2c5d51a000560a6f498bb266d2fcee4f76aa60354a7d44343d33631a4c37d905

General

Target

CS2.exe
Size

21.7MB
MD5

933f1bfaf98d22278faf7d54c6d1d3fa
SHA1

1309ec4b8aa14ceec5d38397f429d1eb385b0005
SHA256

2c5d51a000560a6f498bb266d2fcee4f76aa60354a7d44343d33631a4c37d905
SHA512

608c0649747027a053086e2ffcf578df45b5a9a0144d4400bf4f6494a12dc91248c1b6dd9888aaf5727b4666fe144b94646c1c68b4ef7f3a5f80d50316db5c83
SSDEEP

393216:J1WJ89yLP1xrHM1TlQnyGve0Zy5shRVhC+1w1pmTYpxUexxag9PM7WxP+yyk:JIJ88P1RHgQyGG0QERVQ+1w1pxpxEV7C

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CS2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	녕사안세지잘.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CS2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CS2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	녕사안세지잘.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	녕사안세지잘.exe

Executes dropped EXE 1 IoCs

pid	Process
852	녕사안세지잘.exe

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/1928-6-0x0000000140000000-0x0000000143997000-memory.dmp	themida
behavioral2/memory/1928-8-0x0000000140000000-0x0000000143997000-memory.dmp	themida
behavioral2/memory/1928-9-0x0000000140000000-0x0000000143997000-memory.dmp	themida
behavioral2/memory/1928-10-0x0000000140000000-0x0000000143997000-memory.dmp	themida
behavioral2/files/0x000e0000000006c1-13.dat	themida
behavioral2/memory/1928-15-0x0000000140000000-0x0000000143997000-memory.dmp	themida
behavioral2/memory/852-20-0x0000000140000000-0x0000000143997000-memory.dmp	themida
behavioral2/memory/852-21-0x0000000140000000-0x0000000143997000-memory.dmp	themida
behavioral2/memory/852-22-0x0000000140000000-0x0000000143997000-memory.dmp	themida
behavioral2/memory/852-23-0x0000000140000000-0x0000000143997000-memory.dmp	themida
behavioral2/memory/852-24-0x0000000140000000-0x0000000143997000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CS2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	녕사안세지잘.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1928	CS2.exe
852	녕사안세지잘.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
852	녕사안세지잘.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	CS2.exe
Token: SeDebugPrivilege	852	녕사안세지잘.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 852	1928	CS2.exe	87
PID 1928 wrote to memory of 852	1928	CS2.exe	87
PID 1928 wrote to memory of 3236	1928	CS2.exe	88
PID 1928 wrote to memory of 3236	1928	CS2.exe	88
PID 3236 wrote to memory of 3980	3236	cmd.exe	90
PID 3236 wrote to memory of 3980	3236	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\CS2.exe
"C:\Users\Admin\AppData\Local\Temp\CS2.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\녕사안세지잘.exe
  "녕사안세지잘.exe" -R
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\CS2.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\raylib.dll

Filesize
1.5MB

MD5
1ad2ed8a744a5e09070692bb0dc8044c

SHA1
da47e4ab91bcfc6e96f0585bb0fc7918ea12aec1

SHA256
7c0e4669fe2d882dc4c19e19b876031b96995e6ebd5e913a3eadb6535c90e7b3

SHA512
78ca30fed441dc418a163a7ce48fd7e90558cb2ae52fa9b9df77f209c5c27e2b52428fe1e70fdc1fb639fd95aac7d0642c57892310e80712c58710c526045684

Download Submit
C:\Users\Admin\AppData\Local\Temp\녕사안세지잘.exe

Filesize
21.7MB

MD5
950e930a175d52237c15d63183b43a75

SHA1
389296f41b92afa129ebfbbd7d3af91e99416f37

SHA256
6770afd1c4c04275112d5d91b25b8fc50e78a747d973f948b2b6559392d96c6a

SHA512
4599cfc30260b5d1b1c1d76601f8c84f4164e5ce2a65d37261d0373e20d87cb7f61c142b706f9bd49738c2b38ef5690d8af418d2ffce8ee8ee36766988f3f002

Download Submit
memory/852-24-0x0000000140000000-0x0000000143997000-memory.dmp

Filesize
57.6MB

Download
memory/852-23-0x0000000140000000-0x0000000143997000-memory.dmp

Filesize
57.6MB

Download
memory/852-22-0x0000000140000000-0x0000000143997000-memory.dmp

Filesize
57.6MB

Download
memory/852-21-0x0000000140000000-0x0000000143997000-memory.dmp

Filesize
57.6MB

Download
memory/852-20-0x0000000140000000-0x0000000143997000-memory.dmp

Filesize
57.6MB

Download
memory/1928-7-0x00007FFE0E2D0000-0x00007FFE0E599000-memory.dmp

Filesize
2.8MB

Download
memory/1928-10-0x0000000140000000-0x0000000143997000-memory.dmp

Filesize
57.6MB

Download
memory/1928-9-0x0000000140000000-0x0000000143997000-memory.dmp

Filesize
57.6MB

Download
memory/1928-16-0x00007FFE0E2D0000-0x00007FFE0E599000-memory.dmp

Filesize
2.8MB

Download
memory/1928-15-0x0000000140000000-0x0000000143997000-memory.dmp

Filesize
57.6MB

Download
memory/1928-8-0x0000000140000000-0x0000000143997000-memory.dmp

Filesize
57.6MB

Download
memory/1928-6-0x0000000140000000-0x0000000143997000-memory.dmp

Filesize
57.6MB

Download
memory/1928-0-0x00007FFE00000000-0x00007FFE00002000-memory.dmp

Filesize
8KB

Download
memory/1928-3-0x00007FFE0E2D0000-0x00007FFE0E599000-memory.dmp

Filesize
2.8MB

Download
memory/1928-2-0x00007FFE0E2D0000-0x00007FFE0E599000-memory.dmp

Filesize
2.8MB

Download
memory/1928-1-0x00007FFE0E334000-0x00007FFE0E335000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads