.dmp

Filesize
56.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads