522f8ba52ee45fdab6f7cfce51c27c4ef0351438a4d20fa18a302efd4c9aa2db

General

Target

AsProgrammeroutprotected.exe
Size

34.7MB
MD5

969e5d2784440716dc2561999ad03e4a
SHA1

0f62361615c6504e14e1e12a138c3f7f9fb5ec35
SHA256

522f8ba52ee45fdab6f7cfce51c27c4ef0351438a4d20fa18a302efd4c9aa2db
SHA512

d39449678016713b922beda3a7d766065b3afdcc3b4f6d07600ce19f404da70dff9cf9f8444cdeab2c58db3bbe2110ce80cca18bdf0362bdb6f4597bbd40d7d2
SSDEEP

786432:Vu+a9UsWGhsFu7REPVxHl8DZ4ZYVyqJ5u/US:wRfl+PbFsdVyq+cS

Score

9^/10

evasion pyinstaller themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AsProgrammeroutprotected.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AsProgrammeroutprotected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AsProgrammeroutprotected.exe

Executes dropped EXE 4 IoCs

pid	Process
2080	AsProgrammerDriver.exe
2864	AsProgrammer.exe
1640	AsProgrammerDriver.exe
1204	Process not Found

Loads dropped DLL 4 IoCs

pid	Process
1800	AsProgrammeroutprotected.exe
2080	AsProgrammerDriver.exe
1640	AsProgrammerDriver.exe
1204	Process not Found

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1800-4-0x000000013F2F0000-0x00000001415B2000-memory.dmp	themida
behavioral1/memory/1800-5-0x000000013F2F0000-0x00000001415B2000-memory.dmp	themida
behavioral1/memory/1800-129-0x000000013F2F0000-0x00000001415B2000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AsProgrammeroutprotected.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000012118-11.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2080	1800	AsProgrammeroutprotected.exe	30
PID 1800 wrote to memory of 2080	1800	AsProgrammeroutprotected.exe	30
PID 1800 wrote to memory of 2080	1800	AsProgrammeroutprotected.exe	30
PID 1800 wrote to memory of 2864	1800	AsProgrammeroutprotected.exe	31
PID 1800 wrote to memory of 2864	1800	AsProgrammeroutprotected.exe	31
PID 1800 wrote to memory of 2864	1800	AsProgrammeroutprotected.exe	31
PID 1800 wrote to memory of 2864	1800	AsProgrammeroutprotected.exe	31
PID 2080 wrote to memory of 1640	2080	AsProgrammerDriver.exe	32
PID 2080 wrote to memory of 1640	2080	AsProgrammerDriver.exe	32
PID 2080 wrote to memory of 1640	2080	AsProgrammerDriver.exe	32

C:\Users\Admin\AppData\Local\Temp\AsProgrammeroutprotected.exe
"C:\Users\Admin\AppData\Local\Temp\AsProgrammeroutprotected.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\AsProgrammerDriver.exe
  "C:\Users\Admin\AppData\Local\Temp\AsProgrammerDriver.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\AsProgrammerDriver.exe
    "C:\Users\Admin\AppData\Local\Temp\AsProgrammerDriver.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1640
- C:\Users\Admin\AppData\Local\Temp\AsProgrammer.exe
  "C:\Users\Admin\AppData\Local\Temp\AsProgrammer.exe"
  2⤵
  - Executes dropped EXE
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AsProgrammer.exe

Filesize
3.5MB

MD5
43c2a759cfaeccb560ac7231223245fa

SHA1
dbfe38d55513a9cdf23a4e012dcc169012a316a1

SHA256
ac71e17cf55d08c0a07a5ca67fe6cb8a86ffb0899034316738c3001c2eef4241

SHA512
ea481e183e886568abc636d156eec27ec28fd9e24f6453a9424757f804f8c79ed05a3b099cb337978a26a7dbd81eb5b4f7a6696a56d295fceefba963fea07701

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20802\python311.dll

Filesize
5.5MB

MD5
387bb2c1e40bde1517f06b46313766be

SHA1
601f83ef61c7699652dec17edd5a45d6c20786c4

SHA256
0817a2a657a24c0d5fbb60df56960f42fc66b3039d522ec952dab83e2d869364

SHA512
521cde6eaa5d4a2e0ef6bbfdea50b00750ae022c1c7bd66b20654c035552b49c9d2fac18ef503bbd136a7a307bdeb97f759d45c25228a0bf0c37739b6e897bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20802\setuptools\_vendor\jaraco.context-5.3.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20802\setuptools\_vendor\jaraco.text-3.12.1.dist-info\LICENSE

Filesize
1023B

MD5
141643e11c48898150daa83802dbc65f

SHA1
0445ed0f69910eeaee036f09a39a13c6e1f37e12

SHA256
86da0f01aeae46348a3c3d465195dc1ceccde79f79e87769a64b8da04b2a4741

SHA512
ef62311602b466397baf0b23caca66114f8838f9e78e1b067787ceb709d09e0530e85a47bbcd4c5a0905b74fdb30df0cc640910c6cc2e67886e5b18794a3583f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20802\setuptools\_vendor\jaraco.text-3.12.1.dist-info\WHEEL

Filesize
92B

MD5
43136dde7dd276932f6197bb6d676ef4

SHA1
6b13c105452c519ea0b65ac1a975bd5e19c50122

SHA256
189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714

SHA512
e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1

Download Submit
\Users\Admin\AppData\Local\Temp\AsProgrammerDriver.exe

Filesize
14.6MB

MD5
414da3cc6900371a012f6a26568e6c1f

SHA1
58c0a0b0f2967e84fe9a09bae9a28b796f4f484b

SHA256
27b4dd23bf21dd8ccf27e4caffc5db2a44a5b61533b3896cd0579d403511a0e2

SHA512
4ec63d07db45db05dc6d00011924f8eef52f4faa94d4771a3963865fff401d205fc4c28e1c50cb36f5c2c19da4a9ebdbc5feacb5cc0d059c45161796b0a9060c

Download Submit
memory/1800-6-0x000000001BEC0000-0x000000001D0F4000-memory.dmp

Filesize
18.2MB

Download
memory/1800-9-0x000007FEFD240000-0x000007FEFD2AC000-memory.dmp

Filesize
432KB

Download
memory/1800-2-0x000007FEFD240000-0x000007FEFD2AC000-memory.dmp

Filesize
432KB

Download
memory/1800-5-0x000000013F2F0000-0x00000001415B2000-memory.dmp

Filesize
34.8MB

Download
memory/1800-57-0x000007FEFD240000-0x000007FEFD2AC000-memory.dmp

Filesize
432KB

Download
memory/1800-129-0x000000013F2F0000-0x00000001415B2000-memory.dmp

Filesize
34.8MB

Download
memory/1800-4-0x000000013F2F0000-0x00000001415B2000-memory.dmp

Filesize
34.8MB

Download
memory/1800-3-0x000007FEFD240000-0x000007FEFD2AC000-memory.dmp

Filesize
432KB

Download
memory/1800-0-0x000000013F2F0000-0x00000001415B2000-memory.dmp

Filesize
34.8MB

Download
memory/1800-1-0x000007FEFD254000-0x000007FEFD255000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads