18c0bba23af8256a5f9e3de3038555a6a706dddd0c24123c011c1a8aa4d78156

General

Target

Inj.exe
Size

3.6MB
MD5

c01178fa2626c8d717fde33e03a3876e
SHA1

afee86588501928ae39eec90d6c1d6028f243689
SHA256

18c0bba23af8256a5f9e3de3038555a6a706dddd0c24123c011c1a8aa4d78156
SHA512

233744740883ab71ea7bb8c493db24c062e480f547cf13cd3210a3fa165368f7eb3cf908a6da3f6a5f81fbfe415cdfb03fb1ad38d6ff27ac9e8df417fe7ec7c0
SSDEEP

98304:sdvPB9yZdnrBYwSsHrOfmjSctW70xGtat:uvpMZdnrBhl67m3t

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Inj.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\hOPlFILzGFKHzudCOcWqs\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\hOPlFILzGFKHzudCOcWqs"	3nzx3.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Inj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Inj.exe

Executes dropped EXE 1 IoCs

pid	Process
2888	3nzx3.exe

Loads dropped DLL 1 IoCs

pid	Process
3024	Inj.exe

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/3024-0-0x000000013F540000-0x000000013FEC7000-memory.dmp	themida
behavioral1/memory/3024-5-0x000000013F540000-0x000000013FEC7000-memory.dmp	themida
behavioral1/memory/3024-2-0x000000013F540000-0x000000013FEC7000-memory.dmp	themida
behavioral1/memory/3024-6-0x000000013F540000-0x000000013FEC7000-memory.dmp	themida
behavioral1/memory/3024-7-0x000000013F540000-0x000000013FEC7000-memory.dmp	themida
behavioral1/memory/3024-4-0x000000013F540000-0x000000013FEC7000-memory.dmp	themida
behavioral1/memory/3024-3-0x000000013F540000-0x000000013FEC7000-memory.dmp	themida
behavioral1/memory/3024-15-0x000000013F540000-0x000000013FEC7000-memory.dmp	themida
behavioral1/memory/3024-18-0x000000013F540000-0x000000013FEC7000-memory.dmp	themida
behavioral1/memory/3024-19-0x000000013F540000-0x000000013FEC7000-memory.dmp	themida
behavioral1/memory/3024-21-0x000000013F540000-0x000000013FEC7000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Inj.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3024	Inj.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\Download\3nzx3.exe	Inj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2888	3nzx3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2888	3nzx3.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2836	3024	Inj.exe	31
PID 3024 wrote to memory of 2836	3024	Inj.exe	31
PID 3024 wrote to memory of 2836	3024	Inj.exe	31
PID 3024 wrote to memory of 2900	3024	Inj.exe	32
PID 3024 wrote to memory of 2900	3024	Inj.exe	32
PID 3024 wrote to memory of 2900	3024	Inj.exe	32
PID 3024 wrote to memory of 2888	3024	Inj.exe	33
PID 3024 wrote to memory of 2888	3024	Inj.exe	33
PID 3024 wrote to memory of 2888	3024	Inj.exe	33

C:\Users\Admin\AppData\Local\Temp\Inj.exe
"C:\Users\Admin\AppData\Local\Temp\Inj.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 9
  2⤵
  PID:2900
- C:\Windows\SoftwareDistribution\Download\3nzx3.exe
  "C:\Windows\SoftwareDistribution\Download\3nzx3.exe"
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SoftwareDistribution\Download\3nzx3.exe

Filesize
100KB

MD5
03997b52220aa284bd6da2f39a82b002

SHA1
7aa87879a471cbda376914927a3b6b8274a6d642

SHA256
7873158c42440a31a986c1472c0982404f54325ccd0c8b3a6e63a707277945a2

SHA512
e7ccf9300166cb8c3d81153e9675240778a4910b2f503f8c2293c273f42eee6fe0841d66fe0baa91d9355392b06b85008921a75c90969d2b823d2092935efef9

Download Submit
memory/3024-4-0x000000013F540000-0x000000013FEC7000-memory.dmp

Filesize
9.5MB

Download
memory/3024-5-0x000000013F540000-0x000000013FEC7000-memory.dmp

Filesize
9.5MB

Download
memory/3024-2-0x000000013F540000-0x000000013FEC7000-memory.dmp

Filesize
9.5MB

Download
memory/3024-6-0x000000013F540000-0x000000013FEC7000-memory.dmp

Filesize
9.5MB

Download
memory/3024-7-0x000000013F540000-0x000000013FEC7000-memory.dmp

Filesize
9.5MB

Download
memory/3024-0-0x000000013F540000-0x000000013FEC7000-memory.dmp

Filesize
9.5MB

Download
memory/3024-3-0x000000013F540000-0x000000013FEC7000-memory.dmp

Filesize
9.5MB

Download
memory/3024-1-0x0000000077050000-0x0000000077052000-memory.dmp

Filesize
8KB

Download
memory/3024-15-0x000000013F540000-0x000000013FEC7000-memory.dmp

Filesize
9.5MB

Download
memory/3024-18-0x000000013F540000-0x000000013FEC7000-memory.dmp

Filesize
9.5MB

Download
memory/3024-19-0x000000013F540000-0x000000013FEC7000-memory.dmp

Filesize
9.5MB

Download
memory/3024-21-0x000000013F540000-0x000000013FEC7000-memory.dmp

Filesize
9.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads