e4ba2c8e5ede2d6bbc3a9009a4c588ebbe8a1381cc2e3286ae36a1a87eb3241b

Analysis

max time kernel
147s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21-08-2024 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Magic.exe
Size

5.4MB
MD5

632261a647d176fab4179afca83a6751
SHA1

22d032ffa9a12737c78437582e833beb644230e1
SHA256

e4ba2c8e5ede2d6bbc3a9009a4c588ebbe8a1381cc2e3286ae36a1a87eb3241b
SHA512

6e50432682a6fe3b9e5039ccc0776193f464bd1605974f946431b477d2dad9a267019df38d65a7cd5282f4933c0fb76dad6b33923b08ca76d28d3e8925f84f87
SSDEEP

98304:azz8zUAYRMhX8yJwO+H5S1//wvZWMoniz3SM0fcEQkouKMRXjDNUBT0D8l:c8zUAKMJlJT+H0VovT34cEgMJDkTo2

Score

9^/10

evasion execution themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Magic.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Magic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Magic.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/4916-0-0x00007FF60DD50000-0x00007FF60EB24000-memory.dmp	themida
behavioral1/memory/4916-3-0x00007FF60DD50000-0x00007FF60EB24000-memory.dmp	themida
behavioral1/memory/4916-2-0x00007FF60DD50000-0x00007FF60EB24000-memory.dmp	themida
behavioral1/memory/4916-4-0x00007FF60DD50000-0x00007FF60EB24000-memory.dmp	themida
behavioral1/memory/4916-5-0x00007FF60DD50000-0x00007FF60EB24000-memory.dmp	themida
behavioral1/memory/4916-6-0x00007FF60DD50000-0x00007FF60EB24000-memory.dmp	themida
behavioral1/memory/4916-7-0x00007FF60DD50000-0x00007FF60EB24000-memory.dmp	themida
behavioral1/memory/4916-12-0x00007FF60DD50000-0x00007FF60EB24000-memory.dmp	themida
behavioral1/memory/4916-15-0x00007FF60DD50000-0x00007FF60EB24000-memory.dmp	themida
behavioral1/memory/4916-17-0x00007FF60DD50000-0x00007FF60EB24000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magic.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4916	Magic.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1284	sc.exe
4232	sc.exe
3888	sc.exe
3188	sc.exe
1588	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe
4916	Magic.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 1652	4916	Magic.exe	82
PID 4916 wrote to memory of 1652	4916	Magic.exe	82
PID 1652 wrote to memory of 1772	1652	cmd.exe	83
PID 1652 wrote to memory of 1772	1652	cmd.exe	83
PID 1652 wrote to memory of 1392	1652	cmd.exe	84
PID 1652 wrote to memory of 1392	1652	cmd.exe	84
PID 1652 wrote to memory of 2844	1652	cmd.exe	85
PID 1652 wrote to memory of 2844	1652	cmd.exe	85
PID 4916 wrote to memory of 3896	4916	Magic.exe	86
PID 4916 wrote to memory of 3896	4916	Magic.exe	86
PID 3896 wrote to memory of 4232	3896	cmd.exe	87
PID 3896 wrote to memory of 4232	3896	cmd.exe	87
PID 4916 wrote to memory of 2028	4916	Magic.exe	88
PID 4916 wrote to memory of 2028	4916	Magic.exe	88
PID 2028 wrote to memory of 3888	2028	cmd.exe	89
PID 2028 wrote to memory of 3888	2028	cmd.exe	89
PID 4916 wrote to memory of 2864	4916	Magic.exe	90
PID 4916 wrote to memory of 2864	4916	Magic.exe	90
PID 2864 wrote to memory of 3188	2864	cmd.exe	91
PID 2864 wrote to memory of 3188	2864	cmd.exe	91
PID 4916 wrote to memory of 3764	4916	Magic.exe	92
PID 4916 wrote to memory of 3764	4916	Magic.exe	92
PID 3764 wrote to memory of 1588	3764	cmd.exe	93
PID 3764 wrote to memory of 1588	3764	cmd.exe	93
PID 4916 wrote to memory of 3312	4916	Magic.exe	94
PID 4916 wrote to memory of 3312	4916	Magic.exe	94
PID 3312 wrote to memory of 1284	3312	cmd.exe	95
PID 3312 wrote to memory of 1284	3312	cmd.exe	95
PID 4916 wrote to memory of 3488	4916	Magic.exe	96
PID 4916 wrote to memory of 3488	4916	Magic.exe	96
PID 3488 wrote to memory of 1096	3488	cmd.exe	97
PID 3488 wrote to memory of 1096	3488	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\Magic.exe
"C:\Users\Admin\AppData\Local\Temp\Magic.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Magic.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Magic.exe" MD5
    3⤵
    PID:1772
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:1392
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:4232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:3888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:3188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:1284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c MODE CON COLS=55 LINES=12
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\system32\mode.com
    MODE CON COLS=55 LINES=12
    3⤵
    PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4916-0-0x00007FF60DD50000-0x00007FF60EB24000-memory.dmp

Filesize
13.8MB

Download
memory/4916-1-0x00007FF918E47000-0x00007FF918E49000-memory.dmp

Filesize
8KB

Download
memory/4916-3-0x00007FF60DD50000-0x00007FF60EB24000-memory.dmp

Filesize
13.8MB

Download
memory/4916-2-0x00007FF60DD50000-0x00007FF60EB24000-memory.dmp

Filesize
13.8MB

Download
memory/4916-4-0x00007FF60DD50000-0x00007FF60EB24000-memory.dmp

Filesize
13.8MB

Download
memory/4916-5-0x00007FF60DD50000-0x00007FF60EB24000-memory.dmp

Filesize
13.8MB

Download
memory/4916-6-0x00007FF60DD50000-0x00007FF60EB24000-memory.dmp

Filesize
13.8MB

Download
memory/4916-7-0x00007FF60DD50000-0x00007FF60EB24000-memory.dmp

Filesize
13.8MB

Download
memory/4916-12-0x00007FF60DD50000-0x00007FF60EB24000-memory.dmp

Filesize
13.8MB

Download
memory/4916-15-0x00007FF60DD50000-0x00007FF60EB24000-memory.dmp

Filesize
13.8MB

Download
memory/4916-17-0x00007FF60DD50000-0x00007FF60EB24000-memory.dmp

Filesize
13.8MB

Download