Overview

overview

9

Static

static

7

368f80fd75...0N.exe

windows7-x64

9

368f80fd75...0N.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    25/08/2024, 20:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    368f80fd75e51f4aeaaf89ff2fb7d5f0N.exe

  • Size

    6.9MB

  • MD5

    368f80fd75e51f4aeaaf89ff2fb7d5f0

  • SHA1

    df8cc8a60a012b2e019dfde775d8e8567ddef888

  • SHA256

    1944688ceca74de96b3d32dc9f2003a97aa56ef3f970c6eacf926f6f688450c9

  • SHA512

    9cac22e3a0971ec68f90b602f8bb828677bb529579b0defd788522fafd437edce726aed5e54aec78c9a3d37a8fec5bd99ce5adf2870a6ec713ab64237030f6bc

  • SSDEEP

    196608:pxTaLHqLRq7srzQT09F3tNw1Mqde6bWCjt:7TaLKLRo08T0v3EKet

Score
9/10
discoveryevasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 3 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Themida packer 22 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • AutoIT Executable 15 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\368f80fd75e51f4aeaaf89ff2fb7d5f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\368f80fd75e51f4aeaaf89ff2fb7d5f0N.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\amd64_microsoft-windows-wmi-stdprov-provider_31bf3856ad364e35_10.0.18362.1_none_10ebcf1c43c7c480" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\ProgramData\amd64_microsoft-windows-wmi-stdprov-provider_31bf3856ad364e35_10.0.18362.1_none_10ebcf1c43c7c480" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\ProgramData\amd64_microsoft-windows-wmi-stdprov-provider_31bf3856ad364e35_10.0.18362.1_none_10ebcf1c43c7c480" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\amd64_microsoft-windows-wmi-stdprov-provider_31bf3856ad364e35_10.0.18362.1_none_10ebcf1c43c7c480" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:1080
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\amd64_microsoft-windows-wmi-stdprov-provider_31bf3856ad364e35_10.0.18362.1_none_10ebcf1c43c7c480" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2860
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\ProgramData\amd64_microsoft-windows-wmi-stdprov-provider_31bf3856ad364e35_10.0.18362.1_none_10ebcf1c43c7c480" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2696
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {3090F66C-9AA9-42A6-94E0-8AC67CAE0F09} S-1-5-21-3294248377-1418901787-4083263181-1000:FMEDFXFE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\ProgramData\amd64_microsoft-windows-wmi-stdprov-provider_31bf3856ad364e35_10.0.18362.1_none_10ebcf1c43c7c480\keymgr.exe
      C:\ProgramData\amd64_microsoft-windows-wmi-stdprov-provider_31bf3856ad364e35_10.0.18362.1_none_10ebcf1c43c7c480\keymgr.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2772
    • C:\ProgramData\amd64_microsoft-windows-wmi-stdprov-provider_31bf3856ad364e35_10.0.18362.1_none_10ebcf1c43c7c480\keymgr.exe
      C:\ProgramData\amd64_microsoft-windows-wmi-stdprov-provider_31bf3856ad364e35_10.0.18362.1_none_10ebcf1c43c7c480\keymgr.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2856
    • C:\ProgramData\amd64_microsoft-windows-wmi-stdprov-provider_31bf3856ad364e35_10.0.18362.1_none_10ebcf1c43c7c480\keymgr.exe
      C:\ProgramData\amd64_microsoft-windows-wmi-stdprov-provider_31bf3856ad364e35_10.0.18362.1_none_10ebcf1c43c7c480\keymgr.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1732

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\amd64_microsoft-windows-wmi-stdprov-provider_31bf3856ad364e35_10.0.18362.1_none_10ebcf1c43c7c480\keymgr.exe
    Filesize

    6.9MB

    MD5

    368f80fd75e51f4aeaaf89ff2fb7d5f0

    SHA1

    df8cc8a60a012b2e019dfde775d8e8567ddef888

    SHA256

    1944688ceca74de96b3d32dc9f2003a97aa56ef3f970c6eacf926f6f688450c9

    SHA512

    9cac22e3a0971ec68f90b602f8bb828677bb529579b0defd788522fafd437edce726aed5e54aec78c9a3d37a8fec5bd99ce5adf2870a6ec713ab64237030f6bc

    Download Submit

  • memory/1732-206-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/1732-158-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/2488-13-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2488-8-0x0000000000210000-0x0000000000211000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2488-46-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/2488-45-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/2488-49-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/2488-48-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/2488-44-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/2488-40-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/2488-47-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/2488-43-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/2488-38-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/2488-39-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/2488-30-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2488-28-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2488-25-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2488-23-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2488-20-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2488-18-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2488-15-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2488-0-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/2488-42-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/2488-6-0x0000000000210000-0x0000000000211000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2488-10-0x0000000000210000-0x0000000000211000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2488-5-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2488-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2488-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2488-52-0x00000000018BB000-0x0000000001B2D000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2488-51-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/2488-33-0x00000000018BB000-0x0000000001B2D000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2488-41-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/2488-35-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/2772-151-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/2772-54-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/2856-71-0x0000000000110000-0x0000000000111000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2856-69-0x0000000000110000-0x0000000000111000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2856-66-0x0000000000100000-0x0000000000101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2856-64-0x0000000000100000-0x0000000000101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2856-61-0x00000000000F0000-0x00000000000F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2856-59-0x00000000000F0000-0x00000000000F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2856-150-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/2856-56-0x0000000001340000-0x0000000002206000-memory.dmp

    Filesize

    14.8MB

    Download