Overview

overview

9

Static

static

7

Scooby.exe

windows7-x64

9

Scooby.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    147s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/11/2024, 10:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Scooby.exe

  • Size

    7.8MB

  • MD5

    ae7fde370b3f9f9d8f85f9730fb7cb60

  • SHA1

    81f7adcb70ecdb64e163c214949b63f9da7d1e66

  • SHA256

    4fc4b28effd4a919a2c9135976641d17c349c92eb59530b142c37f900ff0e567

  • SHA512

    3bd2423aac11963e2a4f34db3881d566dc9abb12b8d4d097c15d4469de4366b7995850c23a2a2e040b424f9547b426d567d0634e2620a1885120d80eb32a706f

  • SSDEEP

    196608:TG/HEQpC4DtE0oBPd8Oq4BC0z9W2TOn3M0Q65oy9J7gb1/:T4ZpCVP/+0J63aUM/

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 11 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Scooby.exe
    "C:\Users\Admin\AppData\Local\Temp\Scooby.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Scooby.exe" MD5
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4584
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Scooby.exe" MD5
        3⤵
          PID:4832
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:212
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
      1⤵
      • Drops desktop.ini file(s)
      • Checks processor information in registry
      • Modifies registry class
      PID:3136

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Videos\Captures\desktop.ini
      Filesize

      190B

      MD5

      b0d27eaec71f1cd73b015f5ceeb15f9d

      SHA1

      62264f8b5c2f5034a1e4143df6e8c787165fbc2f

      SHA256

      86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

      SHA512

      7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

      Download Submit

    • memory/3056-7-0x00007FF6D6990000-0x00007FF6D7DFB000-memory.dmp

      Filesize

      20.4MB

      Download

    • memory/3056-9-0x00007FF6D6990000-0x00007FF6D7DFB000-memory.dmp

      Filesize

      20.4MB

      Download

    • memory/3056-4-0x00007FF6D6990000-0x00007FF6D7DFB000-memory.dmp

      Filesize

      20.4MB

      Download

    • memory/3056-5-0x00007FF6D6990000-0x00007FF6D7DFB000-memory.dmp

      Filesize

      20.4MB

      Download

    • memory/3056-2-0x00007FF6D6990000-0x00007FF6D7DFB000-memory.dmp

      Filesize

      20.4MB

      Download

    • memory/3056-0-0x00007FF6D6990000-0x00007FF6D7DFB000-memory.dmp

      Filesize

      20.4MB

      Download

    • memory/3056-8-0x00007FF6D6990000-0x00007FF6D7DFB000-memory.dmp

      Filesize

      20.4MB

      Download

    • memory/3056-3-0x00007FF6D6990000-0x00007FF6D7DFB000-memory.dmp

      Filesize

      20.4MB

      Download

    • memory/3056-6-0x00007FF6D6990000-0x00007FF6D7DFB000-memory.dmp

      Filesize

      20.4MB

      Download

    • memory/3056-10-0x00007FFAE7050000-0x00007FFAE7245000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3056-11-0x00007FF6D6990000-0x00007FF6D7DFB000-memory.dmp

      Filesize

      20.4MB

      Download

    • memory/3056-1-0x00007FFAE70F0000-0x00007FFAE70F2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3056-27-0x00007FFAE7050000-0x00007FFAE7245000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3056-28-0x00007FF6D6990000-0x00007FF6D7DFB000-memory.dmp

      Filesize

      20.4MB

      Download