dea30e9fae094570ec778a0c06c813de1d490b9941f3b147199b28bf6f04ab6d

Analysis

max time kernel
30s
max time network
31s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ShxdowFNPriv.exe
Size

8.9MB
MD5

b71f7df698f84a4a2be07470c0211c42
SHA1

d5c136cb51351227171e712e5d13418f889a24ce
SHA256

dea30e9fae094570ec778a0c06c813de1d490b9941f3b147199b28bf6f04ab6d
SHA512

1078c75a89a2d3abfda257da636e2898ae8ed0bb3ff38105917f1ac6e79edd311157db90838bec7a3822374ef2e63b5228ff805980a4f38a0852e2f348cfcf17
SSDEEP

196608:KM5i3Gve7iiGc7oMcVnUWGdFo3ZOlQKtvRbKP37OLvRs:KM5TvIiUoMcOWxpOlhsTOTRs

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

ShxdowFNPriv.exeZDfGMzHAIq.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ShxdowFNPriv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ZDfGMzHAIq.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ShxdowFNPriv.exeZDfGMzHAIq.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ShxdowFNPriv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ShxdowFNPriv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ZDfGMzHAIq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ZDfGMzHAIq.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ShxdowFNPriv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	ShxdowFNPriv.exe

Executes dropped EXE 1 IoCs

Processes:

ZDfGMzHAIq.exe

pid process

1392 ZDfGMzHAIq.exe
Loads dropped DLL 4 IoCs

Processes:

ShxdowFNPriv.exeZDfGMzHAIq.exe

pid process

3612 ShxdowFNPriv.exe
3612 ShxdowFNPriv.exe
1392 ZDfGMzHAIq.exe
1392 ZDfGMzHAIq.exe

pid	process
1392	ZDfGMzHAIq.exe

pid	process
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
1392	ZDfGMzHAIq.exe
1392	ZDfGMzHAIq.exe

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3612-133-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp	themida
behavioral2/memory/3612-138-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp	themida
behavioral2/memory/3612-139-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp	themida
behavioral2/memory/3612-140-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp	themida
behavioral2/memory/3612-145-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp	themida
behavioral2/memory/3612-146-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp	themida
behavioral2/memory/3612-147-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp	themida
behavioral2/memory/3612-148-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp	themida
behavioral2/memory/3612-170-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\ZDfGMzHAIq.exe	themida
behavioral2/memory/3612-195-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\ZDfGMzHAIq.exe	themida
C:\Users\Admin\AppData\Local\Temp\ZDfGMzHAIq.exe	themida
behavioral2/memory/3612-199-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp	themida
behavioral2/memory/1392-201-0x00007FF62AB00000-0x00007FF62C3BF000-memory.dmp	themida
behavioral2/memory/1392-204-0x00007FF62AB00000-0x00007FF62C3BF000-memory.dmp	themida
behavioral2/memory/1392-205-0x00007FF62AB00000-0x00007FF62C3BF000-memory.dmp	themida
behavioral2/memory/1392-206-0x00007FF62AB00000-0x00007FF62C3BF000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ShxdowFNPriv.exeZDfGMzHAIq.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ShxdowFNPriv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ZDfGMzHAIq.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

ShxdowFNPriv.exeZDfGMzHAIq.exe

pid process

3612 ShxdowFNPriv.exe
1392 ZDfGMzHAIq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3612	ShxdowFNPriv.exe
1392	ZDfGMzHAIq.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

powershell.exeShxdowFNPriv.exe

pid	process
1816	powershell.exe
1816	powershell.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe
3612	ShxdowFNPriv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1816 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ZDfGMzHAIq.exe

pid process

1392 ZDfGMzHAIq.exe

description	pid	process
Token: SeDebugPrivilege	1816	powershell.exe

pid	process
1392	ZDfGMzHAIq.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ShxdowFNPriv.exe

description	pid	process	target process
PID 3612 wrote to memory of 1816	3612	ShxdowFNPriv.exe	powershell.exe
PID 3612 wrote to memory of 1816	3612	ShxdowFNPriv.exe	powershell.exe
PID 3612 wrote to memory of 1392	3612	ShxdowFNPriv.exe	ZDfGMzHAIq.exe
PID 3612 wrote to memory of 1392	3612	ShxdowFNPriv.exe	ZDfGMzHAIq.exe

C:\Users\Admin\AppData\Local\Temp\ShxdowFNPriv.exe
"C:\Users\Admin\AppData\Local\Temp\ShxdowFNPriv.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /C Get-Service -Name WpnUserService* | Restart-Service -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Users\Admin\AppData\Local\Temp\ZDfGMzHAIq.exe
"C:\Users\Admin\AppData\Local\Temp\ZDfGMzHAIq.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZDfGMzHAIq.exe
Filesize
9.1MB

MD5
0f53046b14048a8b61c1b9fd46be3245

SHA1
7c9c67d31a6b5c6b9d746a685318f873d349629d

SHA256
d843d759953773e04aac058a293d6aa9b24542e7c303a1a160b456449cea5619

SHA512
48e56b403b4690da8f4fce04996d8d023b2a4bc4463e47cb071195132c9fc4c017c0a7dce3320ab0865117cdf76b901dbf82b5ab8c3580cb1dddf7c4d051d91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZDfGMzHAIq.exe
Filesize
9.1MB

MD5
0f53046b14048a8b61c1b9fd46be3245

SHA1
7c9c67d31a6b5c6b9d746a685318f873d349629d

SHA256
d843d759953773e04aac058a293d6aa9b24542e7c303a1a160b456449cea5619

SHA512
48e56b403b4690da8f4fce04996d8d023b2a4bc4463e47cb071195132c9fc4c017c0a7dce3320ab0865117cdf76b901dbf82b5ab8c3580cb1dddf7c4d051d91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZDfGMzHAIq.exe
Filesize
9.1MB

MD5
0f53046b14048a8b61c1b9fd46be3245

SHA1
7c9c67d31a6b5c6b9d746a685318f873d349629d

SHA256
d843d759953773e04aac058a293d6aa9b24542e7c303a1a160b456449cea5619

SHA512
48e56b403b4690da8f4fce04996d8d023b2a4bc4463e47cb071195132c9fc4c017c0a7dce3320ab0865117cdf76b901dbf82b5ab8c3580cb1dddf7c4d051d91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vflc5ygq.vzi.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3d11.dll
Filesize
2.4MB

MD5
b284ae0d37cc7d47fc149bf93ef6a5bf

SHA1
3952b84377b0a1d267daae711ee47581749cb2a3

SHA256
0d1fe975cc83acc64a5c2341fbed3700a10509fa3df64535bc50adddd95b7f8b

SHA512
b3982d34808264907520602a5a7798c20b035e78152731856b2c3e0b83086a9b744377e2a2014a3ed91fcb9478468986360fcd62df98a544c9f8a856829ffc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3d11.dll
Filesize
2.4MB

MD5
b284ae0d37cc7d47fc149bf93ef6a5bf

SHA1
3952b84377b0a1d267daae711ee47581749cb2a3

SHA256
0d1fe975cc83acc64a5c2341fbed3700a10509fa3df64535bc50adddd95b7f8b

SHA512
b3982d34808264907520602a5a7798c20b035e78152731856b2c3e0b83086a9b744377e2a2014a3ed91fcb9478468986360fcd62df98a544c9f8a856829ffc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3d11.dll
Filesize
1.2MB

MD5
362fe8da9dec5f59ae1764ce1fa50483

SHA1
b3bcb74b08078b0b417330024b2a865883f7d289

SHA256
fdfd642b72316c4c7acf352bf22588e969881760ab4dd711defb76a35f70b1b0

SHA512
0ce290b6bf1f2786fa3aa8fe0d753f0d86579413dfac6cc8bc5ef42e83d4e86d09977a052bf93a5d1b45eb2a884bebe6e633c6e99dd6443a7c8faa48ea1587af

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll
Filesize
4.1MB

MD5
222d020bd33c90170a8296adc1b7036a

SHA1
612e6f443d927330b9b8ac13cc4a2a6b959cee48

SHA256
4432bbd1a390874f3f0a503d45cc48d346abc3a8c0213c289f4b615bf0ee84f3

SHA512
ad8c7ce7f6f353da5e2cf816e1a69f1ec14011612e8041e4f9bb6ebed3e0fa4e4ebc069155a0c66e23811467012c201893b9b3b7a947d089ce2c749d5e8910c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll
Filesize
4.1MB

MD5
222d020bd33c90170a8296adc1b7036a

SHA1
612e6f443d927330b9b8ac13cc4a2a6b959cee48

SHA256
4432bbd1a390874f3f0a503d45cc48d346abc3a8c0213c289f4b615bf0ee84f3

SHA512
ad8c7ce7f6f353da5e2cf816e1a69f1ec14011612e8041e4f9bb6ebed3e0fa4e4ebc069155a0c66e23811467012c201893b9b3b7a947d089ce2c749d5e8910c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll
Filesize
1.8MB

MD5
6695f4f804feb7ffe4e7c6a16f194667

SHA1
3b82e1a63008d09b2d3ce3d8eec95a3a2d07cc26

SHA256
f27b654e5e90da1d74cd1dca6462ae1433a5cf76c3b9a1b06df3700da38912f3

SHA512
b11d9f7ef1bc8018ef3a1872c81a864862b280325c94b93ca284c3a081d2432c597bd3901a621554442259e4aed248a6325649a6b2c5ebd5acdd1f45625aa009

Download Submit
memory/1392-204-0x00007FF62AB00000-0x00007FF62C3BF000-memory.dmp

Filesize
24.7MB

Download
memory/1392-205-0x00007FF62AB00000-0x00007FF62C3BF000-memory.dmp

Filesize
24.7MB

Download
memory/1392-201-0x00007FF62AB00000-0x00007FF62C3BF000-memory.dmp

Filesize
24.7MB

Download
memory/1392-206-0x00007FF62AB00000-0x00007FF62C3BF000-memory.dmp

Filesize
24.7MB

Download
memory/1816-154-0x000001F6660F0000-0x000001F666112000-memory.dmp

Filesize
136KB

Download
memory/1816-159-0x000001F665530000-0x000001F665540000-memory.dmp

Filesize
64KB

Download
memory/1816-160-0x000001F665530000-0x000001F665540000-memory.dmp

Filesize
64KB

Download
memory/1816-161-0x000001F665530000-0x000001F665540000-memory.dmp

Filesize
64KB

Download
memory/1816-164-0x000001F666120000-0x000001F66633C000-memory.dmp

Filesize
2.1MB

Download
memory/3612-146-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp

Filesize
24.2MB

Download
memory/3612-195-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp

Filesize
24.2MB

Download
memory/3612-199-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp

Filesize
24.2MB

Download
memory/3612-170-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp

Filesize
24.2MB

Download
memory/3612-148-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp

Filesize
24.2MB

Download
memory/3612-147-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp

Filesize
24.2MB

Download
memory/3612-133-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp

Filesize
24.2MB

Download
memory/3612-145-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp

Filesize
24.2MB

Download
memory/3612-140-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp

Filesize
24.2MB

Download
memory/3612-139-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp

Filesize
24.2MB

Download
memory/3612-138-0x00007FF65FE70000-0x00007FF6616A8000-memory.dmp

Filesize
24.2MB

Download