3c9564882c892e219c16f1dd92669be7953227ea85c91eed632bd05821e60478

General

Target

CW_DARK_AETHER_TOOL.exe
Size

10.5MB
MD5

4a5b6d9a4856e5d3a679f35802e20fb5
SHA1

340fe0b21097b555dca31293fd40630456800af0
SHA256

508a28f86839b77f5e10b1f1f02638511cf8e4ed87d08e18fe262302fb62f322
SHA512

fcd69159569c0b9f2a974d589adb8a1e99aeb1abf41e4fa6dfe0e6f7fbc0e4c301e994f3896f81851bf3be19ae271453cef29318c9f3738ad39026b7fedfcada
SSDEEP

196608:sI0r9hhUQ9XroosByTvMzbXNdPh6exztqnA49wFPZCQ6hekmSW5ZVrsI:s97rzsByT4LbPh6wztqnA6Q4hekmrwI

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CW_DARK_AETHER_TOOL.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\WinD64.sys	inject.exe
File created	C:\Windows\system32\drivers\WinD64loader.sys	inject.exe

Sets service image path in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinD64\ImagePath = "\\??\\C:\\Windows\\system32\\drivers\\WinD64.sys"	inject.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinD64loader\ImagePath = "\\??\\C:\\Windows\\system32\\drivers\\WinD64loader.sys"	inject.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinD64\ImagePath = "\\??\\C:\\Windows\\system32\\drivers\\WinD64.sys"	inject.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinD64loader\ImagePath = "\\??\\C:\\Windows\\system32\\drivers\\WinD64loader.sys"	inject.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CW_DARK_AETHER_TOOL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CW_DARK_AETHER_TOOL.exe

Executes dropped EXE 3 IoCs

pid	Process
1484	inject.exe
796	inject.exe
500	inject.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/496-10-0x0000000000FA0000-0x0000000002B0A000-memory.dmp	themida
behavioral2/memory/496-11-0x0000000000FA0000-0x0000000002B0A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CW_DARK_AETHER_TOOL.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\WinD64.exe	inject.exe
File created	C:\Windows\system32\WinD64.dll	inject.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
496	CW_DARK_AETHER_TOOL.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
496	CW_DARK_AETHER_TOOL.exe
496	CW_DARK_AETHER_TOOL.exe
496	CW_DARK_AETHER_TOOL.exe
496	CW_DARK_AETHER_TOOL.exe

Suspicious behavior: LoadsDriver 11 IoCs

pid	Process
676	Process not Found
1484	inject.exe
1484	inject.exe
1484	inject.exe
1484	inject.exe
1484	inject.exe
796	inject.exe
796	inject.exe
796	inject.exe
796	inject.exe
796	inject.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1484	inject.exe
Token: SeLoadDriverPrivilege	1484	inject.exe
Token: SeLoadDriverPrivilege	1484	inject.exe
Token: SeLoadDriverPrivilege	1484	inject.exe
Token: SeLoadDriverPrivilege	1484	inject.exe
Token: SeLoadDriverPrivilege	796	inject.exe
Token: SeLoadDriverPrivilege	796	inject.exe
Token: SeLoadDriverPrivilege	796	inject.exe
Token: SeLoadDriverPrivilege	796	inject.exe
Token: SeLoadDriverPrivilege	796	inject.exe
Token: SeLoadDriverPrivilege	500	inject.exe
Token: SeDebugPrivilege	496	CW_DARK_AETHER_TOOL.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 496 wrote to memory of 4580	496	CW_DARK_AETHER_TOOL.exe	88
PID 496 wrote to memory of 4580	496	CW_DARK_AETHER_TOOL.exe	88
PID 496 wrote to memory of 4580	496	CW_DARK_AETHER_TOOL.exe	88
PID 496 wrote to memory of 4336	496	CW_DARK_AETHER_TOOL.exe	90
PID 496 wrote to memory of 4336	496	CW_DARK_AETHER_TOOL.exe	90
PID 496 wrote to memory of 4336	496	CW_DARK_AETHER_TOOL.exe	90
PID 4336 wrote to memory of 1484	4336	cmd.exe	92
PID 4336 wrote to memory of 1484	4336	cmd.exe	92
PID 4336 wrote to memory of 796	4336	cmd.exe	93
PID 4336 wrote to memory of 796	4336	cmd.exe	93
PID 4336 wrote to memory of 500	4336	cmd.exe	94
PID 4336 wrote to memory of 500	4336	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\CW_DARK_AETHER_TOOL.exe
"C:\Users\Admin\AppData\Local\Temp\CW_DARK_AETHER_TOOL.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:496
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  PID:4580
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\$Recycle.bin\inject.exe
    inject.exe /i
    3⤵
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- - C:\$Recycle.bin\inject.exe
    inject.exe /l C:\$Recycle.Bin\Driver.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:796
- - C:\$Recycle.bin\inject.exe
    inject.exe /u
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.bin\inject.exe

Filesize
90KB

MD5
b3e139bfd2e14bca0eb5deec2655c28a

SHA1
07b63316715597be493ae0c82a7e8f786d2133ec

SHA256
7105fd467a7965e32eef4c0a8ae113fb57f32d9334e83f2b1887d4eb65960a31

SHA512
da7d3213736c487668075e50b663d0a11d558d460c82e11a1ea7ea245d75424781ae621434335d90858f224e81f3e518b3079cc00ccea506f98b6a48035d8e7e

Download Submit
C:\$Recycle.bin\inject.exe

Filesize
90KB

MD5
b3e139bfd2e14bca0eb5deec2655c28a

SHA1
07b63316715597be493ae0c82a7e8f786d2133ec

SHA256
7105fd467a7965e32eef4c0a8ae113fb57f32d9334e83f2b1887d4eb65960a31

SHA512
da7d3213736c487668075e50b663d0a11d558d460c82e11a1ea7ea245d75424781ae621434335d90858f224e81f3e518b3079cc00ccea506f98b6a48035d8e7e

Download Submit
C:\$Recycle.bin\inject.exe

Filesize
90KB

MD5
b3e139bfd2e14bca0eb5deec2655c28a

SHA1
07b63316715597be493ae0c82a7e8f786d2133ec

SHA256
7105fd467a7965e32eef4c0a8ae113fb57f32d9334e83f2b1887d4eb65960a31

SHA512
da7d3213736c487668075e50b663d0a11d558d460c82e11a1ea7ea245d75424781ae621434335d90858f224e81f3e518b3079cc00ccea506f98b6a48035d8e7e

Download Submit
C:\$Recycle.bin\inject.exe

Filesize
90KB

MD5
b3e139bfd2e14bca0eb5deec2655c28a

SHA1
07b63316715597be493ae0c82a7e8f786d2133ec

SHA256
7105fd467a7965e32eef4c0a8ae113fb57f32d9334e83f2b1887d4eb65960a31

SHA512
da7d3213736c487668075e50b663d0a11d558d460c82e11a1ea7ea245d75424781ae621434335d90858f224e81f3e518b3079cc00ccea506f98b6a48035d8e7e

Download Submit
C:\Windows\system32\WinD64.dll

Filesize
4KB

MD5
2a9a1567d3914e23702c60f66e55fc46

SHA1
d414342656184f478cb299c8660ae292d21c11b8

SHA256
6a0115a5dfb2a7eca6465a72d611992d9f98c22967f0ac6695e64d443b803289

SHA512
b2f100d55d7e69e626697c6f98371787d5f3aa0632f6e90ad2818cc402e59e0e33f33eac3b48af8c7c2647218799656b10ef1f7118241f65410553ad89190c71

Download Submit
C:\Windows\system32\WinD64.exe

Filesize
90KB

MD5
b3e139bfd2e14bca0eb5deec2655c28a

SHA1
07b63316715597be493ae0c82a7e8f786d2133ec

SHA256
7105fd467a7965e32eef4c0a8ae113fb57f32d9334e83f2b1887d4eb65960a31

SHA512
da7d3213736c487668075e50b663d0a11d558d460c82e11a1ea7ea245d75424781ae621434335d90858f224e81f3e518b3079cc00ccea506f98b6a48035d8e7e

Download Submit
C:\Windows\system32\drivers\WinD64.sys

Filesize
7KB

MD5
1cbb31af934ff6aa4295bcb1088896c4

SHA1
cb619c99be350116af66f800d769342b6e7b0adb

SHA256
7322b65170e50f08d6f34062bdd8f78fd9bb5b5c11085660e40e0dae567c6891

SHA512
751c63ec09a48d0d60c144e140faf80dc5516ec1bc7d4db2c3dbe8c56d9628fb30c562eb1c8810bda273735fe92df45e86fb09e560c207b23799536578392c45

Download Submit
C:\Windows\system32\drivers\WinD64loader.sys

Filesize
61KB

MD5
561e7e1f06895d78de991e01dd0fb6e5

SHA1
f7089f6d7bb2b386e932aec5211689ea85fde9cc

SHA256
83bfa50a528762ec52a011302ac3874636fb7e26628cd7acfbf2bdc9faa8110d

SHA512
b8c76f65181b224a37af7a1d71ffe08e535038df55b82b2163c71fa798c88f0c3fd73db41ced3e028e63e833ef3511f469c312f25e21dd741e85a2b20067e3d4

Download Submit
memory/496-6-0x00000000767B0000-0x00000000768A0000-memory.dmp

Filesize
960KB

Download
memory/496-5-0x00000000767B0000-0x00000000768A0000-memory.dmp

Filesize
960KB

Download
memory/496-12-0x00000000076D0000-0x0000000007C74000-memory.dmp

Filesize
5.6MB

Download
memory/496-13-0x00000000071C0000-0x0000000007252000-memory.dmp

Filesize
584KB

Download
memory/496-14-0x0000000007150000-0x0000000007172000-memory.dmp

Filesize
136KB

Download
memory/496-10-0x0000000000FA0000-0x0000000002B0A000-memory.dmp

Filesize
27.4MB

Download
memory/496-7-0x0000000076FD4000-0x0000000076FD6000-memory.dmp

Filesize
8KB

Download
memory/496-37-0x00000000767B0000-0x00000000768A0000-memory.dmp

Filesize
960KB

Download
memory/496-0-0x0000000000FA0000-0x0000000002B0A000-memory.dmp

Filesize
27.4MB

Download
memory/496-11-0x0000000000FA0000-0x0000000002B0A000-memory.dmp

Filesize
27.4MB

Download
memory/496-4-0x00000000767B0000-0x00000000768A0000-memory.dmp

Filesize
960KB

Download
memory/496-3-0x00000000767B0000-0x00000000768A0000-memory.dmp

Filesize
960KB

Download
memory/496-2-0x00000000767B0000-0x00000000768A0000-memory.dmp

Filesize
960KB

Download
memory/496-1-0x00000000767B0000-0x00000000768A0000-memory.dmp

Filesize
960KB

Download
memory/496-33-0x0000000000FA0000-0x0000000002B0A000-memory.dmp

Filesize
27.4MB

Download
memory/496-34-0x00000000767B0000-0x00000000768A0000-memory.dmp

Filesize
960KB

Download
memory/496-36-0x0000000008100000-0x000000000810A000-memory.dmp

Filesize
40KB

Download
memory/1484-24-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads