9ec35c201fc13a3aa957921d8a752ba6d893e6a0c8a427bbbcbd7951374531cf

Analysis

max time kernel
9s
max time network
7s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MWIII.exe
Size

7.8MB
MD5

b28690b408681225c9a2a5edd79b4733
SHA1

6e96699ad95256ba20c43b6d7bfd4fb788439667
SHA256

9ec35c201fc13a3aa957921d8a752ba6d893e6a0c8a427bbbcbd7951374531cf
SHA512

9fdfdc5760515b69da479410fbca995ed760d468ea4c148538abf4fdc9290a8126b5573ec6de2234e5d46ceedcb0399a255a95852db5ef7d33a06ba6d9997fde
SSDEEP

196608:z8EW0ZGL/vXQS8blnejwaAUnEawEuxRWA5G6yfQfdn79wX:YEtZsHXjGlejwa5n5wdxs+9FyX

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MWIII.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MWIII.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MWIII.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/4564-0-0x0000000140000000-0x00000001412AC000-memory.dmp	themida
behavioral2/memory/4564-3-0x0000000140000000-0x00000001412AC000-memory.dmp	themida
behavioral2/memory/4564-2-0x0000000140000000-0x00000001412AC000-memory.dmp	themida
behavioral2/memory/4564-4-0x0000000140000000-0x00000001412AC000-memory.dmp	themida
behavioral2/memory/4564-6-0x0000000140000000-0x00000001412AC000-memory.dmp	themida
behavioral2/memory/4564-16-0x0000000140000000-0x00000001412AC000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MWIII.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4564	MWIII.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe
4564	MWIII.exe

C:\Users\Admin\AppData\Local\Temp\MWIII.exe
"C:\Users\Admin\AppData\Local\Temp\MWIII.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4564-0-0x0000000140000000-0x00000001412AC000-memory.dmp

Filesize
18.7MB

Download
memory/4564-1-0x00007FF93D350000-0x00007FF93D352000-memory.dmp

Filesize
8KB

Download
memory/4564-3-0x0000000140000000-0x00000001412AC000-memory.dmp

Filesize
18.7MB

Download
memory/4564-2-0x0000000140000000-0x00000001412AC000-memory.dmp

Filesize
18.7MB

Download
memory/4564-4-0x0000000140000000-0x00000001412AC000-memory.dmp

Filesize
18.7MB

Download
memory/4564-5-0x00007FF93D2B0000-0x00007FF93D4A5000-memory.dmp

Filesize
2.0MB

Download
memory/4564-6-0x0000000140000000-0x00000001412AC000-memory.dmp

Filesize
18.7MB

Download
memory/4564-7-0x00007FF93D2B0000-0x00007FF93D4A5000-memory.dmp

Filesize
2.0MB

Download
memory/4564-8-0x00007FF93D2B0000-0x00007FF93D4A5000-memory.dmp

Filesize
2.0MB

Download
memory/4564-9-0x00007FF93D2B0000-0x00007FF93D4A5000-memory.dmp

Filesize
2.0MB

Download
memory/4564-10-0x00007FF93D2B0000-0x00007FF93D4A5000-memory.dmp

Filesize
2.0MB

Download
memory/4564-11-0x00007FF93D2B0000-0x00007FF93D4A5000-memory.dmp

Filesize
2.0MB

Download
memory/4564-12-0x00007FF93D2B0000-0x00007FF93D4A5000-memory.dmp

Filesize
2.0MB

Download
memory/4564-13-0x00007FF93D2B0000-0x00007FF93D4A5000-memory.dmp

Filesize
2.0MB

Download
memory/4564-14-0x00007FF93D2B0000-0x00007FF93D4A5000-memory.dmp

Filesize
2.0MB

Download
memory/4564-15-0x00007FF93D2B0000-0x00007FF93D4A5000-memory.dmp

Filesize
2.0MB

Download
memory/4564-17-0x00007FF93D2B0000-0x00007FF93D4A5000-memory.dmp

Filesize
2.0MB

Download
memory/4564-16-0x0000000140000000-0x00000001412AC000-memory.dmp

Filesize
18.7MB

Download