01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09

Analysis

max time kernel
1563s
max time network
1564s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CD5j9fwc.exe
Size

27.9MB
MD5

34e055a67b10a1a14994b6b3457698e2
SHA1

6b299dca56f55a0656b23fd035f4353dc049343a
SHA256

01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09
SHA512

8437dde18940cf8197d25f729bbaaf0803b81ffa1ed13128c91e6e3a65f01fc8253a19badc6e71c187928832dbabb03cf45ddc392e19e4c5dc6f741ada13d218
SSDEEP

786432:PPhOXo+/5eJC7HRCyM1yMRUEvTHBfBRcda3:3AY+/4JOlQ7PRco3

Score

9^/10

defense_evasion discovery evasion execution persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

CD5j9fwc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CD5j9fwc.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

w32tm.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\Parameters\ServiceDll = "C:\\Windows\\system32\\w32time.DLL"	w32tm.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CD5j9fwc.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CD5j9fwc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CD5j9fwc.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2556-1-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/2556-4-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/2556-3-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/2556-5-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/2556-2-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/2556-48-0x0000000140000000-0x000000014325E000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

CD5j9fwc.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CD5j9fwc.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

CD5j9fwc.exe

pid	Process
2556	CD5j9fwc.exe

Boot or Logon Autostart Execution: Time Providers 1 TTPs 24 IoCs

The Windows Time service (W32Time) enables time synchronization across and within domains.

persistence

Time Providers

T1547.003

Processes:

w32tm.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider\Parameters	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\Enabled = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMaxTimes = "7"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\LargeSampleSkew = "3"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\AllowNonstandardModeCombinations = "1"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\VMICTimeProvider\DllName = "%SystemRoot%\\System32\\vmictimeprovider.dll"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\Enabled = "0"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\EventLogFlags = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\InputProvider = "0"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\VMICTimeProvider\Enabled = "1"	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClient	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpServer	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\AllowNonstandardModeCombinations = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\CrossSiteSyncFlags = "2"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMinutes = "15"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\DllName = "C:\\Windows\\system32\\w32time.DLL"	w32tm.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 0000	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\SpecialPollInterval = "604800"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\InputProvider = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\CompatibilityFlags = "2147483648"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\EventLogFlags = "0"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\VMICTimeProvider\InputProvider = "1"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\DllName = "C:\\Windows\\system32\\w32time.DLL"	w32tm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid	Process
1236	powershell.exe
1408	powershell.exe
2516	powershell.exe

System Time Discovery 1 TTPs 6 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

Processes:

net.exenet.exenet1.exenet.exenet1.exenet1.exe

pid	Process
3020	net.exe
2204	net.exe
2736	net1.exe
2284	net.exe
2384	net1.exe
1704	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2996	powershell.exe
1236	powershell.exe
2516	powershell.exe
1408	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

powershell.exepowershell.exepowershell.exewmic.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeIncreaseQuotaPrivilege	1912	wmic.exe
Token: SeSecurityPrivilege	1912	wmic.exe
Token: SeTakeOwnershipPrivilege	1912	wmic.exe
Token: SeLoadDriverPrivilege	1912	wmic.exe
Token: SeSystemProfilePrivilege	1912	wmic.exe
Token: SeSystemtimePrivilege	1912	wmic.exe
Token: SeProfSingleProcessPrivilege	1912	wmic.exe
Token: SeIncBasePriorityPrivilege	1912	wmic.exe
Token: SeCreatePagefilePrivilege	1912	wmic.exe
Token: SeBackupPrivilege	1912	wmic.exe
Token: SeRestorePrivilege	1912	wmic.exe
Token: SeShutdownPrivilege	1912	wmic.exe
Token: SeDebugPrivilege	1912	wmic.exe
Token: SeSystemEnvironmentPrivilege	1912	wmic.exe
Token: SeRemoteShutdownPrivilege	1912	wmic.exe
Token: SeUndockPrivilege	1912	wmic.exe
Token: SeManageVolumePrivilege	1912	wmic.exe
Token: 33	1912	wmic.exe
Token: 34	1912	wmic.exe
Token: 35	1912	wmic.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeIncreaseQuotaPrivilege	1912	wmic.exe
Token: SeSecurityPrivilege	1912	wmic.exe
Token: SeTakeOwnershipPrivilege	1912	wmic.exe
Token: SeLoadDriverPrivilege	1912	wmic.exe
Token: SeSystemProfilePrivilege	1912	wmic.exe
Token: SeSystemtimePrivilege	1912	wmic.exe
Token: SeProfSingleProcessPrivilege	1912	wmic.exe
Token: SeIncBasePriorityPrivilege	1912	wmic.exe
Token: SeCreatePagefilePrivilege	1912	wmic.exe
Token: SeBackupPrivilege	1912	wmic.exe
Token: SeRestorePrivilege	1912	wmic.exe
Token: SeShutdownPrivilege	1912	wmic.exe
Token: SeDebugPrivilege	1912	wmic.exe
Token: SeSystemEnvironmentPrivilege	1912	wmic.exe
Token: SeRemoteShutdownPrivilege	1912	wmic.exe
Token: SeUndockPrivilege	1912	wmic.exe
Token: SeManageVolumePrivilege	1912	wmic.exe
Token: 33	1912	wmic.exe
Token: 34	1912	wmic.exe
Token: 35	1912	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

CD5j9fwc.exe

pid	Process
2556	CD5j9fwc.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

CD5j9fwc.exenet.exenet.exenet.exe

description	pid	Process	procid_target
PID 2556 wrote to memory of 2996	2556	CD5j9fwc.exe	31
PID 2556 wrote to memory of 2996	2556	CD5j9fwc.exe	31
PID 2556 wrote to memory of 2996	2556	CD5j9fwc.exe	31
PID 2556 wrote to memory of 2204	2556	CD5j9fwc.exe	33
PID 2556 wrote to memory of 2204	2556	CD5j9fwc.exe	33
PID 2556 wrote to memory of 2204	2556	CD5j9fwc.exe	33
PID 2204 wrote to memory of 2736	2204	net.exe	35
PID 2204 wrote to memory of 2736	2204	net.exe	35
PID 2204 wrote to memory of 2736	2204	net.exe	35
PID 2556 wrote to memory of 2796	2556	CD5j9fwc.exe	36
PID 2556 wrote to memory of 2796	2556	CD5j9fwc.exe	36
PID 2556 wrote to memory of 2796	2556	CD5j9fwc.exe	36
PID 2556 wrote to memory of 2836	2556	CD5j9fwc.exe	38
PID 2556 wrote to memory of 2836	2556	CD5j9fwc.exe	38
PID 2556 wrote to memory of 2836	2556	CD5j9fwc.exe	38
PID 2556 wrote to memory of 2284	2556	CD5j9fwc.exe	40
PID 2556 wrote to memory of 2284	2556	CD5j9fwc.exe	40
PID 2556 wrote to memory of 2284	2556	CD5j9fwc.exe	40
PID 2284 wrote to memory of 2384	2284	net.exe	42
PID 2284 wrote to memory of 2384	2284	net.exe	42
PID 2284 wrote to memory of 2384	2284	net.exe	42
PID 2556 wrote to memory of 2652	2556	CD5j9fwc.exe	43
PID 2556 wrote to memory of 2652	2556	CD5j9fwc.exe	43
PID 2556 wrote to memory of 2652	2556	CD5j9fwc.exe	43
PID 2556 wrote to memory of 3020	2556	CD5j9fwc.exe	45
PID 2556 wrote to memory of 3020	2556	CD5j9fwc.exe	45
PID 2556 wrote to memory of 3020	2556	CD5j9fwc.exe	45
PID 3020 wrote to memory of 1704	3020	net.exe	47
PID 3020 wrote to memory of 1704	3020	net.exe	47
PID 3020 wrote to memory of 1704	3020	net.exe	47
PID 2556 wrote to memory of 1408	2556	CD5j9fwc.exe	49
PID 2556 wrote to memory of 1408	2556	CD5j9fwc.exe	49
PID 2556 wrote to memory of 1408	2556	CD5j9fwc.exe	49
PID 2556 wrote to memory of 1236	2556	CD5j9fwc.exe	50
PID 2556 wrote to memory of 1236	2556	CD5j9fwc.exe	50
PID 2556 wrote to memory of 1236	2556	CD5j9fwc.exe	50
PID 2556 wrote to memory of 1912	2556	CD5j9fwc.exe	48
PID 2556 wrote to memory of 1912	2556	CD5j9fwc.exe	48
PID 2556 wrote to memory of 1912	2556	CD5j9fwc.exe	48
PID 2556 wrote to memory of 2516	2556	CD5j9fwc.exe	52
PID 2556 wrote to memory of 2516	2556	CD5j9fwc.exe	52
PID 2556 wrote to memory of 2516	2556	CD5j9fwc.exe	52
PID 2556 wrote to memory of 404	2556	CD5j9fwc.exe	57
PID 2556 wrote to memory of 404	2556	CD5j9fwc.exe	57
PID 2556 wrote to memory of 404	2556	CD5j9fwc.exe	57
PID 2556 wrote to memory of 376	2556	CD5j9fwc.exe	58
PID 2556 wrote to memory of 376	2556	CD5j9fwc.exe	58
PID 2556 wrote to memory of 376	2556	CD5j9fwc.exe	58

C:\Users\Admin\AppData\Local\Temp\CD5j9fwc.exe
"C:\Users\Admin\AppData\Local\Temp\CD5j9fwc.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command Remove-Item 'C:\Users\Admin\AppData\Local\Temp\CD5j9fwc.exe.bak' -force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\system32\net.exe
  net stop w32time
  2⤵
  - System Time Discovery
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop w32time
    3⤵
    - System Time Discovery
    PID:2736
- C:\Windows\system32\w32tm.exe
  w32tm /unregister
  2⤵
  PID:2796
- C:\Windows\system32\w32tm.exe
  w32tm /register
  2⤵
  - Server Software Component: Terminal Services DLL
  - Boot or Logon Autostart Execution: Time Providers
  PID:2836
- C:\Windows\system32\net.exe
  net start w32time
  2⤵
  - System Time Discovery
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start w32time
    3⤵
    - System Time Discovery
    PID:2384
- C:\Windows\system32\w32tm.exe
  w32tm /resync /force
  2⤵
  PID:2652
- C:\Windows\system32\net.exe
  net stop w32time
  2⤵
  - System Time Discovery
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop w32time
    3⤵
    - System Time Discovery
    PID:1704
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get VirtualizationFirmwareEnabled
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "$env:firmware_type"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Get-WmiObject -Namespace 'Root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "confirm-securebootuefi"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2556 -s 908
  2⤵
  PID:404
- C:\Windows\system32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Time Providers

T1547.003

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Time Providers

T1547.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Time Discovery

T1124

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7702d82ed40e96a774f4c0dd31839817

SHA1
8741aa985e7560e3c97cff17984a427a30f7bcc3

SHA256
833b87e23aed3c6aabdcdf2f3c341936fc1899076346129eb5bdd26c92968d35

SHA512
535b98fd8f45ca2d33700ac3a5d17b62b0befc9f335ecc3a7ce023b478a549c3748df4d078c6471b5aea62543d4336439b80f6ed48703dfbecdc5e31c20e284b

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1236-42-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/1236-43-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/2556-5-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/2556-2-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/2556-20-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Filesize
64KB

Download
memory/2556-0-0x0000000077270000-0x0000000077272000-memory.dmp

Filesize
8KB

Download
memory/2556-3-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/2556-4-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/2556-1-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/2556-48-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/2996-10-0x0000000077220000-0x00000000773C9000-memory.dmp

Filesize
1.7MB

Download
memory/2996-11-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2996-12-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2996-13-0x0000000077220000-0x00000000773C9000-memory.dmp

Filesize
1.7MB

Download