Malware Analysis Report

2025-08-10 22:42

Sample ID 250127-zm3j2avmhx
Target utility-1.0.6.3.exe
SHA256 1b57734ff8cb74b218aa7c0920933e21142006a868f16e1ff51fab4f1d93d965
Tags: defense_evasion, themida, trojan
Score: 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 9/10

SHA256: 1b57734ff8cb74b218aa7c0920933e21142006a868f16e1ff51fab4f1d93d965

Threat Level: Likely malicious

The file utility-1.0.6.3.exe was found to be: Likely malicious. In the behavioral run it extracts utility.exe and Runtime64.dll into %TEMP%\RarSFX0 (the extraction directory a WinRAR self-extracting archive uses) and executes the dropped utility.exe; every signature with a recorded process below is attributed to that dropped binary, not to the outer SFX.

Malicious Activity Summary

Tags: defense_evasion, themida, trojan

Detected Nirsoft tools

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-01-27 20:51

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
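The static run records nothing beyond "Unsigned PE". The check behind that label, as an added example that is not the sandbox's own code: a standard-library parser that reads the PE optional header's data directory and reports whether the Authenticode certificate table (directory entry 4) is populated, alongside the SHA256 the report uses to identify the sample. The header bytes produced by build_min_pe64() are constructed here for testing and are not the analysed file. An empty entry means no embedded signature (catalog-signed Windows files are the exception); a populated entry only says a signature blob exists and does not validate it.

```python
"""Does a PE carry an Authenticode certificate table, and what is its SHA256?

Added example; not the sandbox's code. Standard library only. The bytes
produced by build_min_pe64() are a constructed header for testing, not the
analysed binary.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def security_directory(data):
    """Return (file_offset, size) of the certificate table, or (0, 0) if absent.

    Unlike other data directories, the security entry holds a raw file offset,
    not an RVA. Raises ValueError for anything that is not a well-formed PE.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    if len(data) < opt + 2:
        raise ValueError("truncated headers")
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        count_off, dd_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if len(data) < count_off + 4:
        raise ValueError("truncated optional header")
    num_dirs = struct.unpack_from("<I", data, count_off)[0]
    entry = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # The directory array must fit inside the declared optional header and the file.
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > min(opt + size_opt, len(data)):
        return (0, 0)
    return struct.unpack_from("<II", data, entry)


def triage(data):
    """Summary a report line would carry: hash plus whether a signature blob exists."""
    offset, size = security_directory(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "certificate_table": (offset, size),
        # A populated entry means a signature blob is embedded; it says nothing
        # about whether the signature verifies or the signer is trusted.
        "has_security_directory": offset != 0 and size != 0,
    }


def build_min_pe64(cert_off=0, cert_size=0):
    """Constructed minimal PE32+ header (no sections) used only for testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    num_dirs = 16
    size_opt = 112 + 8 * num_dirs
    # Machine=x64, 0 sections, no symbols, SizeOfOptionalHeader, Characteristics=EXE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, size_opt, 0x22)
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 106 + struct.pack("<I", num_dirs)
    dirs = bytearray(8 * num_dirs)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, cert_size)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)


if __name__ == "__main__":
    import sys
    sample = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_min_pe64()
    print(triage(sample))
```

Run it with a path argument to check a real file; without one it triages the constructed header and reports no certificate table.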

Analysis: behavioral1

Detonation Overview

Submitted: 2025-01-27 20:50

Reported: 2025-01-27 20:53

Platform: win11-20241023-en

Max time kernel: 87s

Max time network: 91s

Command Line

"C:\Users\Admin\AppData\Local\Temp\utility-1.0.6.3.exe"

Signatures

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: defense_evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\RarSFX0\utility.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\RarSFX0\utility.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\RarSFX0\utility.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\utility.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\utility.exe | N/A

Themida packer

Tags: themida
Description | Indicator | Process | Target
(9 matches; none carries a recorded description, indicator, process or target)

Themida's runtime performs its own debugger and virtual-machine checks, so the anti-VM, BIOS and HideFromDebugger hits in this run may come from the packer rather than from the payload it protects; the report does not distinguish the two, and the payload is only observable after the packer has unpacked it in memory.

Checks whether UAC is enabled

Tags: defense_evasion, trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RarSFX0\utility.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\utility.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
(64 events, all from C:\Users\Admin\AppData\Local\Temp\RarSFX0\utility.exe; no description, indicator or target recorded for any of them)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\utility.exe | N/A
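The registry and token rows above (the VBOX__ ACPI key, SystemBiosVersion and VideoBiosVersion, EnableLUA, SeDebugPrivilege) are raw events; turning them into a triage verdict, as an added example that is not the sandbox's signature engine, looks like the rule table below applied to events constructed here from the report's own rows. The category names and ATT&CK technique IDs are this example's mapping (the report's own MITRE section is empty), the extension of the VirtualBox rule to the FADT and RSDT siblings of DSDT\VBOX__ and the treatment of a %TEMP%\RarSFX<n> path as SFX staging are its assumptions.

```python
"""Triage sandbox registry/token events for anti-analysis behaviour.

Added example; not the sandbox's signature engine. EVENTS is constructed
from the rows this report shows. The rule table, its category names and
ATT&CK technique IDs are this example's own mapping.
"""
import re
from collections import Counter

PROC = r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\utility.exe"

# (Description, Indicator, Process) as the report's table columns list them.
EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", PROC),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", PROC),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", PROC),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", PROC),
    ("Token: SeDebugPrivilege", "N/A", PROC),
]

# (column, regex, category, ATT&CK technique). Assumption of this example:
# FADT/RSDT\VBOX__ are treated like DSDT\VBOX__ since VirtualBox stamps all three.
RULES = [
    ("indicator", r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", "anti-vm: VirtualBox ACPI OEM table", "T1497.001"),
    ("indicator", r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", "anti-vm: BIOS/VBIOS version strings", "T1497.001"),
    ("indicator", r"\\Policies\\System\\EnableLUA$", "uac: EnableLUA state query", "T1548.002"),
    ("description", r"^Token: SeDebugPrivilege$", "privilege: SeDebugPrivilege enabled", "T1134"),
]

# %TEMP%\RarSFX<n> is the extraction directory a WinRAR self-extracting archive uses.
SFX_DIR = re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d+\\", re.I)


def match_event(event):
    """Return (category, technique) for the first rule that fires, else None."""
    description, indicator, _process = event
    columns = {"description": description, "indicator": indicator}
    for column, pattern, category, technique in RULES:
        if re.search(pattern, columns[column], re.I):
            return category, technique
    return None


def triage(events):
    """Aggregate events into per-technique counts, findings, staging flag and tags."""
    findings = []
    techniques = Counter()
    processes = set()
    for event in events:
        processes.add(event[2])
        hit = match_event(event)
        if hit is None:
            continue
        category, technique = hit
        techniques[technique] += 1
        findings.append((category, technique, event[2]))
    sfx_staging = any(SFX_DIR.search(p) for p in processes)
    tags = set()
    if techniques["T1497.001"]:
        tags.add("defense_evasion")
    return {
        "processes": sorted(processes),
        "techniques": techniques,
        "findings": findings,
        "sfx_staging": sfx_staging,
        "tags": tags,
    }


if __name__ == "__main__":
    result = triage(EVENTS)
    for category, technique, process in result["findings"]:
        print(f"{technique:10} {category:40} {process}")
    print("sfx staging:", result["sfx_staging"], "tags:", ", ".join(sorted(result["tags"])))
```

The ACPI rule fires on a plain key open, with no value read, because HARDWARE\ACPI\DSDT\VBOX__ only exists when the guest's DSDT carries VirtualBox's OEM ID; a successful open is the whole check. The BIOS rule fires on value queries because SystemBiosVersion and VideoBiosVersion exist everywhere and only their contents (strings such as "VBOX") give the VM away, so a query alone is weaker evidence than the ACPI hit.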

Processes

C:\Users\Admin\AppData\Local\Temp\utility-1.0.6.3.exe

"C:\Users\Admin\AppData\Local\Temp\utility-1.0.6.3.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\utility.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\utility.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | keyauth.win | udp
US | 104.26.1.5:443 | keyauth.win | tcp
US | 8.8.8.8:53 | 5.1.26.104.in-addr.arpa | udp

The three rows are a forward lookup of keyauth.win through Google's resolver, a TCP/443 connection to the resolved address 104.26.1.5, and a reverse (PTR) lookup of that same address. No request or response content is recorded, so the report does not show what was exchanged over the connection.

Files

memory/4860-16-0x00007FFA0CAD3000-0x00007FFA0CAD5000-memory.dmp

memory/4860-17-0x0000019C10C10000-0x0000019C1512C000-memory.dmp

memory/4860-18-0x0000019C2F550000-0x0000019C2F628000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Runtime64.dll

MD5 1536bbb84ce32cfcaf72dbcfd5949401
SHA1 1c6742ed78c708672e06f2c8a4c989bc5e5a838d
SHA256 e3bcb8faecc22a443d41312b80e798a6358749d8b266a1bfc66ede45009e7b92
SHA512 387dda2304d0da1ed732c3d4a8f49987e5998251634cd8b449dd4821a0f7834830d7caaea5a0616ed5810ac4595d8355645266856cc8ba1e4bfed50c874c755e

memory/4860-21-0x00007FFA0CAD0000-0x00007FFA0D592000-memory.dmp

memory/4860-22-0x0000000180000000-0x0000000181261000-memory.dmp

memory/4860-23-0x00007FF47A870000-0x00007FF47AA78000-memory.dmp

memory/4860-24-0x00007FFA0CAD0000-0x00007FFA0D592000-memory.dmp

memory/4860-27-0x0000000180000000-0x0000000181261000-memory.dmp

memory/4860-26-0x0000000180000000-0x0000000181261000-memory.dmp

memory/4860-25-0x0000000180000000-0x0000000181261000-memory.dmp

memory/4860-29-0x00007FFA0B380000-0x00007FFA0B4CF000-memory.dmp

memory/4860-28-0x0000000180000000-0x0000000181261000-memory.dmp

memory/4860-30-0x0000019C2F550000-0x0000019C2F622000-memory.dmp

memory/4860-33-0x0000019C2F550000-0x0000019C2F622000-memory.dmp

memory/4860-31-0x0000019C2F550000-0x0000019C2F622000-memory.dmp

memory/4860-34-0x0000019C307A0000-0x0000019C30B76000-memory.dmp

memory/4860-35-0x0000019C30B80000-0x0000019C30C18000-memory.dmp

memory/4860-36-0x0000019C30C10000-0x0000019C30DFA000-memory.dmp

memory/4860-37-0x0000019C30E00000-0x0000019C30E96000-memory.dmp

memory/4860-38-0x0000019C30EA0000-0x0000019C30F34000-memory.dmp

memory/4860-39-0x00007FFA0CAD3000-0x00007FFA0CAD5000-memory.dmp

memory/4860-40-0x0000000180000000-0x0000000181261000-memory.dmp

memory/4860-41-0x00007FFA0CAD0000-0x00007FFA0D592000-memory.dmp

memory/4860-42-0x0000000180000000-0x0000000181261000-memory.dmp

memory/4860-43-0x00007FFA0CAD0000-0x00007FFA0D592000-memory.dmp

memory/4860-44-0x0000019C39630000-0x0000019C3D54C000-memory.dmp

memory/4860-45-0x00007FFA0CAD0000-0x00007FFA0D592000-memory.dmp

memory/4860-46-0x00007FFA0CAD0000-0x00007FFA0D592000-memory.dmp

memory/4860-47-0x0000019C2F1B0000-0x0000019C2F1B1000-memory.dmp

memory/4860-48-0x0000019C2F680000-0x0000019C2F692000-memory.dmp

memory/4860-49-0x0000019C2F9E0000-0x0000019C2FA1C000-memory.dmp

memory/4860-50-0x0000000180000000-0x0000000181261000-memory.dmp

memory/4860-51-0x00007FFA0CAD0000-0x00007FFA0D592000-memory.dmp

memory/4860-53-0x00007FFA0CAD0000-0x00007FFA0D592000-memory.dmp
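The memory dump names above encode a pid, a sequence number and the dumped address range, which the report does not decode. Parsing and grouping them, as an added example that is not part of the sandbox's tooling: DUMPS is a constructed subset of the names listed under Files, and the hints attached to the 0x180000000 range (the MSVC default image base for 64-bit DLLs) and to the 0x7FFA... range (the high user-mode range where Windows maps system DLLs) are this example's heuristics, not statements the report makes. Seeing one range dumped repeatedly (eight times for 0x180000000 in the full list) is consistent with that region being rewritten while the packer unpacks, but the report does not say why each dump was taken.

```python
"""Decode the sandbox's memory-dump file names into address regions.

Added example; not part of the report. DUMPS is a constructed subset of the
names listed under Files. The labels in classify() are heuristics of this
example, not statements the report makes.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

DUMPS = [
    "memory/4860-16-0x00007FFA0CAD3000-0x00007FFA0CAD5000-memory.dmp",
    "memory/4860-17-0x0000019C10C10000-0x0000019C1512C000-memory.dmp",
    "memory/4860-21-0x00007FFA0CAD0000-0x00007FFA0D592000-memory.dmp",
    "memory/4860-22-0x0000000180000000-0x0000000181261000-memory.dmp",
    "memory/4860-25-0x0000000180000000-0x0000000181261000-memory.dmp",
    "memory/4860-44-0x0000019C39630000-0x0000019C3D54C000-memory.dmp",
]

MSVC_X64_DLL_BASE = 0x180000000  # default /BASE for 64-bit DLLs linked by MSVC


def parse_dump_name(name):
    """Split one dump file name into pid, sequence number and the [start, end) range."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def classify(start, size):
    """Heuristic label for a region (assumptions of this example, not facts from the report)."""
    if start == MSVC_X64_DLL_BASE:
        return "default x64 DLL image base; candidate for an unpacked module"
    if 0x7FF000000000 <= start < 0x800000000000:
        return "high user-mode range where Windows maps system DLLs"
    if size >= 32 * 1024 * 1024:
        return "large private allocation (>= 32 MiB)"
    return "private allocation"


def summarise(names):
    """One row per distinct (pid, range), sorted by address, listing which dumps covered it."""
    regions = defaultdict(list)
    for name in names:
        d = parse_dump_name(name)
        regions[(d["pid"], d["start"], d["end"])].append(d["seq"])
    rows = []
    for (pid, start, end), seqs in sorted(regions.items()):
        rows.append({
            "pid": pid, "start": start, "end": end, "size": end - start,
            "dumps": sorted(seqs), "hint": classify(start, end - start),
        })
    return rows


if __name__ == "__main__":
    for row in summarise(DUMPS):
        print(f"pid {row['pid']} {row['start']:#018x}-{row['end']:#018x} "
              f"{row['size'] / 1024 / 1024:8.2f} MiB dumps={row['dumps']} {row['hint']}")
```

Feeding it the full list from the Files section gives the region sizes directly: the 0x180000000 range is about 18.4 MiB and the 0x19C10C10000 range about 69 MiB, which is the first thing to know before opening any of the dumps in a disassembler.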