Overview

overview

9

Static

static

7

Haxor-AIO/...IO.exe

windows10-1703-x64

9

Analysis

  • max time kernel
    21s
  • max time network
    18s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09/07/2024, 13:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Haxor-AIO/Haxor-AIO.exe

  • Size

    244KB

  • MD5

    216946b0e047100e4a2727b6edc3f369

  • SHA1

    df848ac54617db88ee4bb6144e0a201402fe7e7f

  • SHA256

    e6dcc4f30dd7eba66cb3281fc4696fc1d7776de58591f123398f2e952e11a24d

  • SHA512

    77c7253191f3ca4e69fd7d8839db35d8f49994e33ed98637792a99fa9a0fd10a79e1456f4799138a758a71872bce751910697fcf1946a90e35f5b6257d14a7d0

  • SSDEEP

    6144:HeU9ZEwQ5Fnp0Ak27gU6bF8VmOAOPp7paKFh:HxfXgFnphE780ORZpaEh

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Themida packer 10 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Haxor-AIO\Haxor-AIO.exe
    "C:\Users\Admin\AppData\Local\Temp\Haxor-AIO\Haxor-AIO.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\ProgramData\UserOOOBE\UserOOOBE.exe
      C:\ProgramData\\UserOOOBE\\UserOOOBE.exe ,.
      2⤵
      • Executes dropped EXE
      PID:224
    • C:\ProgramData\winsrvhost\winsrvhost.exe
      C:\ProgramData\\winsrvhost\\winsrvhost.exe tVhsdmtKyjYLTqjt9MvoNh7Ds5oyfUyme6U7MX4dWErnyDj8pwqdblP2hRP9Yk92
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID:660

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\UserOOOBE\UserOOOBE.exe
          Filesize

          1.6MB

          MD5

          939712a4d4341fb67c0214621a78fca7

          SHA1

          53225cb2d07e8131c9fdb086a70a81cd41f588ea

          SHA256

          f594ff49ea0a51dc4a76609291b7c3e44fcc92789378f899349609407ac55b61

          SHA512

          f9cd9997394dae980b99018902e347a48b4eab44041e88bad6fc3d10c173b31cea44b0202e7233b1dc934c102c27f1ce5662a01e53b1b0f80197c9c73bb24144

          Download Submit

        • C:\ProgramData\winsrvhost\winsrvhost.exe
          Filesize

          3.0MB

          MD5

          a553208ea4a57f1334669fe1e80113b7

          SHA1

          509aebd8384adb5f0d5f37dd3dd2b799ca7ddae6

          SHA256

          c868a800bef638fd579202534fa763a584cf78a01447afc89908ed1bae308ace

          SHA512

          08765ce1ed9d095527b469495b2138e6446c9034916f4030e7c02c43ea7b39708c1d3cd4f35c9df156633e77cdcb702258f7d627c028c902ac3f450dd0643eef

          Download Submit

        • memory/660-14-0x0000000000B30000-0x0000000000F8B000-memory.dmp

          Filesize

          4.4MB

          Download

        • memory/660-17-0x0000000000B30000-0x0000000000F8B000-memory.dmp

          Filesize

          4.4MB

          Download

        • memory/660-19-0x0000000000B30000-0x0000000000F8B000-memory.dmp

          Filesize

          4.4MB

          Download

        • memory/660-21-0x0000000000B30000-0x0000000000F8B000-memory.dmp

          Filesize

          4.4MB

          Download

        • memory/660-20-0x0000000000B30000-0x0000000000F8B000-memory.dmp

          Filesize

          4.4MB

          Download

        • memory/660-16-0x0000000000B30000-0x0000000000F8B000-memory.dmp

          Filesize

          4.4MB

          Download

        • memory/660-15-0x0000000000B30000-0x0000000000F8B000-memory.dmp

          Filesize

          4.4MB

          Download

        • memory/660-18-0x0000000000B30000-0x0000000000F8B000-memory.dmp

          Filesize

          4.4MB

          Download

        • memory/660-22-0x0000000000B30000-0x0000000000F8B000-memory.dmp

          Filesize

          4.4MB

          Download