01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-10-2024 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MfYecZ9i.exe
Size

27.9MB
MD5

34e055a67b10a1a14994b6b3457698e2
SHA1

6b299dca56f55a0656b23fd035f4353dc049343a
SHA256

01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09
SHA512

8437dde18940cf8197d25f729bbaaf0803b81ffa1ed13128c91e6e3a65f01fc8253a19badc6e71c187928832dbabb03cf45ddc392e19e4c5dc6f741ada13d218
SSDEEP

786432:PPhOXo+/5eJC7HRCyM1yMRUEvTHBfBRcda3:3AY+/4JOlQ7PRco3

Score

9^/10

defense_evasion discovery evasion execution persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MfYecZ9i.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\Parameters\ServiceDll = "C:\\Windows\\system32\\w32time.DLL"	w32tm.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MfYecZ9i.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MfYecZ9i.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1964-1-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/1964-3-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/1964-2-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/1964-5-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/1964-4-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/1964-47-0x0000000140000000-0x000000014325E000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MfYecZ9i.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1964	MfYecZ9i.exe

Boot or Logon Autostart Execution: Time Providers 1 TTPs 24 IoCs

The Windows Time service (W32Time) enables time synchronization across and within domains.

persistence

Time Providers

T1547.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\InputProvider = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMaxTimes = "7"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\EventLogFlags = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\VMICTimeProvider\Enabled = "1"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\DllName = "C:\\Windows\\system32\\w32time.DLL"	w32tm.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 0000	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\SpecialPollInterval = "604800"	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMinutes = "15"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\InputProvider = "0"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\DllName = "C:\\Windows\\system32\\w32time.DLL"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\VMICTimeProvider\DllName = "%SystemRoot%\\System32\\vmictimeprovider.dll"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\VMICTimeProvider\InputProvider = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\Enabled = "0"	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider\Parameters	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\AllowNonstandardModeCombinations = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\CrossSiteSyncFlags = "2"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\LargeSampleSkew = "3"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\AllowNonstandardModeCombinations = "1"	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClient	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpServer	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\Enabled = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\CompatibilityFlags = "2147483648"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\EventLogFlags = "0"	w32tm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2508	powershell.exe
2264	powershell.exe
2836	powershell.exe

System Time Discovery 1 TTPs 6 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
2600	net.exe
2000	net1.exe
1516	net.exe
2060	net1.exe
2640	net.exe
2700	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2716	powershell.exe
2836	powershell.exe
2508	powershell.exe
2264	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeIncreaseQuotaPrivilege	1684	wmic.exe
Token: SeSecurityPrivilege	1684	wmic.exe
Token: SeTakeOwnershipPrivilege	1684	wmic.exe
Token: SeLoadDriverPrivilege	1684	wmic.exe
Token: SeSystemProfilePrivilege	1684	wmic.exe
Token: SeSystemtimePrivilege	1684	wmic.exe
Token: SeProfSingleProcessPrivilege	1684	wmic.exe
Token: SeIncBasePriorityPrivilege	1684	wmic.exe
Token: SeCreatePagefilePrivilege	1684	wmic.exe
Token: SeBackupPrivilege	1684	wmic.exe
Token: SeRestorePrivilege	1684	wmic.exe
Token: SeShutdownPrivilege	1684	wmic.exe
Token: SeDebugPrivilege	1684	wmic.exe
Token: SeSystemEnvironmentPrivilege	1684	wmic.exe
Token: SeRemoteShutdownPrivilege	1684	wmic.exe
Token: SeUndockPrivilege	1684	wmic.exe
Token: SeManageVolumePrivilege	1684	wmic.exe
Token: 33	1684	wmic.exe
Token: 34	1684	wmic.exe
Token: 35	1684	wmic.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeIncreaseQuotaPrivilege	1684	wmic.exe
Token: SeSecurityPrivilege	1684	wmic.exe
Token: SeTakeOwnershipPrivilege	1684	wmic.exe
Token: SeLoadDriverPrivilege	1684	wmic.exe
Token: SeSystemProfilePrivilege	1684	wmic.exe
Token: SeSystemtimePrivilege	1684	wmic.exe
Token: SeProfSingleProcessPrivilege	1684	wmic.exe
Token: SeIncBasePriorityPrivilege	1684	wmic.exe
Token: SeCreatePagefilePrivilege	1684	wmic.exe
Token: SeBackupPrivilege	1684	wmic.exe
Token: SeRestorePrivilege	1684	wmic.exe
Token: SeShutdownPrivilege	1684	wmic.exe
Token: SeDebugPrivilege	1684	wmic.exe
Token: SeSystemEnvironmentPrivilege	1684	wmic.exe
Token: SeRemoteShutdownPrivilege	1684	wmic.exe
Token: SeUndockPrivilege	1684	wmic.exe
Token: SeManageVolumePrivilege	1684	wmic.exe
Token: 33	1684	wmic.exe
Token: 34	1684	wmic.exe
Token: 35	1684	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1964	MfYecZ9i.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2716	1964	MfYecZ9i.exe	30
PID 1964 wrote to memory of 2716	1964	MfYecZ9i.exe	30
PID 1964 wrote to memory of 2716	1964	MfYecZ9i.exe	30
PID 1964 wrote to memory of 2640	1964	MfYecZ9i.exe	32
PID 1964 wrote to memory of 2640	1964	MfYecZ9i.exe	32
PID 1964 wrote to memory of 2640	1964	MfYecZ9i.exe	32
PID 2640 wrote to memory of 2700	2640	net.exe	34
PID 2640 wrote to memory of 2700	2640	net.exe	34
PID 2640 wrote to memory of 2700	2640	net.exe	34
PID 1964 wrote to memory of 1724	1964	MfYecZ9i.exe	35
PID 1964 wrote to memory of 1724	1964	MfYecZ9i.exe	35
PID 1964 wrote to memory of 1724	1964	MfYecZ9i.exe	35
PID 1964 wrote to memory of 2520	1964	MfYecZ9i.exe	37
PID 1964 wrote to memory of 2520	1964	MfYecZ9i.exe	37
PID 1964 wrote to memory of 2520	1964	MfYecZ9i.exe	37
PID 1964 wrote to memory of 2600	1964	MfYecZ9i.exe	39
PID 1964 wrote to memory of 2600	1964	MfYecZ9i.exe	39
PID 1964 wrote to memory of 2600	1964	MfYecZ9i.exe	39
PID 2600 wrote to memory of 2000	2600	net.exe	41
PID 2600 wrote to memory of 2000	2600	net.exe	41
PID 2600 wrote to memory of 2000	2600	net.exe	41
PID 1964 wrote to memory of 2376	1964	MfYecZ9i.exe	42
PID 1964 wrote to memory of 2376	1964	MfYecZ9i.exe	42
PID 1964 wrote to memory of 2376	1964	MfYecZ9i.exe	42
PID 1964 wrote to memory of 1516	1964	MfYecZ9i.exe	44
PID 1964 wrote to memory of 1516	1964	MfYecZ9i.exe	44
PID 1964 wrote to memory of 1516	1964	MfYecZ9i.exe	44
PID 1516 wrote to memory of 2060	1516	net.exe	46
PID 1516 wrote to memory of 2060	1516	net.exe	46
PID 1516 wrote to memory of 2060	1516	net.exe	46
PID 1964 wrote to memory of 2264	1964	MfYecZ9i.exe	47
PID 1964 wrote to memory of 2264	1964	MfYecZ9i.exe	47
PID 1964 wrote to memory of 2264	1964	MfYecZ9i.exe	47
PID 1964 wrote to memory of 1684	1964	MfYecZ9i.exe	48
PID 1964 wrote to memory of 1684	1964	MfYecZ9i.exe	48
PID 1964 wrote to memory of 1684	1964	MfYecZ9i.exe	48
PID 1964 wrote to memory of 2508	1964	MfYecZ9i.exe	49
PID 1964 wrote to memory of 2508	1964	MfYecZ9i.exe	49
PID 1964 wrote to memory of 2508	1964	MfYecZ9i.exe	49
PID 1964 wrote to memory of 2836	1964	MfYecZ9i.exe	51
PID 1964 wrote to memory of 2836	1964	MfYecZ9i.exe	51
PID 1964 wrote to memory of 2836	1964	MfYecZ9i.exe	51
PID 1964 wrote to memory of 1060	1964	MfYecZ9i.exe	56
PID 1964 wrote to memory of 1060	1964	MfYecZ9i.exe	56
PID 1964 wrote to memory of 1060	1964	MfYecZ9i.exe	56

C:\Users\Admin\AppData\Local\Temp\MfYecZ9i.exe
"C:\Users\Admin\AppData\Local\Temp\MfYecZ9i.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command Remove-Item 'C:\Users\Admin\AppData\Local\Temp\MfYecZ9i.exe.bak' -force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\system32\net.exe
  net stop w32time
  2⤵
  - System Time Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop w32time
    3⤵
    - System Time Discovery
    PID:2700
- C:\Windows\system32\w32tm.exe
  w32tm /unregister
  2⤵
  PID:1724
- C:\Windows\system32\w32tm.exe
  w32tm /register
  2⤵
  - Server Software Component: Terminal Services DLL
  - Boot or Logon Autostart Execution: Time Providers
  PID:2520
- C:\Windows\system32\net.exe
  net start w32time
  2⤵
  - System Time Discovery
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start w32time
    3⤵
    - System Time Discovery
    PID:2000
- C:\Windows\system32\w32tm.exe
  w32tm /resync /force
  2⤵
  PID:2376
- C:\Windows\system32\net.exe
  net stop w32time
  2⤵
  - System Time Discovery
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop w32time
    3⤵
    - System Time Discovery
    PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "$env:firmware_type"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get VirtualizationFirmwareEnabled
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "confirm-securebootuefi"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Get-WmiObject -Namespace 'Root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1964 -s 664
  2⤵
  PID:1060
- C:\Windows\system32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Time Providers

T1547.003

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Time Providers

T1547.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Time Discovery

T1124

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6f5da07cea8af36a41f13665b9af09d3

SHA1
9c39ed660c00642c2342437b1191d8fe4a8cfc92

SHA256
cceb6ce094261e600c0b56750a64cf0c6294e5fb4bb486afdd156ac7b485fe61

SHA512
63bc6fabd41783b531349f0e1b385b76b12c83088aac878924c5cbd59c306c67ebdfd82c876d83eff50852e6353648bc00f4f876b0cab43cfd1231e7c97c443e

Download Submit
memory/1964-20-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Filesize
64KB

Download
memory/1964-1-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/1964-3-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/1964-2-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/1964-5-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/1964-4-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/1964-0-0x0000000076D60000-0x0000000076D62000-memory.dmp

Filesize
8KB

Download
memory/1964-47-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/2716-10-0x0000000076D10000-0x0000000076EB9000-memory.dmp

Filesize
1.7MB

Download
memory/2716-13-0x0000000076D10000-0x0000000076EB9000-memory.dmp

Filesize
1.7MB

Download
memory/2716-12-0x00000000021E0000-0x00000000021E8000-memory.dmp

Filesize
32KB

Download
memory/2716-11-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2836-45-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2836-46-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download