153e20ccb9da08dc69c9f0c5152961384d81d17672efb5b62c37d791d5dd3811

Analysis

max time kernel
82s
max time network
196s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
19/07/2024, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0XqHTML3yw.exe
Size

6.0MB
MD5

595ac58a31309a190242332224b38b0b
SHA1

685265c61aff806a26098c30fef95db188387b34
SHA256

153e20ccb9da08dc69c9f0c5152961384d81d17672efb5b62c37d791d5dd3811
SHA512

b926dbc9117bb0341b077412f99949b602c77df9943d0119cbdda7bfd58ec500faffb151c516581996fdcae614069b38f54fb71caf818bc59dd805c1fdc93fa0
SSDEEP

196608:7L8IJpu+zejziWhikMdV0ETcUtu8b3r9J:8IJpukoziWhK0icI3rz

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0XqHTML3yw.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0XqHTML3yw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0XqHTML3yw.exe

Loads dropped DLL 1 IoCs

pid	Process
4368	0XqHTML3yw.exe

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/4368-0-0x00007FF63D190000-0x00007FF63E058000-memory.dmp	themida
behavioral1/memory/4368-6-0x00007FF63D190000-0x00007FF63E058000-memory.dmp	themida
behavioral1/memory/4368-8-0x00007FF63D190000-0x00007FF63E058000-memory.dmp	themida
behavioral1/memory/4368-7-0x00007FF63D190000-0x00007FF63E058000-memory.dmp	themida
behavioral1/memory/4368-20-0x00007FF63D190000-0x00007FF63E058000-memory.dmp	themida
behavioral1/memory/4368-21-0x00007FF63D190000-0x00007FF63E058000-memory.dmp	themida
behavioral1/memory/4368-22-0x00007FF63D190000-0x00007FF63E058000-memory.dmp	themida
behavioral1/memory/4368-26-0x00007FF63D190000-0x00007FF63E058000-memory.dmp	themida
behavioral1/memory/4368-28-0x00007FF63D190000-0x00007FF63E058000-memory.dmp	themida
behavioral1/memory/4368-29-0x00007FF63D190000-0x00007FF63E058000-memory.dmp	themida
behavioral1/memory/4368-30-0x00007FF63D190000-0x00007FF63E058000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0XqHTML3yw.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
4368	0XqHTML3yw.exe
4368	0XqHTML3yw.exe
4368	0XqHTML3yw.exe
4368	0XqHTML3yw.exe
4368	0XqHTML3yw.exe
4368	0XqHTML3yw.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\csetz\AWBHCT62D95C9D67CECF60E74271EE44092B641A8DAD757B558F77CC12A06D22AF7DAB = "䉄䉂㔲㤰ㅁ䘷䈷䄱㑅䑄䔸あ䐶䔲㔸㐶〹㤵䔹䅂䐱㈰㤹ㄵぃ㌲㐵䄰㑅㠸㠴䔱㜵䘵㔶䍅㜶㈷䄱䔳䅆㔶〹䌶䈳䉃䉆㈵㈵㙄䔶㑅㈷㝃䐱ㅃ䘵䍂㕄䐱〲䘰㤴㌷䄵䘹㘸\u3130㘰㈱㜱㠲䘸㕆㝂㜹䄶㜸㍃㥃㔷䄴䈳㙆㌵䔷ㅃ㜹䐹〵䈴〳㕅㑅㠵ㄷ㝄㘸㉅䑅䉁䉂㉃䈹㝅㤲㡁䌲㔸㙅㔴㌶"	0XqHTML3yw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\csetz\KWLNTP62D95C9D67CECF60E74271EE44092B641A8DAD757B558F77CC12A06D22AF7DAB = "䔱䌴㈹䐸㜳㔴䅄䐹㘷ㄱ㕁䘳㍅㜹㔸䉃㉅㌶㠵ㄹ㡃䑂䑆䙂㌷㈶㉁㤳〸ㄲ䌵䙄䌹㤱䕁㑁䔰䐲㤳㠳ㄲ㈱㤳㈱㘰䈹㔳䄴㙅䐸䘶ぅ㌶㐸䐱䄱㌱㥆㐶䑆㉆䕂㤵䈵㝁䄵ㅁ䈱㐶ㄸ䔵䐲㡄ㄶ㐷㍁㙆㕃㘲䈰䔱〵䉄㜷㡅䕄㍆㍆䌹㐹ㄱ䐰䌲㕁䈳〶㝂䔷㥆䙆䐱䔰㉅㐲㜰㔹䄶㜰䐲㥆\u3130䘰"	0XqHTML3yw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\csetz\BFQTYS62D95C9D67CECF60E74271EE44092B641A8DAD757B558F77CC12A06D22AF7DAB = "䅁䈱䉅䈲䕁䔱㠲㤵㈱㉆〳䔶㔱㙃䌰ㄸ䅄㉁䈶㥅㌴㥄㜷㠰䔳㙆㠰㤰㉅㡂䈲㝆㝃㑃㜴㥆㍅㜰㔸䔸㥁㥃䕆䔶䔲㍃䈰䐷㕂㈹㙆㜷䘶䙅䘶䘷䑂㜱䉆䌶䌹㝅㘵㜹㠰䉃䅂ㅁ㈷㠷䐶㌰䌶䌶ㅄ䅅䈰㝂䌴㕄ㄴ䑃㕆䔴㠳䈵㔸㠳䔹㈴䈴䑂㘹ㅁ䕄㤷\u3130㙂䄶㈰㉃㐹㙁〴㘵䌵㑅䑄㐲䄸䄲㈸"	0XqHTML3yw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\csetz\BFAS1F62D95C9D67CECF60E74271EE44092B641A8DAD757B558F77CC12A06D22AF7DAB = "㜵㔷䉁㙄䑃㘳㐳㠶䌱㝂䘰ㄸ㘳㥁いㄸ㡆ㅆㅅ㔴䙅㘶㤳㙅〲䈴䘹䕃〱㤴㤱〵㘹㘷䄶㜴㍂䍄㐵㤵㈲㔶䕁㔹䙄㝆㜵㜴䉄䌳䙂㍅䑆㘳㔱㤱䄷䔰䐶㔸㈳㈹㐲㉅㌹㘱㉃㥄㑂㙅〸㜴䑂㍄䍁あ〳䔱䐰㑄䙅㙁㡄䐱㜹㠰〶㔹䌲㘷㜹い䄵㠶㤱㑂㍁㉂䄳ㅄ㐱㈸㤸う㔲㤷㜲㥆㈴㐱䅄㈸㕆〱㠸〱㑆㔰㠳㙅㤷㘹㌵䐹㜶〴㉆䌲㡆䍁㥂䅃㝄㐷㝄㈹䐵㤹䍁㐶㡅㘷〷㥆㐵㤹ぅ䔵㘷㝅䅅䈴㌸㈴㐴ㅄ㥁㘸䈵㉃䐶㜳㙂㠲䐹㐴㙁㈶㌰㥆㈵\u3130㥁䐰䕄䑅"	0XqHTML3yw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\csetz\HDPB1A62D95C9D67CECF60E74271EE44092B641A8DAD757B558F77CC12A06D22AF7DAB = "䈶㈱〰ㅂ㈲㔷㑂䍄㉆䌵䌵䉆㠱〲㥆㌵䙃㤸䌸䘰㡃䄷㈰䌶㈷㘷㡁㔹㘷ㅄ䔲㝅㥂㜵ㅅ㈷㥁䅆〷㘱㔱〱䔷㔰䙅䅁㌲㥁㐰㈸䘴䌵㈶䍅㑁㠸䉁䌸ㄵㄶ〶䌱䌷䑁䄹㑃㌰䑁䔶㙁〳㜵㥄䅁い㤷䑃㘱䉆䌱㌳䘵䄴䔷㔹䌵䙆㐰㝂㡆䕆䙆䌱㔱䍄〸䈸䍅䑅䕆䙁㤹㙁㘶ㄸ㔷䑆㤷ㄵ㐰㐹㡂㔸䔶ㄴ㝄㙁ㄶ䍆䕄䑅〲㙃ㅁ㤵〶䍁㌵㐱㝁䘲䈰㈳䌹䈰䕄䔲䑆㜷䑅㤸䐵䕃㜸㌵㜰㠰〳䔷㑄㈵䐱䐰䍄㘰䙆䕄䅅ㅂ㡁㍂㘸あ㉆㑄㙁㥄䄱ㅂ䔹䐹㝂㠱䈷㤰㕃㠸䄰㕂䄱䄳㤹䅂㌹䑂䕂䄲䐱ぅ䔹㡅㈳㕃ㄱ䄹䄸㤳㌷䍄䔰㥁㠹㘰䘰㡃ㅄ㑅䄳㜸䈶ㄲ㘷ㄴい〱㉃㑁䐲㤲㐹㍁㜰䐳䔸㜷ぅ㔷䄷㤷㘹ㅂ䐷㜳㝃ㅁ㠳䈵䑁㝆㥁㤲〷㤰㡅㠸㑃㈹〹㡅ㄱ䑁䔲㕂㐸㈸䌶㈹䉆い䉁㘷䈲㜱㤸㌳䈸㤰㐰䉆ㄵ䉅ぁ㌹㍅䉄㌵䘳䘲㙄〵㘵䈹㉄䄰䕆ㅂ㌳〱䉆㜲䅄䍄㌱ㅁ䈸㥂㕂㜸㝆䈶㠳䍄䅆㐴䙄㤴ㄹ㝃㝅䄲㉅㌶䘳䐳䍁䈸㐹㌲㜹䑅〸䘲㡄䕆㝃㈳㙃㌹䘰㜹㙅㙄䐵㍁㔰㐴㐲䌹䌱䍂㥁い㍅䙆㉅〸㤱䔶〰䌲㜷䘳㔱䈵〹䕅䐶䌸㍂䈲䐵㌵䌷㘶〹䉄䙄ㄹ"	0XqHTML3yw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\csetz\KOPGHT62D95C9D67CECF60E74271EE44092B641A8DAD757B558F77CC12A06D22AF7DAB = "䙃䘵㠰ㅅ䐵䅁㕁ぅㅁ〰㐷㔰䌷㉄䌷䕆㌷㤹㍂㈱㜶㉅㐰䌱䘳㐱〶䍄ㅁ㠶㐹㜲䑃㡆㕁あ㡁ぃ〵㐹㕄䔹㐲㕄㔰ㅆ㜴ㅅ㍃ㄷ㠲ㄶ㜶〲㡃㈶㝁㤸䄷䍃\u3130䐳䄱㤷㠲㘰㘶ㅄ㍄䙂㑁䍄ㄹ㠹㝄〴䈸䔸\u3130䈳㥁㕅䄰㔱㌶㔸䍆䔳〰䘳䄳䄸㐹䍁ㄳ䐶䘷ㅄ䙆㝃㜷㔳㈵㑃㐰䘴䙅㤵䔳㝃㌰㠸"	0XqHTML3yw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\csetz\ZGWLSM62D95C9D67CECF60E74271EE44092B641A8DAD757B558F77CC12A06D22AF7DAB = "䘲㑆䐰䌱㠵\u3130䅁䉅䙆㔸㑄䑃㜱㤷㘰䔱㜴䑁䅆䘹䘶䈲䅂䑁㑅〴䉆㝄㐰䍆䌷ㅁ䐶䘳䈸㝄䐱䙃㝁ㄷ䄴䌳䍄䙁㔰㘰㌲䄶㘶㝁㔲㤳䄱ㅅ㑄䍆㕅䔷䉃㑂㉂ㅄ㘷䈲䐹䘶㥂䉅㙆㑃䈸ㄲ㥅㥄㍆㘱㤰㈵㉅䍅㌲㔷㡂䐳㔲㌹䘳〶䈱㙆䐱㈶㔷㘶㌶䔴㤲䔴㔱㌸㝂㘴〰〲㠳㙃䍅䐲䙆㜵䘲㥃"	0XqHTML3yw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\csetz\PDRFCB62D95C9D67CECF60E74271EE44092B641A8DAD757B558F77CC12A06D22AF7DAB = "〳㤲㑅㌹䄲㌴㍅䐹㥂㘷䄹㜸㐳〳䘵㈱㍃㥂㜲㑆㕅㤰㑂䉁㙄㜹䈵㈳䔵㙅䅅䙂ぅ㔶㌳ぃ㍂㠱䘹㔳䉃㜷㈲䘷㠱㥂㑃䄲㙅㐲㙂䉃㤹䄵㐶䈰㕅䈷㍁ㄴ䉆㕃㜹䈹㠶㌵䍆㤸䙁㐵䕅㉆㥂䌱㥄䑆㉁㠸㘲㡅䔸䙂䈸㕄䔳㔱ㄵ㤲䔹㑆䑅ㄸ㘶〸ㄷ䌳䔹㤳䅆㝄㐷䔰ㄹ䈸〵䙂あ䑁䌳㐷㠳䘰"	0XqHTML3yw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\csetz\ADUPVS62D95C9D67CECF60E74271EE44092B641A8DAD757B558F77CC12A06D22AF7DAB = "㕆〸㜴䄰䉂㠷㠵䌳㙆㍁㙄䐳㉃䄹㔸㐰ㄸ㠶㡅䈶〹ㄹ㤶䄳㤷䈵㐲\u3130㐶䙂〵㘸䔹㐱㐴㌱䍁䔳㡆㌴䈶䐲䔸䙄ㄶ㥆㐴㈸䘹䄰䌵䔳䉂㑂㥆〷䘷〵ㄳ䐵䐸あ䍅䘷䍆䐵〶㐰䅅䔸㐲䄸䘱䈱㈰㕆䑆㘸〵㌶㘵〴〸ㄳ䈴㉂䘱䍅䌱㝄䔴㙄㙂ㅃ䔹䑂ぁ䅂䄷䑃䄲䐸㥆㍂㙆㜱䔲㌴㔵㍁䅄㈸"	0XqHTML3yw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\csetz\FAWBNS62D95C9D67CECF60E74271EE44092B641A8DAD757B558F77CC12A06D22AF7DAB = "㥁䐰䔰䐷㔹䅂㡅䕂䄷㌲䈵㝁㑆㠳ㄴ䉄ぃ䙅㍆㐱㔱䐷㍁ㄲ㘵㌵㌸㔷䘳ㄷ䈲䅆䕅あ㘰い㙂㡆㝂䐸䘲㌴䕆㐱㔴い㐵䐱㝆㥃㠹㈵㠷㐳〶ぁ䘳㤹䅃䘴㥅㑄䉄㕁㠴䔶㔱〳㝃㌶㈹㠸㙆㙂㕁䕆㡅䈵䐸㜶㤱〱䄸㌸㠸㍃䐲㙅ㄲ䄵䐸あㄷ㜷䔳㈵㕄ぃ㔳〰㘲㠱㝂㑁㝅䘷ㄴ㤸ㄱ㜱㉂䐳"	0XqHTML3yw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\csetz\ESHFCE62D95C9D67CECF60E74271EE44092B641A8DAD757B558F77CC12A06D22AF7DAB = "㜶あ䑃㌹㥁㈸䔰㑂㥁㐸㍃㈶㜷㈸㉂䕁䑂䐴㤸㌲いㅂ䉄㌷䔸〲㌲䉄䘴䐶䙆㐸䘳㈳㤳㉆䘰䄶䐵㠹㡆䔲㈱㜷䔴㠸䕂㙃あ㜷㜵〹㘴㑄䅁ぁ㤸㍆〶ㄱ㌴䔱㍃䙄䔲䈰䐰䐶㠳㥅㉄㤶䘹䔱䌷ㄷ㡂㠵㈲㕄䌴ㄷ䔵䈲㍆䄵㘹䔵㝃㤳䕂㜳䔱㜴䄹㕄䔳㕁〷㌰㘱䑁䉅䔱䔴䑂㥄䕂䔸㠴䌳䄵"	0XqHTML3yw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\csetz\OEAYCM62D95C9D67CECF60E74271EE44092B641A8DAD757B558F77CC12A06D22AF7DAB = "䔶㙅㤴㘲ㅁㄸ䕂㜲䍄䉄㐲䌳㘰㉄䔷䔲ㅅ㔷㑆㐱䅄䔹㠸ㅃ㌷㘵㐱㐲㈳䔱㈱㤹㌸㝅㘱㝄㍆䙂䍅䌷䔶䕆㡃㘹㍁䈱㔲㜷㜲䙂㍅㤹䈵䕄㥂䌲䐵㜸䉆ㅄ䑄㍄䘱䘶ㅁ䘴ㅆ䅆㔱䄹㘸䄶ㄸㅆあ㜱㌱㌰㐲ㄱ㤱䍃㜹䐸䈷㈰㜱㈳㐱ㄹ㙅㔷㔷㡁䘲䄲㜹䈳㌴㐷ㄶ䔴䅁㝁䄸㜵㥆䌴㜸㘱䘵䈸"	0XqHTML3yw.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\csetz	0XqHTML3yw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\csetz\BFAS1F62D95C9D67CECF60E74271EE44092B641A8DAD757B558F77CC12A06D22AF7DAB = "䕃㐰〳㐹䔳㜰㠶䍄㈶㠳ㄳ䕂䔰䌶䕁䔸㤷䌱䈰㐴㜸㑃㡃㠱㑂㤷䐰㙃㌷㝃㠴䙄䑄䄸㡃䔹㜳䄸㕂㌵あ㐶㥄䌷䄲㐳ㄵㄹ㉁䌲㝆ㅄ䈰㠶㜲ぅ㔵㐴ぅ䈸〴㠲㥄䍂䅅㝂㤹䘴䄹〴䕆㈲䙄㐳㜷㉁〷䄴䈱㌹䑄㜷㠲䐷䘰㙆㙃䑃㈱䈰䈰䘷䔳䙆㈳㡆䕄〳䕃䙁㝅䄶㝃㌹䑅㜲㜵う〷㙃ㅆ㘳"	0XqHTML3yw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\csetz\HUDXJK62D95C9D67CECF60E74271EE44092B641A8DAD757B558F77CC12A06D22AF7DAB = "㉅㕅〷䑃㌱㑄䙄ㄶ㤶㉃㙆㜷㘷㐴䐵䄲䔰㑄䉆䔵䑂䉄䐰㡄㈰㙄㌵㉁㡃䄰㐴䌸䌲䘶㍃䄰㔸㤶䑃ㅃ㡆㔸ㄴ㜶䙅䅃ㅄ䑄䙃䐵䘹㥁㌲㤹〷䈱ぅ㌹㤵㡃㤱㈶㑆㜳㈹ぅ䘷䅁㙅䌲䅃㔵䍂〶䕄㐸㕂䔸㜶䌹㤴〸㜸㌱㥅㍁㜰䉁㍆䄴〹䅆㠲䈸い䙁〰㠸䉂㡂ㄶ〷㐲㉁㐰䍅㥁䐷㝆䌹㈱㍅"	0XqHTML3yw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3528	WMIC.exe
Token: SeSecurityPrivilege	3528	WMIC.exe
Token: SeTakeOwnershipPrivilege	3528	WMIC.exe
Token: SeLoadDriverPrivilege	3528	WMIC.exe
Token: SeSystemProfilePrivilege	3528	WMIC.exe
Token: SeSystemtimePrivilege	3528	WMIC.exe
Token: SeProfSingleProcessPrivilege	3528	WMIC.exe
Token: SeIncBasePriorityPrivilege	3528	WMIC.exe
Token: SeCreatePagefilePrivilege	3528	WMIC.exe
Token: SeBackupPrivilege	3528	WMIC.exe
Token: SeRestorePrivilege	3528	WMIC.exe
Token: SeShutdownPrivilege	3528	WMIC.exe
Token: SeDebugPrivilege	3528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3528	WMIC.exe
Token: SeRemoteShutdownPrivilege	3528	WMIC.exe
Token: SeUndockPrivilege	3528	WMIC.exe
Token: SeManageVolumePrivilege	3528	WMIC.exe
Token: 33	3528	WMIC.exe
Token: 34	3528	WMIC.exe
Token: 35	3528	WMIC.exe
Token: 36	3528	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3528	WMIC.exe
Token: SeSecurityPrivilege	3528	WMIC.exe
Token: SeTakeOwnershipPrivilege	3528	WMIC.exe
Token: SeLoadDriverPrivilege	3528	WMIC.exe
Token: SeSystemProfilePrivilege	3528	WMIC.exe
Token: SeSystemtimePrivilege	3528	WMIC.exe
Token: SeProfSingleProcessPrivilege	3528	WMIC.exe
Token: SeIncBasePriorityPrivilege	3528	WMIC.exe
Token: SeCreatePagefilePrivilege	3528	WMIC.exe
Token: SeBackupPrivilege	3528	WMIC.exe
Token: SeRestorePrivilege	3528	WMIC.exe
Token: SeShutdownPrivilege	3528	WMIC.exe
Token: SeDebugPrivilege	3528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3528	WMIC.exe
Token: SeRemoteShutdownPrivilege	3528	WMIC.exe
Token: SeUndockPrivilege	3528	WMIC.exe
Token: SeManageVolumePrivilege	3528	WMIC.exe
Token: 33	3528	WMIC.exe
Token: 34	3528	WMIC.exe
Token: 35	3528	WMIC.exe
Token: 36	3528	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4160	WMIC.exe
Token: SeSecurityPrivilege	4160	WMIC.exe
Token: SeTakeOwnershipPrivilege	4160	WMIC.exe
Token: SeLoadDriverPrivilege	4160	WMIC.exe
Token: SeSystemProfilePrivilege	4160	WMIC.exe
Token: SeSystemtimePrivilege	4160	WMIC.exe
Token: SeProfSingleProcessPrivilege	4160	WMIC.exe
Token: SeIncBasePriorityPrivilege	4160	WMIC.exe
Token: SeCreatePagefilePrivilege	4160	WMIC.exe
Token: SeBackupPrivilege	4160	WMIC.exe
Token: SeRestorePrivilege	4160	WMIC.exe
Token: SeShutdownPrivilege	4160	WMIC.exe
Token: SeDebugPrivilege	4160	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4160	WMIC.exe
Token: SeRemoteShutdownPrivilege	4160	WMIC.exe
Token: SeUndockPrivilege	4160	WMIC.exe
Token: SeManageVolumePrivilege	4160	WMIC.exe
Token: 33	4160	WMIC.exe
Token: 34	4160	WMIC.exe
Token: 35	4160	WMIC.exe
Token: 36	4160	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4160	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 4432	4368	0XqHTML3yw.exe	71
PID 4368 wrote to memory of 4432	4368	0XqHTML3yw.exe	71
PID 4432 wrote to memory of 3528	4432	cmd.exe	72
PID 4432 wrote to memory of 3528	4432	cmd.exe	72
PID 4368 wrote to memory of 4260	4368	0XqHTML3yw.exe	74
PID 4368 wrote to memory of 4260	4368	0XqHTML3yw.exe	74
PID 4260 wrote to memory of 4160	4260	cmd.exe	75
PID 4260 wrote to memory of 4160	4260	cmd.exe	75
PID 4368 wrote to memory of 1524	4368	0XqHTML3yw.exe	76
PID 4368 wrote to memory of 1524	4368	0XqHTML3yw.exe	76
PID 1524 wrote to memory of 208	1524	cmd.exe	77
PID 1524 wrote to memory of 208	1524	cmd.exe	77
PID 4368 wrote to memory of 4272	4368	0XqHTML3yw.exe	78
PID 4368 wrote to memory of 4272	4368	0XqHTML3yw.exe	78
PID 4272 wrote to memory of 1788	4272	cmd.exe	79
PID 4272 wrote to memory of 1788	4272	cmd.exe	79
PID 4368 wrote to memory of 356	4368	0XqHTML3yw.exe	80
PID 4368 wrote to memory of 356	4368	0XqHTML3yw.exe	80
PID 356 wrote to memory of 2784	356	cmd.exe	81
PID 356 wrote to memory of 2784	356	cmd.exe	81
PID 4368 wrote to memory of 1960	4368	0XqHTML3yw.exe	82
PID 4368 wrote to memory of 1960	4368	0XqHTML3yw.exe	82
PID 1960 wrote to memory of 1100	1960	cmd.exe	83
PID 1960 wrote to memory of 1100	1960	cmd.exe	83
PID 4368 wrote to memory of 192	4368	0XqHTML3yw.exe	84
PID 4368 wrote to memory of 192	4368	0XqHTML3yw.exe	84
PID 192 wrote to memory of 4080	192	cmd.exe	85
PID 192 wrote to memory of 4080	192	cmd.exe	85
PID 4368 wrote to memory of 1992	4368	0XqHTML3yw.exe	86
PID 4368 wrote to memory of 1992	4368	0XqHTML3yw.exe	86
PID 1992 wrote to memory of 2280	1992	cmd.exe	87
PID 1992 wrote to memory of 2280	1992	cmd.exe	87
PID 4368 wrote to memory of 1548	4368	0XqHTML3yw.exe	88
PID 4368 wrote to memory of 1548	4368	0XqHTML3yw.exe	88
PID 1548 wrote to memory of 4280	1548	cmd.exe	89
PID 1548 wrote to memory of 4280	1548	cmd.exe	89
PID 4368 wrote to memory of 3176	4368	0XqHTML3yw.exe	90
PID 4368 wrote to memory of 3176	4368	0XqHTML3yw.exe	90
PID 3176 wrote to memory of 5076	3176	cmd.exe	91
PID 3176 wrote to memory of 5076	3176	cmd.exe	91
PID 4368 wrote to memory of 3888	4368	0XqHTML3yw.exe	92
PID 4368 wrote to memory of 3888	4368	0XqHTML3yw.exe	92
PID 3888 wrote to memory of 4340	3888	cmd.exe	93
PID 3888 wrote to memory of 4340	3888	cmd.exe	93
PID 4368 wrote to memory of 1328	4368	0XqHTML3yw.exe	94
PID 4368 wrote to memory of 1328	4368	0XqHTML3yw.exe	94
PID 1328 wrote to memory of 4092	1328	cmd.exe	95
PID 1328 wrote to memory of 4092	1328	cmd.exe	95
PID 4368 wrote to memory of 1364	4368	0XqHTML3yw.exe	96
PID 4368 wrote to memory of 1364	4368	0XqHTML3yw.exe	96
PID 1364 wrote to memory of 5072	1364	cmd.exe	97
PID 1364 wrote to memory of 5072	1364	cmd.exe	97
PID 4368 wrote to memory of 4968	4368	0XqHTML3yw.exe	98
PID 4368 wrote to memory of 4968	4368	0XqHTML3yw.exe	98
PID 4968 wrote to memory of 1564	4968	cmd.exe	99
PID 4968 wrote to memory of 1564	4968	cmd.exe	99
PID 4368 wrote to memory of 1512	4368	0XqHTML3yw.exe	100
PID 4368 wrote to memory of 1512	4368	0XqHTML3yw.exe	100
PID 1512 wrote to memory of 1432	1512	cmd.exe	101
PID 1512 wrote to memory of 1432	1512	cmd.exe	101
PID 1512 wrote to memory of 1408	1512	cmd.exe	102
PID 1512 wrote to memory of 1408	1512	cmd.exe	102
PID 1512 wrote to memory of 3048	1512	cmd.exe	103
PID 1512 wrote to memory of 3048	1512	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\0XqHTML3yw.exe
"C:\Users\Admin\AppData\Local\Temp\0XqHTML3yw.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic baseboard get product
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get product
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic baseboard get manufacturer
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get manufacturer
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic baseboard get version
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get version
    3⤵
    PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:1788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic diskdrive get caption
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:356
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get caption
    3⤵
    PID:2784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    PID:1100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:192
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer
    3⤵
    PID:4080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get name
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get name
    3⤵
    PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get model
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get model
    3⤵
    PID:4280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:5076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic bios get manufacturer
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get manufacturer
    3⤵
    PID:4340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic bios get name
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get name
    3⤵
    PID:4092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic bios get version
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get version
    3⤵
    PID:5072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic bios get serialnumber
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    PID:1564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\0XqHTML3yw.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\0XqHTML3yw.exe" MD5
    3⤵
    PID:1432
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:1408
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\7dfa7dba.dll

Filesize
10KB

MD5
2d7adffa791933d88f7e7b04558de0c2

SHA1
a5fc7751c7bbfcb038b86838fffede41255304c4

SHA256
9d1247485ba1865c4be7429580a5afb71e4ec8e656ee7a50bc565bf79def2880

SHA512
46d308c5370e5b7ad14d42fe26d1c86fe62535ba77ea7d29cfd046fb96be8b3c296c88cea38d1e67722b4201340d307787f70599e89c44b56583ba626f93b29b

Download Submit
memory/4368-20-0x00007FF63D190000-0x00007FF63E058000-memory.dmp

Filesize
14.8MB

Download
memory/4368-10-0x0000000180000000-0x0000000180148000-memory.dmp

Filesize
1.3MB

Download
memory/4368-3-0x00007FFF45100000-0x00007FFF451AE000-memory.dmp

Filesize
696KB

Download
memory/4368-4-0x00007FFF45100000-0x00007FFF451AE000-memory.dmp

Filesize
696KB

Download
memory/4368-5-0x00007FFF45100000-0x00007FFF451AE000-memory.dmp

Filesize
696KB

Download
memory/4368-6-0x00007FF63D190000-0x00007FF63E058000-memory.dmp

Filesize
14.8MB

Download
memory/4368-8-0x00007FF63D190000-0x00007FF63E058000-memory.dmp

Filesize
14.8MB

Download
memory/4368-21-0x00007FF63D190000-0x00007FF63E058000-memory.dmp

Filesize
14.8MB

Download
memory/4368-0-0x00007FF63D190000-0x00007FF63E058000-memory.dmp

Filesize
14.8MB

Download
memory/4368-7-0x00007FF63D190000-0x00007FF63E058000-memory.dmp

Filesize
14.8MB

Download
memory/4368-2-0x00007FFF45100000-0x00007FFF451AE000-memory.dmp

Filesize
696KB

Download
memory/4368-9-0x0000000180000000-0x0000000180148000-memory.dmp

Filesize
1.3MB

Download
memory/4368-1-0x00007FFF4511B000-0x00007FFF4511C000-memory.dmp

Filesize
4KB

Download
memory/4368-22-0x00007FF63D190000-0x00007FF63E058000-memory.dmp

Filesize
14.8MB

Download
memory/4368-23-0x00007FFF44F60000-0x00007FFF44F70000-memory.dmp

Filesize
64KB

Download
memory/4368-24-0x00007FFF44F50000-0x00007FFF44F60000-memory.dmp

Filesize
64KB

Download
memory/4368-25-0x00007FFF4511B000-0x00007FFF4511C000-memory.dmp

Filesize
4KB

Download
memory/4368-27-0x00007FFF45100000-0x00007FFF451AE000-memory.dmp

Filesize
696KB

Download
memory/4368-26-0x00007FF63D190000-0x00007FF63E058000-memory.dmp

Filesize
14.8MB

Download
memory/4368-28-0x00007FF63D190000-0x00007FF63E058000-memory.dmp

Filesize
14.8MB

Download
memory/4368-29-0x00007FF63D190000-0x00007FF63E058000-memory.dmp

Filesize
14.8MB

Download
memory/4368-31-0x00007FFF45100000-0x00007FFF451AE000-memory.dmp

Filesize
696KB

Download
memory/4368-30-0x00007FF63D190000-0x00007FF63E058000-memory.dmp

Filesize
14.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads