eab5f974ec202f9576335f50646b1a7e6725557b1227b8f96ecc889c15498905

Analysis

max time kernel
114s
max time network
112s
platform
windows11-21h2_x64
resource
win11-20250207-en
resource tags

arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system
submitted
09-02-2025 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HVCI/MbixMY.exe
Size

19.7MB
MD5

09e04205ee2e4b53e2bbaa249baf2598
SHA1

05da5d90f8bbca7fc3999da1bd9e2b0e11de0197
SHA256

60afe971d2f46a4ccf942b83c666a2f8a88927fea173fa99f227348f65cadcb0
SHA512

d5393035d8507cf51168873970ae76da51113f411bb3b1998ff73307d5ed4ea979fe4d61fd88db12d81c47ce815987f239762cc683b10dd749201c0c8c7ba2b5
SSDEEP

393216:lDahR5qGWQrGH+ipoatUWIDqBuH7iUFmO9BHq12s1T5oL34UMqt:lDapqGWe1bauqBXSmO7HQDtG0qt

Score

9^/10

defense_evasion discovery themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	gGTdgw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MbixMY.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
15	3420	Process not Found

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MbixMY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gGTdgw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	gGTdgw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MbixMY.exe

Executes dropped EXE 1 IoCs

pid	Process
4816	gGTdgw.exe

Themida packer 21 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral8/memory/404-5-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral8/memory/404-6-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral8/memory/404-7-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral8/memory/404-8-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral8/files/0x001d00000002acf8-11.dat	themida
behavioral8/memory/404-12-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral8/memory/4816-15-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral8/memory/4816-16-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral8/memory/4816-17-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral8/memory/4816-18-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral8/memory/4816-37-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral8/memory/4816-38-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral8/memory/4816-39-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral8/memory/4816-40-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral8/memory/4816-41-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral8/memory/4816-42-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral8/memory/4816-44-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral8/memory/4816-45-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral8/memory/4816-46-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral8/memory/4816-47-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral8/memory/4816-48-0x0000000140000000-0x0000000143226000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MbixMY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gGTdgw.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
404	MbixMY.exe
4816	gGTdgw.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4100	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	404	MbixMY.exe
Token: SeDebugPrivilege	4816	gGTdgw.exe
Token: SeIncreaseQuotaPrivilege	5060	WMIC.exe
Token: SeSecurityPrivilege	5060	WMIC.exe
Token: SeTakeOwnershipPrivilege	5060	WMIC.exe
Token: SeLoadDriverPrivilege	5060	WMIC.exe
Token: SeSystemProfilePrivilege	5060	WMIC.exe
Token: SeSystemtimePrivilege	5060	WMIC.exe
Token: SeProfSingleProcessPrivilege	5060	WMIC.exe
Token: SeIncBasePriorityPrivilege	5060	WMIC.exe
Token: SeCreatePagefilePrivilege	5060	WMIC.exe
Token: SeBackupPrivilege	5060	WMIC.exe
Token: SeRestorePrivilege	5060	WMIC.exe
Token: SeShutdownPrivilege	5060	WMIC.exe
Token: SeDebugPrivilege	5060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5060	WMIC.exe
Token: SeRemoteShutdownPrivilege	5060	WMIC.exe
Token: SeUndockPrivilege	5060	WMIC.exe
Token: SeManageVolumePrivilege	5060	WMIC.exe
Token: 33	5060	WMIC.exe
Token: 34	5060	WMIC.exe
Token: 35	5060	WMIC.exe
Token: 36	5060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5060	WMIC.exe
Token: SeSecurityPrivilege	5060	WMIC.exe
Token: SeTakeOwnershipPrivilege	5060	WMIC.exe
Token: SeLoadDriverPrivilege	5060	WMIC.exe
Token: SeSystemProfilePrivilege	5060	WMIC.exe
Token: SeSystemtimePrivilege	5060	WMIC.exe
Token: SeProfSingleProcessPrivilege	5060	WMIC.exe
Token: SeIncBasePriorityPrivilege	5060	WMIC.exe
Token: SeCreatePagefilePrivilege	5060	WMIC.exe
Token: SeBackupPrivilege	5060	WMIC.exe
Token: SeRestorePrivilege	5060	WMIC.exe
Token: SeShutdownPrivilege	5060	WMIC.exe
Token: SeDebugPrivilege	5060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5060	WMIC.exe
Token: SeRemoteShutdownPrivilege	5060	WMIC.exe
Token: SeUndockPrivilege	5060	WMIC.exe
Token: SeManageVolumePrivilege	5060	WMIC.exe
Token: 33	5060	WMIC.exe
Token: 34	5060	WMIC.exe
Token: 35	5060	WMIC.exe
Token: 36	5060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	668	WMIC.exe
Token: SeSecurityPrivilege	668	WMIC.exe
Token: SeTakeOwnershipPrivilege	668	WMIC.exe
Token: SeLoadDriverPrivilege	668	WMIC.exe
Token: SeSystemProfilePrivilege	668	WMIC.exe
Token: SeSystemtimePrivilege	668	WMIC.exe
Token: SeProfSingleProcessPrivilege	668	WMIC.exe
Token: SeIncBasePriorityPrivilege	668	WMIC.exe
Token: SeCreatePagefilePrivilege	668	WMIC.exe
Token: SeBackupPrivilege	668	WMIC.exe
Token: SeRestorePrivilege	668	WMIC.exe
Token: SeShutdownPrivilege	668	WMIC.exe
Token: SeDebugPrivilege	668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	668	WMIC.exe
Token: SeRemoteShutdownPrivilege	668	WMIC.exe
Token: SeUndockPrivilege	668	WMIC.exe
Token: SeManageVolumePrivilege	668	WMIC.exe
Token: 33	668	WMIC.exe
Token: 34	668	WMIC.exe
Token: 35	668	WMIC.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 4816	404	MbixMY.exe	82
PID 404 wrote to memory of 4816	404	MbixMY.exe	82
PID 404 wrote to memory of 3352	404	MbixMY.exe	83
PID 404 wrote to memory of 3352	404	MbixMY.exe	83
PID 3352 wrote to memory of 792	3352	cmd.exe	85
PID 3352 wrote to memory of 792	3352	cmd.exe	85
PID 4816 wrote to memory of 2092	4816	gGTdgw.exe	86
PID 4816 wrote to memory of 2092	4816	gGTdgw.exe	86
PID 2092 wrote to memory of 5060	2092	cmd.exe	88
PID 2092 wrote to memory of 5060	2092	cmd.exe	88
PID 4816 wrote to memory of 4660	4816	gGTdgw.exe	90
PID 4816 wrote to memory of 4660	4816	gGTdgw.exe	90
PID 4660 wrote to memory of 668	4660	cmd.exe	92
PID 4660 wrote to memory of 668	4660	cmd.exe	92
PID 4816 wrote to memory of 932	4816	gGTdgw.exe	93
PID 4816 wrote to memory of 932	4816	gGTdgw.exe	93
PID 932 wrote to memory of 2360	932	cmd.exe	95
PID 932 wrote to memory of 2360	932	cmd.exe	95
PID 4816 wrote to memory of 3124	4816	gGTdgw.exe	96
PID 4816 wrote to memory of 3124	4816	gGTdgw.exe	96
PID 3124 wrote to memory of 752	3124	cmd.exe	98
PID 3124 wrote to memory of 752	3124	cmd.exe	98
PID 4816 wrote to memory of 5112	4816	gGTdgw.exe	99
PID 4816 wrote to memory of 5112	4816	gGTdgw.exe	99
PID 5112 wrote to memory of 3896	5112	cmd.exe	101
PID 5112 wrote to memory of 3896	5112	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\HVCI\MbixMY.exe
"C:\Users\Admin\AppData\Local\Temp\HVCI\MbixMY.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404
- C:\Users\Admin\AppData\Local\Temp\HVCI\gGTdgw.exe
  "gGTdgw.exe" -R
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c wmic csproduct get uuid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5060
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c wmic BIOS get Manufacturer
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic BIOS get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:668
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c wmic BIOS get SMBIOSBIOSVersion
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic BIOS get SMBIOSBIOSVersion
      4⤵
      PID:2360
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c wmic BIOS get ReleaseDate
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic BIOS get ReleaseDate
      4⤵
      PID:752
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c wmic BIOS get Version
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic BIOS get Version
      4⤵
      PID:3896
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\HVCI\MbixMY.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:792

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTM0RjU2NDgtMzVGQS00Q0EzLUE0N0ItQ0MxRDZEMTU3RDNEfSIgdXNlcmlkPSJ7NkYwNTM5REYtMDEwMi00NjQwLUEyNUItREI1QzQ0QzYwOTI4fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MkE2Nzg0M0YtNEU3OC00Mjk2LUIyRUItRDBBMkE4MzhFRDUxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczODk1NDk2OSIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI3NjY5NTc5MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUyOTA1ODI1MDIiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HVCI\Config.ini

Filesize
367B

MD5
7454df6cd0d28e81275ed4280bb78f3a

SHA1
2dcf07cabfd953c685fa6f2aae7d71eec33adee8

SHA256
767cba75d23ddcf7822abac7461053f3ddcc315ebe5974d31e7a2a8ac574c15f

SHA512
2bbb290f41909c1b0c4657cd385b896b0ae57041cd34e6204c6d3b61f0e42a49e2a72cd4d94296b93cd2ec49d2edf1ee2d2946045dceabdc58a8f293bca6378a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HVCI\gGTdgw.exe

Filesize
19.7MB

MD5
6a3ec932de55df065644c3e0fc13d3b4

SHA1
4ba3766cc4d7b5072925a24d2f33c6548f2f0831

SHA256
1afe8556829f9c2a6afe878cdddae4ae1bded1749a7718043459573bc2a87fc7

SHA512
0b3e43f468f8cad904c505e54bdbadc34307f2aba2d227b40b55b284fae9092d1e5cf71762e0b6101bbaedcb41220c38544fee9ef8f07f0f7429d0838b9cbb82

Download Submit
memory/404-3-0x00007FFF963A0000-0x00007FFF96714000-memory.dmp

Filesize
3.5MB

Download
memory/404-0-0x00007FFF963F9000-0x00007FFF963FA000-memory.dmp

Filesize
4KB

Download
memory/404-4-0x00007FFF963A0000-0x00007FFF96714000-memory.dmp

Filesize
3.5MB

Download
memory/404-5-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/404-6-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/404-7-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/404-8-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/404-2-0x00007FFF963A0000-0x00007FFF96714000-memory.dmp

Filesize
3.5MB

Download
memory/404-14-0x00007FFF963A0000-0x00007FFF96714000-memory.dmp

Filesize
3.5MB

Download
memory/404-12-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/404-1-0x00007FFF963A0000-0x00007FFF96714000-memory.dmp

Filesize
3.5MB

Download
memory/4816-17-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/4816-40-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/4816-18-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/4816-15-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/4816-37-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/4816-38-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/4816-39-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/4816-16-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/4816-41-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/4816-42-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/4816-44-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/4816-45-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/4816-46-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/4816-47-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/4816-48-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads