c84d35f2958824982cedc7c88c848bc4ceae2c3389365033a34a52ad0060ca4c

General

Target

vqyyauw.exe
Size

5.4MB
MD5

e882bed1df1394f65df9943cc9726e6f
SHA1

53a25b728bd993d12a4ff6bb5d559c40d3701816
SHA256

c84d35f2958824982cedc7c88c848bc4ceae2c3389365033a34a52ad0060ca4c
SHA512

aedb0526c29eb878c7485c899a42d1cc691dfccb1b7b16e3418ab266888e15d00a148c6201c47a0adcf1db39f24aec6a3bfea9a824702065e1ce2a3c5c9f193b
SSDEEP

98304:37QRplXvUQijINsV48p2DN0MvJ7mBdkH1CFYOuwn95gF+C:8rhsQijIV8p2DNjNmRFYGDgFx

Score

9^/10

defense_evasion evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

vqyyauw.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ vqyyauw.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	vqyyauw.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vqyyauw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vqyyauw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vqyyauw.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4368-0-0x00007FF6AF9E0000-0x00007FF6B0729000-memory.dmp	themida
behavioral2/memory/4368-10-0x00007FF6AF9E0000-0x00007FF6B0729000-memory.dmp	themida
behavioral2/memory/4368-8-0x00007FF6AF9E0000-0x00007FF6B0729000-memory.dmp	themida
behavioral2/memory/4368-9-0x00007FF6AF9E0000-0x00007FF6B0729000-memory.dmp	themida
behavioral2/memory/4368-12-0x00007FF6AF9E0000-0x00007FF6B0729000-memory.dmp	themida
behavioral2/memory/4368-13-0x00007FF6AF9E0000-0x00007FF6B0729000-memory.dmp	themida
behavioral2/memory/4368-11-0x00007FF6AF9E0000-0x00007FF6B0729000-memory.dmp	themida
behavioral2/memory/4368-14-0x00007FF6AF9E0000-0x00007FF6B0729000-memory.dmp	themida
behavioral2/memory/4368-18-0x00007FF6AF9E0000-0x00007FF6B0729000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

vqyyauw.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vqyyauw.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

vqyyauw.exe

pid process

4368 vqyyauw.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

vqyyauw.exe

pid process

4368 vqyyauw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vqyyauw.exe

pid	process
4368	vqyyauw.exe

pid	process
4368	vqyyauw.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

vqyyauw.exe

description	pid	process	target process
PID 4368 wrote to memory of 4964	4368	vqyyauw.exe	cmd.exe
PID 4368 wrote to memory of 4964	4368	vqyyauw.exe	cmd.exe
PID 4368 wrote to memory of 3420	4368	vqyyauw.exe	cmd.exe
PID 4368 wrote to memory of 3420	4368	vqyyauw.exe	cmd.exe
PID 4368 wrote to memory of 3476	4368	vqyyauw.exe	cmd.exe
PID 4368 wrote to memory of 3476	4368	vqyyauw.exe	cmd.exe
PID 4368 wrote to memory of 2180	4368	vqyyauw.exe	cmd.exe
PID 4368 wrote to memory of 2180	4368	vqyyauw.exe	cmd.exe
PID 4368 wrote to memory of 4012	4368	vqyyauw.exe	cmd.exe
PID 4368 wrote to memory of 4012	4368	vqyyauw.exe	cmd.exe
PID 4368 wrote to memory of 1624	4368	vqyyauw.exe	cmd.exe
PID 4368 wrote to memory of 1624	4368	vqyyauw.exe	cmd.exe
PID 4368 wrote to memory of 4940	4368	vqyyauw.exe	cmd.exe
PID 4368 wrote to memory of 4940	4368	vqyyauw.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\vqyyauw.exe
"C:\Users\Admin\AppData\Local\Temp\vqyyauw.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f dec.exe
  2⤵
  PID:3420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f Binalyze.sys
  2⤵
  PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f epson.dll
  2⤵
  PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Binalyze.sys

Filesize
12KB

MD5
ff1d4de5bebacb1622e447501f711a2c

SHA1
c288952fdfe4e2525acf49a5ed43909e790aa05d

SHA256
8418186545a549643c4b8bd4d377e1cd6975bf72bdcbef3572a50098f0770e67

SHA512
75090f4515a8399693c365837752e16fb1953836cd83fe4d2b98e966532fd44f0d137090a77b40223fb94db749c369876009a3006afe0a844e1704f1c88cd407

Download Submit
C:\Users\Admin\AppData\Local\Temp\dec.exe

Filesize
297KB

MD5
e6a94a064ba8d985720684b24383678e

SHA1
7a0b95da48f329483fc28331b608cfd2d3e46b8d

SHA256
e4bb04bf7560b09fcf8043c087ed95f6a464f8e9697f7b9017a739b197ed4edb

SHA512
50713482f421e30db894376626f6fc802b3ebddb0a5e744bdf6450c2259911e448db2a537d8163c833f3547d63c920eb1c8454c197a855ed7673e39c2f4e8a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\epson.dll

Filesize
1.2MB

MD5
91ac5eeb4269febc570105a40ecbb47a

SHA1
0661aa0ebd05b3ec04bc390a4856237220a204d6

SHA256
982400ec9751ad8e42a02a8fb2b0a73c91b84c74eb5b9eff4c8f45981af46774

SHA512
b5cd5a061f9533eb46d0adbf816f5dbd8b03a174a3d03fe028ecf55afdccdeb258f03944c8c07b381105192b0a075ebb9f392431918060975da96c6a39f2c467

Download Submit
memory/4368-8-0x00007FF6AF9E0000-0x00007FF6B0729000-memory.dmp

Filesize
13.3MB

Download
memory/4368-9-0x00007FF6AF9E0000-0x00007FF6B0729000-memory.dmp

Filesize
13.3MB

Download
memory/4368-12-0x00007FF6AF9E0000-0x00007FF6B0729000-memory.dmp

Filesize
13.3MB

Download
memory/4368-13-0x00007FF6AF9E0000-0x00007FF6B0729000-memory.dmp

Filesize
13.3MB

Download
memory/4368-11-0x00007FF6AF9E0000-0x00007FF6B0729000-memory.dmp

Filesize
13.3MB

Download
memory/4368-14-0x00007FF6AF9E0000-0x00007FF6B0729000-memory.dmp

Filesize
13.3MB

Download
memory/4368-0-0x00007FF6AF9E0000-0x00007FF6B0729000-memory.dmp

Filesize
13.3MB

Download
memory/4368-10-0x00007FF6AF9E0000-0x00007FF6B0729000-memory.dmp

Filesize
13.3MB

Download
memory/4368-1-0x00007FFF09E30000-0x00007FFF09E32000-memory.dmp

Filesize
8KB

Download
memory/4368-18-0x00007FF6AF9E0000-0x00007FF6B0729000-memory.dmp

Filesize
13.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads