7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1

General

Target

7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1.exe
Size

5.6MB
MD5

6f31189187689bfa03f9fd58a240d36d
SHA1

622c4b6284a15a7caeff238f388e1734333ce3d0
SHA256

7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1
SHA512

b0992dad6a17ec94179f0374178b444ef80f3ec58c1dc59da8002f6fb1a9ce1baf9ce557a85b0a1946ddc9bbd27d2530f27c605d8cf52038924252c8df4ae2f1

Score

10^/10

evasion themida trojan

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3104 created 4648 3104 WerFault.exe 7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

description	pid	process	target process
PID 3104 created 4648	3104	WerFault.exe	7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4648-131-0x00007FF662D70000-0x00007FF663C37000-memory.dmp	themida
behavioral2/memory/4648-132-0x00007FF662D70000-0x00007FF663C37000-memory.dmp	themida
behavioral2/memory/4648-133-0x00007FF662D70000-0x00007FF663C37000-memory.dmp	themida
behavioral2/memory/4648-134-0x00007FF662D70000-0x00007FF663C37000-memory.dmp	themida
behavioral2/memory/4648-135-0x00007FF662D70000-0x00007FF663C37000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1.exe

pid process

4648 7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1.exe

Drops file in Windows directory 8 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3080 4648 WerFault.exe 7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1.exe

pid	pid_target	process	target process
3080	4648	WerFault.exe	7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1.exeWerFault.exe

pid	process
4648	7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1.exe
4648	7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1.exe
3080	WerFault.exe
3080	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	3024	svchost.exe
Token: SeCreatePagefilePrivilege	3024	svchost.exe
Token: SeShutdownPrivilege	3024	svchost.exe
Token: SeCreatePagefilePrivilege	3024	svchost.exe
Token: SeShutdownPrivilege	3024	svchost.exe
Token: SeCreatePagefilePrivilege	3024	svchost.exe
Token: SeSecurityPrivilege	632	TiWorker.exe
Token: SeRestorePrivilege	632	TiWorker.exe
Token: SeBackupPrivilege	632	TiWorker.exe
Token: SeBackupPrivilege	632	TiWorker.exe
Token: SeRestorePrivilege	632	TiWorker.exe
Token: SeSecurityPrivilege	632	TiWorker.exe
Token: SeBackupPrivilege	632	TiWorker.exe
Token: SeRestorePrivilege	632	TiWorker.exe
Token: SeSecurityPrivilege	632	TiWorker.exe
Token: SeBackupPrivilege	632	TiWorker.exe
Token: SeRestorePrivilege	632	TiWorker.exe
Token: SeSecurityPrivilege	632	TiWorker.exe
Token: SeBackupPrivilege	632	TiWorker.exe
Token: SeRestorePrivilege	632	TiWorker.exe
Token: SeSecurityPrivilege	632	TiWorker.exe
Token: SeBackupPrivilege	632	TiWorker.exe
Token: SeRestorePrivilege	632	TiWorker.exe
Token: SeSecurityPrivilege	632	TiWorker.exe
Token: SeBackupPrivilege	632	TiWorker.exe
Token: SeRestorePrivilege	632	TiWorker.exe
Token: SeSecurityPrivilege	632	TiWorker.exe
Token: SeBackupPrivilege	632	TiWorker.exe
Token: SeRestorePrivilege	632	TiWorker.exe
Token: SeSecurityPrivilege	632	TiWorker.exe
Token: SeBackupPrivilege	632	TiWorker.exe
Token: SeRestorePrivilege	632	TiWorker.exe
Token: SeSecurityPrivilege	632	TiWorker.exe
Token: SeBackupPrivilege	632	TiWorker.exe
Token: SeRestorePrivilege	632	TiWorker.exe
Token: SeSecurityPrivilege	632	TiWorker.exe
Token: SeBackupPrivilege	632	TiWorker.exe
Token: SeRestorePrivilege	632	TiWorker.exe
Token: SeSecurityPrivilege	632	TiWorker.exe
Token: SeBackupPrivilege	632	TiWorker.exe
Token: SeRestorePrivilege	632	TiWorker.exe
Token: SeSecurityPrivilege	632	TiWorker.exe
Token: SeBackupPrivilege	632	TiWorker.exe
Token: SeRestorePrivilege	632	TiWorker.exe
Token: SeSecurityPrivilege	632	TiWorker.exe
Token: SeBackupPrivilege	632	TiWorker.exe
Token: SeRestorePrivilege	632	TiWorker.exe
Token: SeSecurityPrivilege	632	TiWorker.exe
Token: SeBackupPrivilege	632	TiWorker.exe
Token: SeRestorePrivilege	632	TiWorker.exe
Token: SeSecurityPrivilege	632	TiWorker.exe
Token: SeBackupPrivilege	632	TiWorker.exe
Token: SeRestorePrivilege	632	TiWorker.exe
Token: SeSecurityPrivilege	632	TiWorker.exe
Token: SeBackupPrivilege	632	TiWorker.exe
Token: SeRestorePrivilege	632	TiWorker.exe
Token: SeSecurityPrivilege	632	TiWorker.exe
Token: SeBackupPrivilege	632	TiWorker.exe
Token: SeRestorePrivilege	632	TiWorker.exe
Token: SeSecurityPrivilege	632	TiWorker.exe
Token: SeBackupPrivilege	632	TiWorker.exe
Token: SeRestorePrivilege	632	TiWorker.exe
Token: SeSecurityPrivilege	632	TiWorker.exe
Token: SeBackupPrivilege	632	TiWorker.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WerFault.exe

description	pid	process	target process
PID 3104 wrote to memory of 4648	3104	WerFault.exe	7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1.exe
PID 3104 wrote to memory of 4648	3104	WerFault.exe	7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1.exe

C:\Users\Admin\AppData\Local\Temp\7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1.exe
"C:\Users\Admin\AppData\Local\Temp\7d6fc90ebd69e00192c9318fa33d86712c1d59ce2fbc9e5ce68c88c78bb3c0a1.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4648 -s 1136
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:3080

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 4648 -ip 4648
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:632

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3024-136-0x0000024D0C750000-0x0000024D0C760000-memory.dmp

Filesize
64KB

Download
memory/3024-137-0x0000024D0CE20000-0x0000024D0CE30000-memory.dmp

Filesize
64KB

Download
memory/3024-138-0x0000024D0F4D0000-0x0000024D0F4D4000-memory.dmp

Filesize
16KB

Download
memory/4648-130-0x00007FF911FF0000-0x00007FF911FF2000-memory.dmp

Filesize
8KB

Download
memory/4648-131-0x00007FF662D70000-0x00007FF663C37000-memory.dmp

Filesize
14.8MB

Download
memory/4648-132-0x00007FF662D70000-0x00007FF663C37000-memory.dmp

Filesize
14.8MB

Download
memory/4648-133-0x00007FF662D70000-0x00007FF663C37000-memory.dmp

Filesize
14.8MB

Download
memory/4648-134-0x00007FF662D70000-0x00007FF663C37000-memory.dmp

Filesize
14.8MB

Download
memory/4648-135-0x00007FF662D70000-0x00007FF663C37000-memory.dmp

Filesize
14.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads