6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31

General

Target

DDOSER FOR WINDOWS 11_protected.exe
Size

8.7MB
MD5

41b147fd16a94a8ea6164177cf91733c
SHA1

f586388782d636b286ef606de997087f451fe11f
SHA256

6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31
SHA512

c15b8cc463186471a12431131d90733f9389d2eded969ee056b1bfe391ab255fc88c4f1b896e05dc6d4f94cba82bf066316fca489047781e13ddfd522e9e5da0
SSDEEP

196608:lPWgT2X83i4bCFRu3TN9hoy6Enwc4GgpG0REtHIrq7L3mrbW3jmy+:lDKXe0c3jWyotGgpGLtz7bmrbmyJ

Score

9^/10

discovery evasion themida trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DDOSER FOR WINDOWS 11_protected.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DDOSER FOR WINDOWS 11_protected.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0005000000019515-29.dat	acprotect

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DDOSER FOR WINDOWS 11_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DDOSER FOR WINDOWS 11_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DDOSER FOR WINDOWS 11_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DDOSER FOR WINDOWS 11_protected.exe

Loads dropped DLL 1 IoCs

pid	Process
2892	DDOSER FOR WINDOWS 11_protected.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2736-0-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral1/memory/2736-2-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral1/memory/2736-3-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral1/memory/2736-25-0x0000000002930000-0x0000000003077000-memory.dmp	themida
behavioral1/memory/2892-26-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral1/memory/2892-27-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral1/memory/2892-28-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral1/memory/2892-33-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral1/memory/2736-34-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral1/memory/2736-56-0x0000000000400000-0x0000000000B47000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DDOSER FOR WINDOWS 11_protected.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DDOSER FOR WINDOWS 11_protected.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2736	DDOSER FOR WINDOWS 11_protected.exe
2892	DDOSER FOR WINDOWS 11_protected.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019515-29.dat	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DDOSER FOR WINDOWS 11_protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DDOSER FOR WINDOWS 11_protected.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2736	DDOSER FOR WINDOWS 11_protected.exe
2892	DDOSER FOR WINDOWS 11_protected.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2892	2736	DDOSER FOR WINDOWS 11_protected.exe	30
PID 2736 wrote to memory of 2892	2736	DDOSER FOR WINDOWS 11_protected.exe	30
PID 2736 wrote to memory of 2892	2736	DDOSER FOR WINDOWS 11_protected.exe	30
PID 2736 wrote to memory of 2892	2736	DDOSER FOR WINDOWS 11_protected.exe	30

C:\Users\Admin\AppData\Local\Temp\DDOSER FOR WINDOWS 11_protected.exe
"C:\Users\Admin\AppData\Local\Temp\DDOSER FOR WINDOWS 11_protected.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\DDOSER FOR WINDOWS 11_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\DDOSER FOR WINDOWS 11_protected.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI27362\python311.dll

Filesize
1.4MB

MD5
0e06f85bcfb1c684469ce62e35b5c272

SHA1
73122369425c1fec9a035975a1834139f6869279

SHA256
6209e55cae73ab3d7bb19a80cd4fb9981b6a3db75bcd5036e84084b23956d9f8

SHA512
c4077f23bf2bc1b2826ad85b4955419b4f79c1bba144372e6706ee8e07ea252d820fdb8c43a6fdd4020fa1e468aff287df443a42b2fdcbd9f41d56f5bbe83b4f

Download Submit
memory/2736-3-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/2736-2-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/2736-0-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/2736-25-0x0000000002930000-0x0000000003077000-memory.dmp

Filesize
7.3MB

Download
memory/2736-1-0x00000000777D0000-0x00000000777D2000-memory.dmp

Filesize
8KB

Download
memory/2736-34-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/2736-56-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/2892-26-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/2892-27-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/2892-28-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/2892-31-0x0000000074670000-0x0000000074B7B000-memory.dmp

Filesize
5.0MB

Download
memory/2892-33-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads