01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UgrVJMxL.exe
Size

27.9MB
MD5

34e055a67b10a1a14994b6b3457698e2
SHA1

6b299dca56f55a0656b23fd035f4353dc049343a
SHA256

01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09
SHA512

8437dde18940cf8197d25f729bbaaf0803b81ffa1ed13128c91e6e3a65f01fc8253a19badc6e71c187928832dbabb03cf45ddc392e19e4c5dc6f741ada13d218
SSDEEP

786432:PPhOXo+/5eJC7HRCyM1yMRUEvTHBfBRcda3:3AY+/4JOlQ7PRco3

Score

9^/10

defense_evasion discovery evasion execution persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	UgrVJMxL.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\Parameters\ServiceDll = "C:\\Windows\\system32\\w32time.DLL"	w32tm.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	UgrVJMxL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	UgrVJMxL.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1680-1-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/1680-4-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/1680-2-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/1680-3-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/1680-5-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/1680-47-0x0000000140000000-0x000000014325E000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UgrVJMxL.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1680	UgrVJMxL.exe

Boot or Logon Autostart Execution: Time Providers 1 TTPs 24 IoCs

The Windows Time service (W32Time) enables time synchronization across and within domains.

persistence

Time Providers

T1547.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider\Parameters	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\EventLogFlags = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\VMICTimeProvider\Enabled = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\VMICTimeProvider\InputProvider = "1"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\DllName = "C:\\Windows\\system32\\w32time.DLL"	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClient	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpServer	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\DllName = "C:\\Windows\\system32\\w32time.DLL"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\Enabled = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\CrossSiteSyncFlags = "2"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\AllowNonstandardModeCombinations = "1"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\VMICTimeProvider\DllName = "%SystemRoot%\\System32\\vmictimeprovider.dll"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\SpecialPollInterval = "604800"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\Enabled = "0"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\AllowNonstandardModeCombinations = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\CompatibilityFlags = "2147483648"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\LargeSampleSkew = "3"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\InputProvider = "0"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\EventLogFlags = "0"	w32tm.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 0000	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\InputProvider = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMinutes = "15"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMaxTimes = "7"	w32tm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2364	powershell.exe
1260	powershell.exe
2324	powershell.exe

System Time Discovery 1 TTPs 6 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
2396	net.exe
856	net1.exe
2456	net.exe
2792	net1.exe
2484	net.exe
2840	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2092	powershell.exe
2324	powershell.exe
2364	powershell.exe
1260	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeIncreaseQuotaPrivilege	2932	wmic.exe
Token: SeSecurityPrivilege	2932	wmic.exe
Token: SeTakeOwnershipPrivilege	2932	wmic.exe
Token: SeLoadDriverPrivilege	2932	wmic.exe
Token: SeSystemProfilePrivilege	2932	wmic.exe
Token: SeSystemtimePrivilege	2932	wmic.exe
Token: SeProfSingleProcessPrivilege	2932	wmic.exe
Token: SeIncBasePriorityPrivilege	2932	wmic.exe
Token: SeCreatePagefilePrivilege	2932	wmic.exe
Token: SeBackupPrivilege	2932	wmic.exe
Token: SeRestorePrivilege	2932	wmic.exe
Token: SeShutdownPrivilege	2932	wmic.exe
Token: SeDebugPrivilege	2932	wmic.exe
Token: SeSystemEnvironmentPrivilege	2932	wmic.exe
Token: SeRemoteShutdownPrivilege	2932	wmic.exe
Token: SeUndockPrivilege	2932	wmic.exe
Token: SeManageVolumePrivilege	2932	wmic.exe
Token: 33	2932	wmic.exe
Token: 34	2932	wmic.exe
Token: 35	2932	wmic.exe
Token: SeIncreaseQuotaPrivilege	2932	wmic.exe
Token: SeSecurityPrivilege	2932	wmic.exe
Token: SeTakeOwnershipPrivilege	2932	wmic.exe
Token: SeLoadDriverPrivilege	2932	wmic.exe
Token: SeSystemProfilePrivilege	2932	wmic.exe
Token: SeSystemtimePrivilege	2932	wmic.exe
Token: SeProfSingleProcessPrivilege	2932	wmic.exe
Token: SeIncBasePriorityPrivilege	2932	wmic.exe
Token: SeCreatePagefilePrivilege	2932	wmic.exe
Token: SeBackupPrivilege	2932	wmic.exe
Token: SeRestorePrivilege	2932	wmic.exe
Token: SeShutdownPrivilege	2932	wmic.exe
Token: SeDebugPrivilege	2932	wmic.exe
Token: SeSystemEnvironmentPrivilege	2932	wmic.exe
Token: SeRemoteShutdownPrivilege	2932	wmic.exe
Token: SeUndockPrivilege	2932	wmic.exe
Token: SeManageVolumePrivilege	2932	wmic.exe
Token: 33	2932	wmic.exe
Token: 34	2932	wmic.exe
Token: 35	2932	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1680	UgrVJMxL.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2092	1680	UgrVJMxL.exe	30
PID 1680 wrote to memory of 2092	1680	UgrVJMxL.exe	30
PID 1680 wrote to memory of 2092	1680	UgrVJMxL.exe	30
PID 1680 wrote to memory of 2396	1680	UgrVJMxL.exe	32
PID 1680 wrote to memory of 2396	1680	UgrVJMxL.exe	32
PID 1680 wrote to memory of 2396	1680	UgrVJMxL.exe	32
PID 2396 wrote to memory of 856	2396	net.exe	34
PID 2396 wrote to memory of 856	2396	net.exe	34
PID 2396 wrote to memory of 856	2396	net.exe	34
PID 1680 wrote to memory of 2748	1680	UgrVJMxL.exe	35
PID 1680 wrote to memory of 2748	1680	UgrVJMxL.exe	35
PID 1680 wrote to memory of 2748	1680	UgrVJMxL.exe	35
PID 1680 wrote to memory of 2820	1680	UgrVJMxL.exe	38
PID 1680 wrote to memory of 2820	1680	UgrVJMxL.exe	38
PID 1680 wrote to memory of 2820	1680	UgrVJMxL.exe	38
PID 1680 wrote to memory of 2456	1680	UgrVJMxL.exe	40
PID 1680 wrote to memory of 2456	1680	UgrVJMxL.exe	40
PID 1680 wrote to memory of 2456	1680	UgrVJMxL.exe	40
PID 2456 wrote to memory of 2792	2456	net.exe	42
PID 2456 wrote to memory of 2792	2456	net.exe	42
PID 2456 wrote to memory of 2792	2456	net.exe	42
PID 1680 wrote to memory of 2660	1680	UgrVJMxL.exe	43
PID 1680 wrote to memory of 2660	1680	UgrVJMxL.exe	43
PID 1680 wrote to memory of 2660	1680	UgrVJMxL.exe	43
PID 1680 wrote to memory of 2484	1680	UgrVJMxL.exe	45
PID 1680 wrote to memory of 2484	1680	UgrVJMxL.exe	45
PID 1680 wrote to memory of 2484	1680	UgrVJMxL.exe	45
PID 2484 wrote to memory of 2840	2484	net.exe	47
PID 2484 wrote to memory of 2840	2484	net.exe	47
PID 2484 wrote to memory of 2840	2484	net.exe	47
PID 1680 wrote to memory of 2932	1680	UgrVJMxL.exe	48
PID 1680 wrote to memory of 2932	1680	UgrVJMxL.exe	48
PID 1680 wrote to memory of 2932	1680	UgrVJMxL.exe	48
PID 1680 wrote to memory of 2324	1680	UgrVJMxL.exe	49
PID 1680 wrote to memory of 2324	1680	UgrVJMxL.exe	49
PID 1680 wrote to memory of 2324	1680	UgrVJMxL.exe	49
PID 1680 wrote to memory of 1260	1680	UgrVJMxL.exe	50
PID 1680 wrote to memory of 1260	1680	UgrVJMxL.exe	50
PID 1680 wrote to memory of 1260	1680	UgrVJMxL.exe	50
PID 1680 wrote to memory of 2364	1680	UgrVJMxL.exe	51
PID 1680 wrote to memory of 2364	1680	UgrVJMxL.exe	51
PID 1680 wrote to memory of 2364	1680	UgrVJMxL.exe	51
PID 1680 wrote to memory of 316	1680	UgrVJMxL.exe	57
PID 1680 wrote to memory of 316	1680	UgrVJMxL.exe	57
PID 1680 wrote to memory of 316	1680	UgrVJMxL.exe	57
PID 1680 wrote to memory of 1152	1680	UgrVJMxL.exe	58
PID 1680 wrote to memory of 1152	1680	UgrVJMxL.exe	58
PID 1680 wrote to memory of 1152	1680	UgrVJMxL.exe	58

C:\Users\Admin\AppData\Local\Temp\UgrVJMxL.exe
"C:\Users\Admin\AppData\Local\Temp\UgrVJMxL.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command Remove-Item 'C:\Users\Admin\AppData\Local\Temp\UgrVJMxL.exe.bak' -force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\system32\net.exe
  net stop w32time
  2⤵
  - System Time Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop w32time
    3⤵
    - System Time Discovery
    PID:856
- C:\Windows\system32\w32tm.exe
  w32tm /unregister
  2⤵
  PID:2748
- C:\Windows\system32\w32tm.exe
  w32tm /register
  2⤵
  - Server Software Component: Terminal Services DLL
  - Boot or Logon Autostart Execution: Time Providers
  PID:2820
- C:\Windows\system32\net.exe
  net start w32time
  2⤵
  - System Time Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start w32time
    3⤵
    - System Time Discovery
    PID:2792
- C:\Windows\system32\w32tm.exe
  w32tm /resync /force
  2⤵
  PID:2660
- C:\Windows\system32\net.exe
  net stop w32time
  2⤵
  - System Time Discovery
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop w32time
    3⤵
    - System Time Discovery
    PID:2840
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get VirtualizationFirmwareEnabled
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "$env:firmware_type"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "confirm-securebootuefi"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Get-WmiObject -Namespace 'Root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1680 -s 868
  2⤵
  PID:316
- C:\Windows\system32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Time Providers

T1547.003

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Time Providers

T1547.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Time Discovery

T1124

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2e311888186bbc7b26b68a3764a0e88d

SHA1
6b03700d071c85cb0a08b63f047c3fc453756e47

SHA256
fabf58fbe56a68107735046d18c05f8070be1f9002ada30480f7a403b16e7da6

SHA512
a3d92b1659b853b5e8dff83b338e5e9dfa6d182cb7e173a1543744479f2cf8f094a82bae926d35168f650a8aa3fed998e3f515a20a012d7ce01d013c4b1978bf

Download Submit
memory/1680-20-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Filesize
64KB

Download
memory/1680-1-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/1680-4-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/1680-2-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/1680-3-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/1680-5-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/1680-0-0x0000000077C10000-0x0000000077C12000-memory.dmp

Filesize
8KB

Download
memory/1680-47-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/2092-10-0x0000000077BC0000-0x0000000077D69000-memory.dmp

Filesize
1.7MB

Download
memory/2092-13-0x0000000077BC0000-0x0000000077D69000-memory.dmp

Filesize
1.7MB

Download
memory/2092-12-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2092-11-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2324-36-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2324-46-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download