124e9a0fb03fceb4dd2ed5820c5a8d8381a2bfe6922a6cf8b630c29d3bef564a

Analysis

max time kernel
131s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NetLimiterKeygenv1.3.exe
Size

3.8MB
MD5

403ce52e780c06d2869145ad4461b567
SHA1

026dab4630eaf49c77944cd8bbebd8f506e979bb
SHA256

124e9a0fb03fceb4dd2ed5820c5a8d8381a2bfe6922a6cf8b630c29d3bef564a
SHA512

34f7ecb0b6464d93f12050e4044fc3d779c71ac5c41666f76c6085d743515e3cb8b4720a4ed525bd6c07d211c0806d28dadb7739ef227890d78f558562c5a10a
SSDEEP

98304:Zo6iM+KzBm3CsCd/EIHl+yIKSJlF+qtFD03Miv0s:Zo9M+KVmod/EIF7IzlFtWMi8

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	NetLimiterKeygenv1.3.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NetLimiterKeygenv1.3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NetLimiterKeygenv1.3.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	NetLimiterKeygenv1.3.exe
2220	NetLimiterKeygenv1.3.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2220-30-0x00000000012D0000-0x0000000001C28000-memory.dmp	themida
behavioral1/memory/2220-31-0x00000000012D0000-0x0000000001C28000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NetLimiterKeygenv1.3.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bassmod.dll	NetLimiterKeygenv1.3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2220	NetLimiterKeygenv1.3.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetLimiterKeygenv1.3.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2220	NetLimiterKeygenv1.3.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2740	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2740	AUDIODG.EXE
Token: 33	2740	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2740	AUDIODG.EXE

C:\Users\Admin\AppData\Local\Temp\NetLimiterKeygenv1.3.exe
"C:\Users\Admin\AppData\Local\Temp\NetLimiterKeygenv1.3.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2220

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Netlimiter Keygen.X86.1.0.0.0\Native.dll

Filesize
71KB

MD5
36fde2466fea08328edb8744ee01981e

SHA1
c651bd011af3a1292ba8e59663c4018c17ef1291

SHA256
ac3d757539af3ac2103803f5f058fcf05d4082498dcb02f42ebf322a5ac9d9d6

SHA512
52b36430d07f5f3d20c9c4f054e368d730c2e3389231ea43c8da5cd343e51e7630f20e0096f069f815d3477c67b5b98b3bdb899871236cc02d0670642dd448f1

Download Submit
\Windows\SysWOW64\bassmod.dll

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
memory/2220-0-0x00000000012D0000-0x0000000001C28000-memory.dmp

Filesize
9.3MB

Download
memory/2220-1-0x00000000753A1000-0x00000000753A2000-memory.dmp

Filesize
4KB

Download
memory/2220-2-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-3-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-4-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-5-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-25-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-24-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-23-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-22-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-21-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-20-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-19-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-18-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-17-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-16-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-15-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-14-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-13-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-12-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-11-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-10-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-9-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-8-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-7-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-6-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-29-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-30-0x00000000012D0000-0x0000000001C28000-memory.dmp

Filesize
9.3MB

Download
memory/2220-31-0x00000000012D0000-0x0000000001C28000-memory.dmp

Filesize
9.3MB

Download
memory/2220-32-0x00000000003A0000-0x00000000003F4000-memory.dmp

Filesize
336KB

Download
memory/2220-34-0x00000000012D0000-0x0000000001C28000-memory.dmp

Filesize
9.3MB

Download
memory/2220-33-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/2220-35-0x00000000753A1000-0x00000000753A2000-memory.dmp

Filesize
4KB

Download
memory/2220-40-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-39-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-41-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-42-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2220-60-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2220-61-0x0000000075390000-0x00000000754A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-62-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2220-64-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2220-66-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2220-68-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2220-70-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2220-72-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2220-74-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2220-76-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2220-78-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2220-80-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2220-82-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2220-84-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2220-86-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download