01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09 | Triage

Submit
Reports

Overview

overview

Static

static

7

CD5j9fwc.exe

windows7-x64

9

CD5j9fwc.exe

windows10-2004-x64

Sharing

General

Target

CD5j9fwc.exe
Size

27.9MB
Sample

241120-17t9tsvkdt
MD5

34e055a67b10a1a14994b6b3457698e2
SHA1

6b299dca56f55a0656b23fd035f4353dc049343a
SHA256

01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09
SHA512

8437dde18940cf8197d25f729bbaaf0803b81ffa1ed13128c91e6e3a65f01fc8253a19badc6e71c187928832dbabb03cf45ddc392e19e4c5dc6f741ada13d218
SSDEEP

786432:PPhOXo+/5eJC7HRCyM1yMRUEvTHBfBRcda3:3AY+/4JOlQ7PRco3

Score

10^/10

defense_evasion discovery evasion execution persistence ransomware themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

CD5j9fwc.exe

Resource

win7-20240903-en

defense_evasion discovery evasion execution persistence themida trojan

windows7-x64

15 signatures

1800 seconds

Behavioral task

behavioral2

Sample

CD5j9fwc.exe

Resource

win10v2004-20241007-en

defense_evasion discovery evasion execution persistence ransomware themida trojan

windows10-2004-x64

22 signatures

1800 seconds

Malware Config

Targets

- Target
  
  CD5j9fwc.exe
- Size
  
  27.9MB
- MD5
  
  34e055a67b10a1a14994b6b3457698e2
- SHA1
  
  6b299dca56f55a0656b23fd035f4353dc049343a
- SHA256
  
  01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09
- SHA512
  
  8437dde18940cf8197d25f729bbaaf0803b81ffa1ed13128c91e6e3a65f01fc8253a19badc6e71c187928832dbabb03cf45ddc392e19e4c5dc6f741ada13d218
- SSDEEP
  
  786432:PPhOXo+/5eJC7HRCyM1yMRUEvTHBfBRcda3:3AY+/4JOlQ7PRco3
Score

10^/10

defense_evasion discovery evasion execution persistence themida trojan ransomware
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Server Software Component: Terminal Services DLL
  persistence
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Time Providers

Create or Modify System Process

Windows Service

Server Software Component

Terminal Services DLL

Privilege Escalation

Boot or Logon Autostart Execution

Time Providers

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Ignore Process Interrupts

Impair Defenses

Indicator Removal

File Deletion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Time Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

Inhibit System Recovery

Service Stop

Tasks

static1

behavioral1

defense_evasiondiscoveryevasionexecutionpersistencethemidatrojan

behavioral2

defense_evasiondiscoveryevasionexecutionpersistenceransomwarethemidatrojan

© 2018-2024

Terms | Privacy