Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-10-2024 23:25
Behavioral task: behavioral1
  Sample: MfYecZ9i.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: MfYecZ9i.exe
  Resource: win10v2004-20241007-en
General

Target: MfYecZ9i.exe
Size: 27.9MB
MD5: 34e055a67b10a1a14994b6b3457698e2
SHA1: 6b299dca56f55a0656b23fd035f4353dc049343a
SHA256: 01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09
SHA512: 8437dde18940cf8197d25f729bbaaf0803b81ffa1ed13128c91e6e3a65f01fc8253a19badc6e71c187928832dbabb03cf45ddc392e19e4c5dc6f741ada13d218
SSDEEP: 786432:PPhOXo+/5eJC7HRCyM1yMRUEvTHBfBRcda3:3AY+/4JOlQ7PRco3
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs  1 IoCs
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | MfYecZ9i.exe
Server Software Component: Terminal Services DLL  1 TTPs  1 IoCs
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\Parameters\ServiceDll = "C:\\Windows\\system32\\w32time.DLL" | w32tm.exe
Checks BIOS information in registry  2 TTPs  2 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | MfYecZ9i.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | MfYecZ9i.exe
YARA rule match: themida (memory dumps of PID 1964)
  resource | yara_rule
  behavioral1/memory/1964-1-0x0000000140000000-0x000000014325E000-memory.dmp | themida
  behavioral1/memory/1964-3-0x0000000140000000-0x000000014325E000-memory.dmp | themida
  behavioral1/memory/1964-2-0x0000000140000000-0x000000014325E000-memory.dmp | themida
  behavioral1/memory/1964-5-0x0000000140000000-0x000000014325E000-memory.dmp | themida
  behavioral1/memory/1964-4-0x0000000140000000-0x000000014325E000-memory.dmp | themida
  behavioral1/memory/1964-47-0x0000000140000000-0x000000014325E000-memory.dmp | themida
Checks whether UAC is enabled
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MfYecZ9i.exe
Indicator Removal: File Deletion  1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Suspicious use of NtSetInformationThreadHideFromDebugger  1 IoCs
  pid | process
  1964 | MfYecZ9i.exe
Boot or Logon Autostart Execution: Time Providers  1 TTPs  24 IoCs
The Windows Time service (W32Time) enables time synchronization across and within domains.
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\InputProvider = "1" | w32tm.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMaxTimes = "7" | w32tm.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\EventLogFlags = "1" | w32tm.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\VMICTimeProvider\Enabled = "1" | w32tm.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\DllName = "C:\\Windows\\system32\\w32time.DLL" | w32tm.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 0000 | w32tm.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\SpecialPollInterval = "604800" | w32tm.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider | w32tm.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMinutes = "15" | w32tm.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\InputProvider = "0" | w32tm.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\DllName = "C:\\Windows\\system32\\w32time.DLL" | w32tm.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\VMICTimeProvider\DllName = "%SystemRoot%\\System32\\vmictimeprovider.dll" | w32tm.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\VMICTimeProvider\InputProvider = "1" | w32tm.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\Enabled = "0" | w32tm.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider\Parameters | w32tm.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\AllowNonstandardModeCombinations = "1" | w32tm.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\CrossSiteSyncFlags = "2" | w32tm.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\LargeSampleSkew = "3" | w32tm.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\AllowNonstandardModeCombinations = "1" | w32tm.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClient | w32tm.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpServer | w32tm.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\Enabled = "1" | w32tm.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\CompatibilityFlags = "2147483648" | w32tm.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\EventLogFlags = "0" | w32tm.exe
Command and Scripting Interpreter: PowerShell
  pid | process
  2508 | powershell.exe
  2264 | powershell.exe
  2836 | powershell.exe
System Time Discovery  1 TTPs  6 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
  pid | process
  2600 | net.exe
  2000 | net1.exe
  1516 | net.exe
  2060 | net1.exe
  2640 | net.exe
  2700 | net1.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses  4 IoCs
  pid | process
  2716 | powershell.exe
  2836 | powershell.exe
  2508 | powershell.exe
  2264 | powershell.exe
Suspicious use of AdjustPrivilegeToken  44 IoCs
  description | pid | process
  Token: SeDebugPrivilege | 2716 | powershell.exe
  Token: SeDebugPrivilege | 2836 | powershell.exe
  Token: SeDebugPrivilege | 2508 | powershell.exe
  Token: SeDebugPrivilege | 2264 | powershell.exe
  The remaining 40 IoCs are the following 20 tokens, each listed twice for wmic.exe (pid 1684):
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 | 1684 | wmic.exe
Suspicious use of SetWindowsHookEx  1 IoCs
  pid | process
  1964 | MfYecZ9i.exe
Suspicious use of WriteProcessMemory  45 IoCs
Each write below is recorded three times in the report (15 distinct source/target pairs, 45 IoCs).
  description | pid | process | procid_target
  PID 1964 wrote to memory of 2716 | 1964 | MfYecZ9i.exe | 30
  PID 1964 wrote to memory of 2640 | 1964 | MfYecZ9i.exe | 32
  PID 2640 wrote to memory of 2700 | 2640 | net.exe | 34
  PID 1964 wrote to memory of 1724 | 1964 | MfYecZ9i.exe | 35
  PID 1964 wrote to memory of 2520 | 1964 | MfYecZ9i.exe | 37
  PID 1964 wrote to memory of 2600 | 1964 | MfYecZ9i.exe | 39
  PID 2600 wrote to memory of 2000 | 2600 | net.exe | 41
  PID 1964 wrote to memory of 2376 | 1964 | MfYecZ9i.exe | 42
  PID 1964 wrote to memory of 1516 | 1964 | MfYecZ9i.exe | 44
  PID 1516 wrote to memory of 2060 | 1516 | net.exe | 46
  PID 1964 wrote to memory of 2264 | 1964 | MfYecZ9i.exe | 47
  PID 1964 wrote to memory of 1684 | 1964 | MfYecZ9i.exe | 48
  PID 1964 wrote to memory of 2508 | 1964 | MfYecZ9i.exe | 49
  PID 1964 wrote to memory of 2836 | 1964 | MfYecZ9i.exe | 51
  PID 1964 wrote to memory of 1060 | 1964 | MfYecZ9i.exe | 56
Processes

MfYecZ9i.exe  PID:1964
  image: C:\Users\Admin\AppData\Local\Temp\MfYecZ9i.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\MfYecZ9i.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  powershell.exe  PID:2716
    image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell.exe -command Remove-Item 'C:\Users\Admin\AppData\Local\Temp\MfYecZ9i.exe.bak' -force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  net.exe  PID:2640
    image: C:\Windows\system32\net.exe
    command line: net stop w32time
    - System Time Discovery
    - Suspicious use of WriteProcessMemory

    net1.exe  PID:2700
      image: C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 stop w32time
      - System Time Discovery

  w32tm.exe  PID:1724
    image: C:\Windows\system32\w32tm.exe
    command line: w32tm /unregister

  w32tm.exe  PID:2520
    image: C:\Windows\system32\w32tm.exe
    command line: w32tm /register
    - Server Software Component: Terminal Services DLL
    - Boot or Logon Autostart Execution: Time Providers

  net.exe  PID:2600
    image: C:\Windows\system32\net.exe
    command line: net start w32time
    - System Time Discovery
    - Suspicious use of WriteProcessMemory

    net1.exe  PID:2000
      image: C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 start w32time
      - System Time Discovery

  w32tm.exe  PID:2376
    image: C:\Windows\system32\w32tm.exe
    command line: w32tm /resync /force

  net.exe  PID:1516
    image: C:\Windows\system32\net.exe
    command line: net stop w32time
    - System Time Discovery
    - Suspicious use of WriteProcessMemory

    net1.exe  PID:2060
      image: C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 stop w32time
      - System Time Discovery

  powershell.exe  PID:2264
    image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell -command "$env:firmware_type"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  wmic.exe  PID:1684
    image: C:\Windows\System32\Wbem\wmic.exe
    command line: wmic cpu get VirtualizationFirmwareEnabled
    - Suspicious use of AdjustPrivilegeToken

  powershell.exe  PID:2508
    image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell -command "confirm-securebootuefi"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  powershell.exe  PID:2836
    image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell -command "Get-WmiObject -Namespace 'Root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  WerFault.exe  PID:1060
    image: C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -u -p 1964 -s 664

  fsutil.exe  PID:964
    image: C:\Windows\system32\fsutil.exe
    command line: fsutil behavior set disablelastaccess 1
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Time Providers (1)
  Server Software Component (1)
    Terminal Services DLL (1)
Defense Evasion
  Indicator Removal (1)
    File Deletion (1)
  Virtualization/Sandbox Evasion (1)
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 6f5da07cea8af36a41f13665b9af09d3
  SHA1: 9c39ed660c00642c2342437b1191d8fe4a8cfc92
  SHA256: cceb6ce094261e600c0b56750a64cf0c6294e5fb4bb486afdd156ac7b485fe61
  SHA512: 63bc6fabd41783b531349f0e1b385b76b12c83088aac878924c5cbd59c306c67ebdfd82c876d83eff50852e6353648bc00f4f876b0cab43cfd1231e7c97c443e