f9cb65c4d208ba89805850d0ea1e2d9853236ac21ad1f93a4f263f377ddd614c

Resubmissions

20/07/2024, 17:01

240720-vjk4cswbkp 7

20/07/2024, 16:55

240720-ve8nvstgkb 7

20/07/2024, 16:53

240720-vedtgswamn 7

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 17:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RVVNfAFuoPUg.exe
Size

20.5MB
MD5

e5bb4ca071b4a7f32467d4260fef5610
SHA1

7e950adae620544f07a3b455546e498a6ac2c4d0
SHA256

f9cb65c4d208ba89805850d0ea1e2d9853236ac21ad1f93a4f263f377ddd614c
SHA512

065cd30ca5bd18bc9d7be0c3700f1f6282b2525f59d741e3a0476d0572b4b0c90f077ecedc0aea4df7eded285948a9ebc54b8192fc2260862b9999c564ab7ca2
SSDEEP

393216:HNZI9KZ5ikvL+rWGtlqSfBI5xX4LH4pYZv7ugs7G2pWCL6o+DhUOvNR:U9KZ4kvqrh/hfBI5xXoH4KZviTGDaOvf

Score

7^/10

themida

Malware Config

Signatures

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/3652-22-0x0000000140000000-0x000000014296B000-memory.dmp	themida
behavioral1/memory/3652-24-0x0000000140000000-0x000000014296B000-memory.dmp	themida
behavioral1/memory/3652-26-0x0000000140000000-0x000000014296B000-memory.dmp	themida
behavioral1/memory/2004-44-0x0000000140000000-0x000000014296B000-memory.dmp	themida
behavioral1/memory/4204-65-0x0000000140000000-0x000000014296B000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3652	RVVNfAFuoPUg.exe
2004	RVVNfAFuoPUg.exe
4204	RVVNfAFuoPUg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3652	RVVNfAFuoPUg.exe
3652	RVVNfAFuoPUg.exe
3652	RVVNfAFuoPUg.exe
3652	RVVNfAFuoPUg.exe
2004	RVVNfAFuoPUg.exe
2004	RVVNfAFuoPUg.exe
2004	RVVNfAFuoPUg.exe
2004	RVVNfAFuoPUg.exe
4204	RVVNfAFuoPUg.exe
4204	RVVNfAFuoPUg.exe
4204	RVVNfAFuoPUg.exe
4204	RVVNfAFuoPUg.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3652	RVVNfAFuoPUg.exe
2004	RVVNfAFuoPUg.exe
4204	RVVNfAFuoPUg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2004	RVVNfAFuoPUg.exe
4204	RVVNfAFuoPUg.exe

C:\Users\Admin\AppData\Local\Temp\RVVNfAFuoPUg.exe
"C:\Users\Admin\AppData\Local\Temp\RVVNfAFuoPUg.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:3652

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\RVVNfAFuoPUg.exe
"C:\Users\Admin\AppData\Local\Temp\RVVNfAFuoPUg.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Users\Admin\AppData\Local\Temp\RVVNfAFuoPUg.exe
"C:\Users\Admin\AppData\Local\Temp\RVVNfAFuoPUg.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2004-44-0x0000000140000000-0x000000014296B000-memory.dmp

Filesize
41.4MB

Download
memory/3652-11-0x00007FF898AF0000-0x00007FF898AF2000-memory.dmp

Filesize
8KB

Download
memory/3652-7-0x00007FF898AB0000-0x00007FF898AB2000-memory.dmp

Filesize
8KB

Download
memory/3652-3-0x00007FF898A70000-0x00007FF898A72000-memory.dmp

Filesize
8KB

Download
memory/3652-2-0x00007FF898A60000-0x00007FF898A62000-memory.dmp

Filesize
8KB

Download
memory/3652-1-0x00007FF898A50000-0x00007FF898A52000-memory.dmp

Filesize
8KB

Download
memory/3652-6-0x00007FF898AA0000-0x00007FF898AA2000-memory.dmp

Filesize
8KB

Download
memory/3652-0-0x0000000140DB1000-0x00000001414F2000-memory.dmp

Filesize
7.3MB

Download
memory/3652-8-0x00007FF898AC0000-0x00007FF898AC2000-memory.dmp

Filesize
8KB

Download
memory/3652-10-0x00007FF898AE0000-0x00007FF898AE2000-memory.dmp

Filesize
8KB

Download
memory/3652-9-0x00007FF898AD0000-0x00007FF898AD2000-memory.dmp

Filesize
8KB

Download
memory/3652-5-0x00007FF898A90000-0x00007FF898A92000-memory.dmp

Filesize
8KB

Download
memory/3652-12-0x00007FF898B00000-0x00007FF898B02000-memory.dmp

Filesize
8KB

Download
memory/3652-15-0x00007FF898B30000-0x00007FF898B32000-memory.dmp

Filesize
8KB

Download
memory/3652-14-0x00007FF898B20000-0x00007FF898B22000-memory.dmp

Filesize
8KB

Download
memory/3652-17-0x00007FF898B50000-0x00007FF898B52000-memory.dmp

Filesize
8KB

Download
memory/3652-16-0x00007FF898B40000-0x00007FF898B42000-memory.dmp

Filesize
8KB

Download
memory/3652-13-0x00007FF898B10000-0x00007FF898B12000-memory.dmp

Filesize
8KB

Download
memory/3652-22-0x0000000140000000-0x000000014296B000-memory.dmp

Filesize
41.4MB

Download
memory/3652-23-0x0000000140DB1000-0x00000001414F2000-memory.dmp

Filesize
7.3MB

Download
memory/3652-24-0x0000000140000000-0x000000014296B000-memory.dmp

Filesize
41.4MB

Download
memory/3652-25-0x0000000140DB1000-0x00000001414F2000-memory.dmp

Filesize
7.3MB

Download
memory/3652-26-0x0000000140000000-0x000000014296B000-memory.dmp

Filesize
41.4MB

Download
memory/3652-4-0x00007FF898A80000-0x00007FF898A82000-memory.dmp

Filesize
8KB

Download
memory/4204-65-0x0000000140000000-0x000000014296B000-memory.dmp

Filesize
41.4MB

Download