d7435449ef4aecbd126115316045b002cb5aecfbcd6cbed9f3cbe62114502060

Analysis

max time kernel
35s
max time network
31s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
19/08/2024, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Monolith.exe
Size

3.9MB
MD5

07dc38e53039d72d14e1cbca9856ba5b
SHA1

d3a981998c26f59d08090150a813d5ab27e53526
SHA256

d7435449ef4aecbd126115316045b002cb5aecfbcd6cbed9f3cbe62114502060
SHA512

0b96bd20778d8524602de2ce6027500d8412b5fc8d00d3af34a954b55c82cc9d59fc988ffbf78a9e3866dae8862158ca31f1bd5e516527a8857d240f2df4c465
SSDEEP

98304:uw8woLTfmptqpaKjSVO+Pm5hXvAPAtXI08y4OfcswrxhKAqLB/JsSYOkM:uwuH+pMP4Pk9vuAtXp8HOkBdhpqBJWQ

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Monolith.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Monolith.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Monolith.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral3/memory/2740-0-0x0000000140000000-0x0000000140A49000-memory.dmp	themida
behavioral3/memory/2740-3-0x0000000140000000-0x0000000140A49000-memory.dmp	themida
behavioral3/memory/2740-2-0x0000000140000000-0x0000000140A49000-memory.dmp	themida
behavioral3/memory/2740-32-0x0000000140000000-0x0000000140A49000-memory.dmp	themida
behavioral3/memory/2740-33-0x0000000140000000-0x0000000140A49000-memory.dmp	themida
behavioral3/memory/2740-50-0x0000000140000000-0x0000000140A49000-memory.dmp	themida
behavioral3/memory/2740-60-0x0000000140000000-0x0000000140A49000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Monolith.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	discord.com
16	discord.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2740	Monolith.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe
2740	Monolith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 1092	2740	Monolith.exe	83
PID 2740 wrote to memory of 1092	2740	Monolith.exe	83
PID 1092 wrote to memory of 4492	1092	msedge.exe	84
PID 1092 wrote to memory of 4492	1092	msedge.exe	84
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 576	1092	msedge.exe	85
PID 1092 wrote to memory of 4820	1092	msedge.exe	86
PID 1092 wrote to memory of 4820	1092	msedge.exe	86
PID 1092 wrote to memory of 3388	1092	msedge.exe	87
PID 1092 wrote to memory of 3388	1092	msedge.exe	87
PID 1092 wrote to memory of 3388	1092	msedge.exe	87
PID 1092 wrote to memory of 3388	1092	msedge.exe	87
PID 1092 wrote to memory of 3388	1092	msedge.exe	87
PID 1092 wrote to memory of 3388	1092	msedge.exe	87
PID 1092 wrote to memory of 3388	1092	msedge.exe	87
PID 1092 wrote to memory of 3388	1092	msedge.exe	87
PID 1092 wrote to memory of 3388	1092	msedge.exe	87
PID 1092 wrote to memory of 3388	1092	msedge.exe	87
PID 1092 wrote to memory of 3388	1092	msedge.exe	87
PID 1092 wrote to memory of 3388	1092	msedge.exe	87
PID 1092 wrote to memory of 3388	1092	msedge.exe	87
PID 1092 wrote to memory of 3388	1092	msedge.exe	87
PID 1092 wrote to memory of 3388	1092	msedge.exe	87
PID 1092 wrote to memory of 3388	1092	msedge.exe	87
PID 1092 wrote to memory of 3388	1092	msedge.exe	87
PID 1092 wrote to memory of 3388	1092	msedge.exe	87

C:\Users\Admin\AppData\Local\Temp\Monolith.exe
"C:\Users\Admin\AppData\Local\Temp\Monolith.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/rpgq7aKtBD
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffd86373cb8,0x7ffd86373cc8,0x7ffd86373cd8
    3⤵
    PID:4492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,9742975439071247300,4883812147270227987,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
    3⤵
    PID:576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,9742975439071247300,4883812147270227987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
    3⤵
    PID:4820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,9742975439071247300,4883812147270227987,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
    3⤵
    PID:3388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,9742975439071247300,4883812147270227987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    3⤵
    PID:1476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,9742975439071247300,4883812147270227987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    3⤵
    PID:3288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,9742975439071247300,4883812147270227987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
    3⤵
    PID:2780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
da1796719a8b3e4401e14594e9d552a5

SHA1
92a2071aa2a782603044d1d8eb47a8be3d72ec1d

SHA256
3bb92ec281f6b2061ef9f3d4cef6949fd2494df37851d5289b6d8147b626aa49

SHA512
27d6a5b544bcfa9c7a087c168a703cba93251c420d058d886fbe9a34b16280f4ab1ff1b3fef7815b9db4b19e63df6a1565a3ad9fe6d02b58f3c3cc7711ad340f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
70f3bdcc19980aa7fdfa8d01eac87055

SHA1
156d6804747f3749528e9b46c5e5616e65f8915a

SHA256
8b07baeb43b939b23501809e84df2ec6ddb14fd128eed26f16b453d48ac0a682

SHA512
27717c6b4392cfe92572e49e61f18a00840f5a20c387890b6dadb0a1a9b964e9bad7ec140a989a80fbc716b77314f55f63c1c95b82e34671d1edd5f0691bff3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0c0c9b70eb7c400ece5f57c04f1dc622

SHA1
b6778b7461f25a64f6964f982bafbec54a19d5a6

SHA256
3bddb87bbcfe121483475ca61707844685101aa5b5aa57b3848505c1c07da847

SHA512
8f6b1d91e6bbbcbc708265e8a454bd3d43ffcd75d6fb5648a56baded9743542b2c2be9b5a46fb4f31683d0a4a73bf462cd6c5b241602d3ffa1a2398777edac55

Download Submit
memory/2740-2-0x0000000140000000-0x0000000140A49000-memory.dmp

Filesize
10.3MB

Download
memory/2740-0-0x0000000140000000-0x0000000140A49000-memory.dmp

Filesize
10.3MB

Download
memory/2740-32-0x0000000140000000-0x0000000140A49000-memory.dmp

Filesize
10.3MB

Download
memory/2740-33-0x0000000140000000-0x0000000140A49000-memory.dmp

Filesize
10.3MB

Download
memory/2740-3-0x0000000140000000-0x0000000140A49000-memory.dmp

Filesize
10.3MB

Download
memory/2740-1-0x00007FFD96027000-0x00007FFD96029000-memory.dmp

Filesize
8KB

Download
memory/2740-50-0x0000000140000000-0x0000000140A49000-memory.dmp

Filesize
10.3MB

Download
memory/2740-60-0x0000000140000000-0x0000000140A49000-memory.dmp

Filesize
10.3MB

Download