Overview

overview

9

Static

static

7

MWIII (4).exe

windows7-x64

9

MWIII (4).exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    16-07-2024 10:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MWIII (4).exe

  • Size

    5.6MB

  • MD5

    b476586a746d1c9f0571b23d6e0f8eb0

  • SHA1

    f9ecd837efba745d191f2f5e2f6961b3c2312d7a

  • SHA256

    f97a31c132cf5472952069dbbd483f80d2e6ce2f22f0808cfe9e2fc1de191e9c

  • SHA512

    8b3914081b897fbf9bcc913322e1083bac4c8620f54cb0e6710e6b058af2b6ceea3e4cf8533a534c757506d5ae1ab66d161f25b34abe37e5f4c01fb5c701ea1a

  • SSDEEP

    98304:RXXO/G3+KDPHMNelEWoZqclpBq1JBKatE+vLcSPGkmBmdFmJQrers8+ui:dOe3hHUMEWoQef+KuE+zcOGkmBQFFB8y

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 19 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MWIII (4).exe
    "C:\Users\Admin\AppData\Local\Temp\MWIII (4).exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\MWIII (4).exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\MWIII (4).exe" MD5
        3⤵
          PID:2680
        • C:\Windows\system32\find.exe
          find /i /v "md5"
          3⤵
            PID:2668
          • C:\Windows\system32\find.exe
            find /i /v "certutil"
            3⤵
              PID:2224
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c cls
            2⤵
              PID:2700

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/2444-0-0x0000000140000000-0x0000000140E2B000-memory.dmp

            Filesize

            14.2MB

            Download

          • memory/2444-1-0x0000000077B80000-0x0000000077B82000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2444-2-0x0000000140000000-0x0000000140E2B000-memory.dmp

            Filesize

            14.2MB

            Download

          • memory/2444-3-0x0000000140000000-0x0000000140E2B000-memory.dmp

            Filesize

            14.2MB

            Download

          • memory/2444-4-0x0000000140000000-0x0000000140E2B000-memory.dmp

            Filesize

            14.2MB

            Download

          • memory/2444-5-0x0000000077B30000-0x0000000077CD9000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/2444-7-0x0000000077B30000-0x0000000077CD9000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/2444-6-0x0000000140000000-0x0000000140E2B000-memory.dmp

            Filesize

            14.2MB

            Download

          • memory/2444-8-0x0000000077B30000-0x0000000077CD9000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/2444-9-0x0000000077B30000-0x0000000077CD9000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/2444-10-0x0000000077B30000-0x0000000077CD9000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/2444-11-0x0000000077B30000-0x0000000077CD9000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/2444-12-0x0000000077B30000-0x0000000077CD9000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/2444-14-0x0000000077B30000-0x0000000077CD9000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/2444-16-0x0000000077B30000-0x0000000077CD9000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/2444-15-0x0000000140000000-0x0000000140E2B000-memory.dmp

            Filesize

            14.2MB

            Download

          • memory/2444-17-0x0000000077B30000-0x0000000077CD9000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/2444-18-0x0000000077B30000-0x0000000077CD9000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/2444-19-0x0000000140000000-0x0000000140E2B000-memory.dmp

            Filesize

            14.2MB

            Download

          • memory/2444-20-0x0000000077B30000-0x0000000077CD9000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/2444-21-0x0000000077B30000-0x0000000077CD9000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/2444-22-0x0000000140000000-0x0000000140E2B000-memory.dmp

            Filesize

            14.2MB

            Download

          • memory/2444-23-0x0000000140000000-0x0000000140E2B000-memory.dmp

            Filesize

            14.2MB

            Download

          • memory/2444-24-0x0000000140000000-0x0000000140E2B000-memory.dmp

            Filesize

            14.2MB

            Download

          • memory/2444-25-0x0000000140000000-0x0000000140E2B000-memory.dmp

            Filesize

            14.2MB

            Download

          • memory/2444-26-0x0000000140000000-0x0000000140E2B000-memory.dmp

            Filesize

            14.2MB

            Download

          • memory/2444-27-0x0000000140000000-0x0000000140E2B000-memory.dmp

            Filesize

            14.2MB

            Download

          • memory/2444-28-0x0000000140000000-0x0000000140E2B000-memory.dmp

            Filesize

            14.2MB

            Download

          • memory/2444-29-0x0000000140000000-0x0000000140E2B000-memory.dmp

            Filesize

            14.2MB

            Download

          • memory/2444-30-0x0000000140000000-0x0000000140E2B000-memory.dmp

            Filesize

            14.2MB

            Download

          • memory/2444-31-0x0000000140000000-0x0000000140E2B000-memory.dmp

            Filesize

            14.2MB

            Download

          • memory/2444-32-0x0000000140000000-0x0000000140E2B000-memory.dmp

            Filesize

            14.2MB

            Download

          • memory/2444-33-0x0000000140000000-0x0000000140E2B000-memory.dmp

            Filesize

            14.2MB

            Download