eecc62ff3146dfefda210a2b171e8cadccd3fae591664d14f6c1050f2276e4bd

General

Target

Loader (1).exe
Size

19.4MB
MD5

b0e9695947a18901349ca0dd41521f01
SHA1

24dcad88b3a36e1ce145ba769702b00a2ea82738
SHA256

eecc62ff3146dfefda210a2b171e8cadccd3fae591664d14f6c1050f2276e4bd
SHA512

fe0793394c85845e75a852dbb65898f97659b09c340068d954235e4fc98909ff09b1a0adac17ddac03d5b9262b815af2d27a06af5892198220e1eacced159108
SSDEEP

393216:gDI5Bw8g+wwmMQYx16YTnxoOmkEYYe5HVOvNMuPNCEBbRVOqzW:wI5BwDwZQYxxoGpVOvuuPNCcNVQ

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader (1).exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader (1).exe

Loads dropped DLL 1 IoCs

pid	Process
524	Loader (1).exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/524-1-0x00007FF72BB90000-0x00007FF72EED7000-memory.dmp	themida
behavioral2/memory/524-0-0x00007FF72BB90000-0x00007FF72EED7000-memory.dmp	themida
behavioral2/memory/524-2-0x00007FF72BB90000-0x00007FF72EED7000-memory.dmp	themida
behavioral2/memory/524-23-0x00007FF72BB90000-0x00007FF72EED7000-memory.dmp	themida
behavioral2/memory/524-24-0x00007FF72BB90000-0x00007FF72EED7000-memory.dmp	themida
behavioral2/memory/524-25-0x00007FF72BB90000-0x00007FF72EED7000-memory.dmp	themida
behavioral2/memory/524-26-0x00007FF72BB90000-0x00007FF72EED7000-memory.dmp	themida
behavioral2/memory/524-33-0x00007FF72BB90000-0x00007FF72EED7000-memory.dmp	themida
behavioral2/memory/524-46-0x00007FF72BB90000-0x00007FF72EED7000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader (1).exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3396	EXCEL.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3396	EXCEL.EXE
3396	EXCEL.EXE
3396	EXCEL.EXE
3396	EXCEL.EXE
3396	EXCEL.EXE
3396	EXCEL.EXE
3396	EXCEL.EXE
3396	EXCEL.EXE
3396	EXCEL.EXE

cURL User-Agent 1 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	2	curl/8.4.0

C:\Users\Admin\AppData\Local\Temp\Loader (1).exe
"C:\Users\Admin\AppData\Local\Temp\Loader (1).exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
PID:524

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\RepairReceive.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7405f4.dll

Filesize
10KB

MD5
93294a49d4b822f9e521e099deae3c5b

SHA1
ef1c47b61019d58ce6c3d6819efcdb9d4f768f97

SHA256
d6451ea2a42d426cb042b2953feb1d77720204448124226275970ce5c566aa79

SHA512
306e18437946ad980a50b0b1957a8fd30609667a93848f175aad80acc073374edaeb8ef22414bccde35126048ddc69f6f7f9be1cc6e68461e1a1e503d48016bc

Download Submit
memory/524-27-0x00007FFC78EF0000-0x00007FFC791B9000-memory.dmp

Filesize
2.8MB

Download
memory/524-2-0x00007FF72BB90000-0x00007FF72EED7000-memory.dmp

Filesize
51.3MB

Download
memory/524-0-0x00007FF72BB90000-0x00007FF72EED7000-memory.dmp

Filesize
51.3MB

Download
memory/524-5-0x0000000180000000-0x0000000180049000-memory.dmp

Filesize
292KB

Download
memory/524-1-0x00007FF72BB90000-0x00007FF72EED7000-memory.dmp

Filesize
51.3MB

Download
memory/524-13-0x0000000180000000-0x0000000180049000-memory.dmp

Filesize
292KB

Download
memory/524-7-0x000001D3212E0000-0x000001D321350000-memory.dmp

Filesize
448KB

Download
memory/524-33-0x00007FF72BB90000-0x00007FF72EED7000-memory.dmp

Filesize
51.3MB

Download
memory/524-23-0x00007FF72BB90000-0x00007FF72EED7000-memory.dmp

Filesize
51.3MB

Download
memory/524-24-0x00007FF72BB90000-0x00007FF72EED7000-memory.dmp

Filesize
51.3MB

Download
memory/524-25-0x00007FF72BB90000-0x00007FF72EED7000-memory.dmp

Filesize
51.3MB

Download
memory/524-3-0x00007FFC78F54000-0x00007FFC78F55000-memory.dmp

Filesize
4KB

Download
memory/524-4-0x00007FFC78EF0000-0x00007FFC791B9000-memory.dmp

Filesize
2.8MB

Download
memory/524-26-0x00007FF72BB90000-0x00007FF72EED7000-memory.dmp

Filesize
51.3MB

Download
memory/524-46-0x00007FF72BB90000-0x00007FF72EED7000-memory.dmp

Filesize
51.3MB

Download
memory/524-47-0x00007FFC78EF0000-0x00007FFC791B9000-memory.dmp

Filesize
2.8MB

Download
memory/3396-37-0x00007FFC78EF0000-0x00007FFC791B9000-memory.dmp

Filesize
2.8MB

Download
memory/3396-32-0x00007FFC3B570000-0x00007FFC3B580000-memory.dmp

Filesize
64KB

Download
memory/3396-30-0x00007FFC3B570000-0x00007FFC3B580000-memory.dmp

Filesize
64KB

Download
memory/3396-34-0x00007FFC78EF0000-0x00007FFC791B9000-memory.dmp

Filesize
2.8MB

Download
memory/3396-31-0x00007FFC3B570000-0x00007FFC3B580000-memory.dmp

Filesize
64KB

Download
memory/3396-36-0x00007FFC38C10000-0x00007FFC38C20000-memory.dmp

Filesize
64KB

Download
memory/3396-28-0x00007FFC3B570000-0x00007FFC3B580000-memory.dmp

Filesize
64KB

Download
memory/3396-38-0x00007FFC38C10000-0x00007FFC38C20000-memory.dmp

Filesize
64KB

Download
memory/3396-29-0x00007FFC3B570000-0x00007FFC3B580000-memory.dmp

Filesize
64KB

Download
memory/3396-35-0x00007FFC78EF0000-0x00007FFC791B9000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads