a1c0cf13e6d6ec991aa0a254a41e6f0eee050c22d6ec17672be746ed046d7e4f | Triage

Submit
Reports

Overview

overview

Static

static

7

a1c0cf13e6...4f.exe

windows7-x64

a1c0cf13e6...4f.exe

windows10-2004-x64

Sharing

General

Target

a1c0cf13e6d6ec991aa0a254a41e6f0eee050c22d6ec17672be746ed046d7e4f
Size

2.5MB
Sample

241101-webvkavmdp
MD5

b551e18a01e757ece82417fce15c9159
SHA1

e6d9d144614bdec105a38a40fad0db7085355d4a
SHA256

a1c0cf13e6d6ec991aa0a254a41e6f0eee050c22d6ec17672be746ed046d7e4f
SHA512

337fb83b11d73bc652950e800ffea222bd3350acfbdc135b683a4d8366ad97b897e4eacda384145546e47408d69db6266d6d731f2d1fa2400a175225b8054401
SSDEEP

49152:MxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxU:Mxx9NUFkQx753uWuCyyxU

Score

10^/10

discovery evasion persistence themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

a1c0cf13e6d6ec991aa0a254a41e6f0eee050c22d6ec17672be746ed046d7e4f.exe

Resource

win7-20241023-en

discovery evasion persistence themida trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

a1c0cf13e6d6ec991aa0a254a41e6f0eee050c22d6ec17672be746ed046d7e4f.exe

Resource

win10v2004-20241007-en

discovery evasion persistence themida trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  a1c0cf13e6d6ec991aa0a254a41e6f0eee050c22d6ec17672be746ed046d7e4f
- Size
  
  2.5MB
- MD5
  
  b551e18a01e757ece82417fce15c9159
- SHA1
  
  e6d9d144614bdec105a38a40fad0db7085355d4a
- SHA256
  
  a1c0cf13e6d6ec991aa0a254a41e6f0eee050c22d6ec17672be746ed046d7e4f
- SHA512
  
  337fb83b11d73bc652950e800ffea222bd3350acfbdc135b683a4d8366ad97b897e4eacda384145546e47408d69db6266d6d731f2d1fa2400a175225b8054401
- SSDEEP
  
  49152:MxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxU:Mxx9NUFkQx753uWuCyyxU
Score

10^/10

discovery evasion persistence themida trojan
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionpersistencethemidatrojan

behavioral2

discoveryevasionpersistencethemidatrojan

© 2018-2024

Terms | Privacy