58337239098c01aca77aa8b4e7768ff2865400b802f3f3381fc38f8f5e30c70c

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MainC-razy.exe
Size

18.6MB
MD5

ee0856acfae5be20b38ea85315720cb2
SHA1

e45a3bfae79c9bda70479f5d3addad4ceea44423
SHA256

58337239098c01aca77aa8b4e7768ff2865400b802f3f3381fc38f8f5e30c70c
SHA512

7c79509309e229bb66ffcfb22853ed8a13fccac4123decb81898ee55f67643df1cb8dfe92a7a49094b3984b694a47fcb512d5d4d54e7f04440c076d5149f9e16
SSDEEP

393216:eEjNaf4lx6fuKIx5ndL01+l+uq+VvbW+eGQRXMTozGxu8C0ibftJXMu9:LjNu4lk3IxRR01+l+uqgvbW+e5Raoztx

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

main_protected.exemain_protected.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ main_protected.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ main_protected.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	main_protected.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	main_protected.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

main_protected.exemain_protected.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	main_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	main_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	main_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	main_protected.exe

Executes dropped EXE 2 IoCs

Processes:

main_protected.exemain_protected.exe

pid process

1140 main_protected.exe
2628 main_protected.exe
Loads dropped DLL 4 IoCs

Processes:

MainC-razy.exemain_protected.exemain_protected.exe

pid process

2124 MainC-razy.exe
2612
1140 main_protected.exe
2628 main_protected.exe

pid	process
1140	main_protected.exe
2628	main_protected.exe

pid	process
2124	MainC-razy.exe
2612
1140	main_protected.exe
2628	main_protected.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MainC-razy_02fca171-a59e-432e-b389-28c667c53cbb\main_protected.exe	themida
behavioral1/memory/1140-15-0x0000000140000000-0x0000000140A88000-memory.dmp	themida
behavioral1/memory/1140-18-0x0000000140000000-0x0000000140A88000-memory.dmp	themida
behavioral1/memory/1140-19-0x0000000140000000-0x0000000140A88000-memory.dmp	themida
behavioral1/memory/2628-54-0x0000000140000000-0x0000000140A88000-memory.dmp	themida
behavioral1/memory/2628-56-0x0000000140000000-0x0000000140A88000-memory.dmp	themida
behavioral1/memory/2628-57-0x0000000140000000-0x0000000140A88000-memory.dmp	themida
behavioral1/memory/2628-61-0x0000000140000000-0x0000000140A88000-memory.dmp	themida
behavioral1/memory/1140-93-0x0000000140000000-0x0000000140A88000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

main_protected.exemain_protected.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	main_protected.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	main_protected.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

main_protected.exemain_protected.exe

pid process

1140 main_protected.exe
2628 main_protected.exe

pid	process
1140	main_protected.exe
2628	main_protected.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

MainC-razy.exemain_protected.exe

description	pid	process	target process
PID 2124 wrote to memory of 1140	2124	MainC-razy.exe	main_protected.exe
PID 2124 wrote to memory of 1140	2124	MainC-razy.exe	main_protected.exe
PID 2124 wrote to memory of 1140	2124	MainC-razy.exe	main_protected.exe
PID 2124 wrote to memory of 1140	2124	MainC-razy.exe	main_protected.exe
PID 1140 wrote to memory of 2628	1140	main_protected.exe	main_protected.exe
PID 1140 wrote to memory of 2628	1140	main_protected.exe	main_protected.exe
PID 1140 wrote to memory of 2628	1140	main_protected.exe	main_protected.exe

C:\Users\Admin\AppData\Local\Temp\MainC-razy.exe
"C:\Users\Admin\AppData\Local\Temp\MainC-razy.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124

C:\Users\Admin\AppData\Local\Temp\MainC-razy_02fca171-a59e-432e-b389-28c667c53cbb\main_protected.exe
"C:\Users\Admin\AppData\Local\Temp\MainC-razy_02fca171-a59e-432e-b389-28c667c53cbb\main_protected.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1140

C:\Users\Admin\AppData\Local\Temp\MainC-razy_02fca171-a59e-432e-b389-28c667c53cbb\main_protected.exe
"C:\Users\Admin\AppData\Local\Temp\MainC-razy_02fca171-a59e-432e-b389-28c667c53cbb\main_protected.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2628

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI11402\python312.dll
Filesize
6.7MB

MD5
48ebfefa21b480a9b0dbfc3364e1d066

SHA1
b44a3a9b8c585b30897ddc2e4249dfcfd07b700a

SHA256
0cc4e557972488eb99ea4aeb3d29f3ade974ef3bcd47c211911489a189a0b6f2

SHA512
4e6194f1c55b82ee41743b35d749f5d92a955b219decacf9f1396d983e0f92ae02089c7f84a2b8296a3062afa3f9c220da9b7cd9ed01b3315ea4a953b4ecc6ce

Download Submit
\Users\Admin\AppData\Local\Temp\MainC-razy_02fca171-a59e-432e-b389-28c667c53cbb\main_protected.exe
Filesize
15.3MB

MD5
ef0843783dc297098f2687448afc278d

SHA1
ba1a2683e11433645e13f70ab591c80e8d2acbf9

SHA256
539377e8badeb22556d54e62dcb043cc9e7cb938322cffbdecf3546a0e9a388c

SHA512
05348f7cfe0682454042472f3e85d66e3359073d74d988cc0f0e6d2ca1cb434f0d0bf35f0a8ef203f45daf707741961a845c7919baec3fe446024bd7249d4adc

Download Submit
memory/1140-19-0x0000000140000000-0x0000000140A88000-memory.dmp

Filesize
10.5MB

Download
memory/1140-15-0x0000000140000000-0x0000000140A88000-memory.dmp

Filesize
10.5MB

Download
memory/1140-16-0x00000000771E0000-0x00000000771E2000-memory.dmp

Filesize
8KB

Download
memory/1140-18-0x0000000140000000-0x0000000140A88000-memory.dmp

Filesize
10.5MB

Download
memory/1140-53-0x00000000024E0000-0x0000000002F68000-memory.dmp

Filesize
10.5MB

Download
memory/1140-93-0x0000000140000000-0x0000000140A88000-memory.dmp

Filesize
10.5MB

Download
memory/2124-3-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/2124-2-0x0000000000430000-0x0000000000454000-memory.dmp

Filesize
144KB

Download
memory/2124-13-0x0000000005170000-0x0000000005BF8000-memory.dmp

Filesize
10.5MB

Download
memory/2124-1-0x0000000000C90000-0x0000000000CDA000-memory.dmp

Filesize
296KB

Download
memory/2124-0-0x0000000073F7E000-0x0000000073F7F000-memory.dmp

Filesize
4KB

Download
memory/2124-97-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/2628-54-0x0000000140000000-0x0000000140A88000-memory.dmp

Filesize
10.5MB

Download
memory/2628-57-0x0000000140000000-0x0000000140A88000-memory.dmp

Filesize
10.5MB

Download
memory/2628-61-0x0000000140000000-0x0000000140A88000-memory.dmp

Filesize
10.5MB

Download
memory/2628-62-0x0000000077190000-0x0000000077339000-memory.dmp

Filesize
1.7MB

Download
memory/2628-56-0x0000000140000000-0x0000000140A88000-memory.dmp

Filesize
10.5MB

Download
memory/2628-55-0x0000000077190000-0x0000000077339000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads