Overview

overview

9

Static

static

7

X_protected.exe

windows10-1703-x64

9

Analysis

  • max time kernel
    48s
  • max time network
    49s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23-07-2024 13:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    X_protected.exe

  • Size

    7.5MB

  • MD5

    40daf12b1ddad422314d75caffbf8e63

  • SHA1

    93559caf20d42d455ad31dfb83da22ce26abbe9d

  • SHA256

    48f0dc575984fcbd4f0ae9a3f434d8fd6163b6f470bef7b8cd23b9dad858c211

  • SHA512

    782f5f3edcba370f1fee58e34aba033eb60b164c907cac4d4b69f9a542061f16ad9297c44834c76914a25418c01d603472494db83888821a0c02076c07ff22c1

  • SSDEEP

    196608:U+8zOaubUiLpwYETSEzYeGh07NWsS68mp5KZzgsY:U+Ue4iLGYETlzYBh0RS68iKZc

Score
9/10
evasionexecutionpersistencethemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\X_protected.exe
    "C:\Users\Admin\AppData\Local\Temp\X_protected.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Drops startup file
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:524
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\X_protected.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3000
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X_protected.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:660
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\St.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2592
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'St.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4276
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "St" /tr "C:\Users\Admin\AppData\Local\Temp\St.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:164
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "St"
      2⤵
        PID:4604
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp24AA.tmp.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3252
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:3272

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      1c19c16e21c97ed42d5beabc93391fc5

      SHA1

      8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

      SHA256

      1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

      SHA512

      7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      c0bc2aff72c6e75ceb69ce83937af8e1

      SHA1

      cdccacfbf2c9a9eae991eea263bd32529a95fe76

      SHA256

      7d5f86b07492d6e4af60909e142c22589128dcf3e48076633055e112f04914f8

      SHA512

      ba48b01da9dae9c238a76c2ae02ba28d29d0782fbd01ca48d9f21f8b380407b94bebca2c257628491209e760ddf89a59595277677fdd7736b446b6b0f179816e

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      22799d02f984b422dd8f80cca46672ac

      SHA1

      350eb85eb590df1f1304cf479d3b1f879501ec2c

      SHA256

      b1372871a26f13edb708a07c1816353f2d5f84bf36d4e636eeabf70630570230

      SHA512

      3889ee94502ae2425ed9ae48ae3ef523ffce92102bdc35b5e56b6ac5103d14658b52dfd1e97364eaf478d68a832cdf6f6e3625831bc103f692baa337f7d62234

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      8abd048e4518821e4c533beb519a01d2

      SHA1

      a0862a6d936529d4f1d64281fabaa8c0f51558cf

      SHA256

      a33c123bc837c79d6fbd22b21353e70ac4130537eaac3aee24c069ca90f4c051

      SHA512

      1b36809ebe1b5437960000151b02cbe30827154436be6fdf6c0dfa1e5e06d757706d739df0cc6088e84ba2dadcb28957903bb2583c6cee8a4827c2da0aa64e30

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_km4u5vok.jkj.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp24AA.tmp.bat
      Filesize

      163B

      MD5

      43b49f325eee40b4d09b83b571acc8e3

      SHA1

      c513bcd371a8a78fd396bca58cf49907e2df0f56

      SHA256

      498047ffe2a9956b0c79bf51a12643ec5ba679c4fc66164751af2e6ca5eeac57

      SHA512

      a0f10f461dc8e21f3f882f66cf06c5465cf84b1955a6aca5a4a13a59774caeefca1a811b9978f4f9ca48d9427ddb23311911775ba95efa242a963badabca9432

      Download Submit

    • memory/524-13-0x0000000005BA0000-0x0000000005C3C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/524-980-0x0000000007000000-0x0000000007092000-memory.dmp

      Filesize

      584KB

      Download

    • memory/524-6-0x0000000075680000-0x0000000075842000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/524-10-0x0000000075680000-0x0000000075842000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/524-11-0x0000000000400000-0x0000000001650000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/524-12-0x0000000000400000-0x0000000001650000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/524-0-0x0000000000400000-0x0000000001650000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/524-990-0x0000000000400000-0x0000000001650000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/524-1-0x0000000075776000-0x0000000075777000-memory.dmp

      Filesize

      4KB

      Download

    • memory/524-988-0x0000000075680000-0x0000000075842000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/524-981-0x00000000070A0000-0x000000000759E000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/524-2-0x0000000075680000-0x0000000075842000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/524-7-0x0000000075680000-0x0000000075842000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/524-977-0x0000000075680000-0x0000000075842000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/524-974-0x0000000075776000-0x0000000075777000-memory.dmp

      Filesize

      4KB

      Download

    • memory/524-3-0x0000000075680000-0x0000000075842000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/524-731-0x0000000000400000-0x0000000001650000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/524-732-0x0000000075680000-0x0000000075842000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/524-8-0x0000000075680000-0x0000000075842000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/524-5-0x0000000075680000-0x0000000075842000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/524-4-0x0000000075680000-0x0000000075842000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/660-287-0x000000006F380000-0x000000006F3CB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2592-522-0x000000006F380000-0x000000006F3CB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3000-21-0x0000000008020000-0x0000000008086000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3000-25-0x0000000008650000-0x000000000869B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3000-245-0x0000000009BA0000-0x0000000009BBA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3000-250-0x0000000009B90000-0x0000000009B98000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3000-266-0x0000000075680000-0x0000000075842000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3000-51-0x0000000009A50000-0x0000000009AF5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/3000-46-0x00000000096C0000-0x00000000096DE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3000-45-0x000000006F380000-0x000000006F3CB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3000-44-0x00000000096E0000-0x0000000009713000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3000-43-0x0000000075680000-0x0000000075842000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3000-26-0x0000000008720000-0x0000000008796000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3000-52-0x0000000009C00000-0x0000000009C94000-memory.dmp

      Filesize

      592KB

      Download

    • memory/3000-17-0x0000000075680000-0x0000000075842000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3000-24-0x0000000008450000-0x000000000846C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3000-16-0x0000000004CD0000-0x0000000004D06000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3000-23-0x0000000008100000-0x0000000008450000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3000-22-0x0000000008090000-0x00000000080F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3000-20-0x0000000007760000-0x0000000007782000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3000-19-0x0000000007880000-0x0000000007EA8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3000-18-0x0000000075680000-0x0000000075842000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4276-759-0x000000006F380000-0x000000006F3CB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4276-741-0x0000000007D90000-0x00000000080E0000-memory.dmp

      Filesize

      3.3MB

      Download