964a805a94e838ec7981e546f4ac79d522a88784757740b1375e39a08e833c9d

General

Target

964a805a94e838ec7981e546f4ac79d522a88784757740b1375e39a08e833c9d.exe
Size

15.2MB
MD5

07b97630f5cb4c47a65a31f8d4d2b725
SHA1

506c6f6855e45bb3ac53c1431395b7060308b86e
SHA256

964a805a94e838ec7981e546f4ac79d522a88784757740b1375e39a08e833c9d
SHA512

322918f6373c33c4a941c47d266958c87b849df5fa0ff3a2ee02db39749784f26fda9b8e0d20f3655b1fbd7bfe90964feb25566139399e132dd33130b459a3a1
SSDEEP

393216:xzRcVmqWE9O8Vy2GcM2zjzovmCUopNK8GZbYEpkz7:xEPqTcZX0+CUop2xA

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	964a805a94e838ec7981e546f4ac79d522a88784757740b1375e39a08e833c9d.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	964a805a94e838ec7981e546f4ac79d522a88784757740b1375e39a08e833c9d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	964a805a94e838ec7981e546f4ac79d522a88784757740b1375e39a08e833c9d.exe

Themida packer 19 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2572-0-0x0000000140000000-0x00000001416F6000-memory.dmp	themida
behavioral1/memory/2572-2-0x0000000140000000-0x00000001416F6000-memory.dmp	themida
behavioral1/memory/2572-4-0x0000000140000000-0x00000001416F6000-memory.dmp	themida
behavioral1/memory/2572-3-0x0000000140000000-0x00000001416F6000-memory.dmp	themida
behavioral1/memory/2572-11-0x0000000140000000-0x00000001416F6000-memory.dmp	themida
behavioral1/memory/2572-12-0x0000000140000000-0x00000001416F6000-memory.dmp	themida
behavioral1/memory/2572-13-0x0000000140000000-0x00000001416F6000-memory.dmp	themida
behavioral1/memory/2572-14-0x0000000140000000-0x00000001416F6000-memory.dmp	themida
behavioral1/memory/2572-15-0x0000000140000000-0x00000001416F6000-memory.dmp	themida
behavioral1/memory/2572-16-0x0000000140000000-0x00000001416F6000-memory.dmp	themida
behavioral1/memory/2572-17-0x0000000140000000-0x00000001416F6000-memory.dmp	themida
behavioral1/memory/2572-18-0x0000000140000000-0x00000001416F6000-memory.dmp	themida
behavioral1/memory/2572-19-0x0000000140000000-0x00000001416F6000-memory.dmp	themida
behavioral1/memory/2572-20-0x0000000140000000-0x00000001416F6000-memory.dmp	themida
behavioral1/memory/2572-21-0x0000000140000000-0x00000001416F6000-memory.dmp	themida
behavioral1/memory/2572-22-0x0000000140000000-0x00000001416F6000-memory.dmp	themida
behavioral1/memory/2572-23-0x0000000140000000-0x00000001416F6000-memory.dmp	themida
behavioral1/memory/2572-24-0x0000000140000000-0x00000001416F6000-memory.dmp	themida
behavioral1/memory/2572-25-0x0000000140000000-0x00000001416F6000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	964a805a94e838ec7981e546f4ac79d522a88784757740b1375e39a08e833c9d.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2572	964a805a94e838ec7981e546f4ac79d522a88784757740b1375e39a08e833c9d.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2572	964a805a94e838ec7981e546f4ac79d522a88784757740b1375e39a08e833c9d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2572	964a805a94e838ec7981e546f4ac79d522a88784757740b1375e39a08e833c9d.exe
2572	964a805a94e838ec7981e546f4ac79d522a88784757740b1375e39a08e833c9d.exe

C:\Users\Admin\AppData\Local\Temp\964a805a94e838ec7981e546f4ac79d522a88784757740b1375e39a08e833c9d.exe
"C:\Users\Admin\AppData\Local\Temp\964a805a94e838ec7981e546f4ac79d522a88784757740b1375e39a08e833c9d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2572-1-0x0000000077940000-0x0000000077942000-memory.dmp

Filesize
8KB

Download
memory/2572-0-0x0000000140000000-0x00000001416F6000-memory.dmp

Filesize
23.0MB

Download
memory/2572-2-0x0000000140000000-0x00000001416F6000-memory.dmp

Filesize
23.0MB

Download
memory/2572-4-0x0000000140000000-0x00000001416F6000-memory.dmp

Filesize
23.0MB

Download
memory/2572-3-0x0000000140000000-0x00000001416F6000-memory.dmp

Filesize
23.0MB

Download
memory/2572-5-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

Filesize
4KB

Download
memory/2572-6-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

Filesize
4KB

Download
memory/2572-11-0x0000000140000000-0x00000001416F6000-memory.dmp

Filesize
23.0MB

Download
memory/2572-12-0x0000000140000000-0x00000001416F6000-memory.dmp

Filesize
23.0MB

Download
memory/2572-13-0x0000000140000000-0x00000001416F6000-memory.dmp

Filesize
23.0MB

Download
memory/2572-14-0x0000000140000000-0x00000001416F6000-memory.dmp

Filesize
23.0MB

Download
memory/2572-15-0x0000000140000000-0x00000001416F6000-memory.dmp

Filesize
23.0MB

Download
memory/2572-16-0x0000000140000000-0x00000001416F6000-memory.dmp

Filesize
23.0MB

Download
memory/2572-17-0x0000000140000000-0x00000001416F6000-memory.dmp

Filesize
23.0MB

Download
memory/2572-18-0x0000000140000000-0x00000001416F6000-memory.dmp

Filesize
23.0MB

Download
memory/2572-19-0x0000000140000000-0x00000001416F6000-memory.dmp

Filesize
23.0MB

Download
memory/2572-20-0x0000000140000000-0x00000001416F6000-memory.dmp

Filesize
23.0MB

Download
memory/2572-21-0x0000000140000000-0x00000001416F6000-memory.dmp

Filesize
23.0MB

Download
memory/2572-22-0x0000000140000000-0x00000001416F6000-memory.dmp

Filesize
23.0MB

Download
memory/2572-23-0x0000000140000000-0x00000001416F6000-memory.dmp

Filesize
23.0MB

Download
memory/2572-24-0x0000000140000000-0x00000001416F6000-memory.dmp

Filesize
23.0MB

Download
memory/2572-25-0x0000000140000000-0x00000001416F6000-memory.dmp

Filesize
23.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads