Analysis
-
max time kernel
142s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
02-08-2022 21:25
General
-
Target
Device/HarddiskVolume3/Users/admin/Downloads/FRPFILE AIO V2.6/FRPFILE AIO.exe
-
Size
5.7MB
-
MD5
06c1fc03d8fcb6f2fa379e11137d39bd
-
SHA1
d27416033fb3ad04fd26b0bf2676b75039595a02
-
SHA256
49081ef5b2d0f4c8f8eb944396828d4f504a213a985b9d51ea0e183d5bfde2ce
-
SHA512
f7bc55d8d18218277b5fa3a7ef26f622d805be1269ffe862301fdeba947dd031c16f21f7f0fe3f84a2400a69d64debd587e13352dfd38bbe47e23bf910699988
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 1 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Themida packer 5 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 61 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\admin\Downloads\FRPFILE AIO V2.6\FRPFILE AIO.exe"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\admin\Downloads\FRPFILE AIO V2.6\FRPFILE AIO.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 9322⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3648 -ip 36481⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3a437a5c-0027-4d3d-a0f8-2634809a9ef2\AgileDotNetRT.dllFilesize
2.3MB
MD5105e678e6ee84e0fa7fbe34df1f9639c
SHA117e4d775f4405e3a81a793b5bf775e9c95da5af9
SHA2564ef4551d44fde6e46c470314b0b89f6418a54eee3f1ad9eb7456b2a20e3065a2
SHA5123a15a2f188a4f572923d1999a77ef6d14b243d1c0e3a4442b5a6825756b93b40e2c6197d106df62ae3b427c62ff6b21fc2fe8181a3b6709e9991f1ddd36e5689
-
memory/3648-130-0x0000000000470000-0x0000000000A22000-memory.dmpFilesize
5.7MB
-
memory/3648-131-0x00000000058E0000-0x0000000005E84000-memory.dmpFilesize
5.6MB
-
memory/3648-133-0x00000000720F0000-0x0000000072709000-memory.dmpFilesize
6.1MB
-
memory/3648-134-0x00000000720F0000-0x0000000072709000-memory.dmpFilesize
6.1MB
-
memory/3648-135-0x00000000731A0000-0x0000000073229000-memory.dmpFilesize
548KB
-
memory/3648-136-0x00000000720F0000-0x0000000072709000-memory.dmpFilesize
6.1MB
-
memory/3648-137-0x0000000077230000-0x00000000773D3000-memory.dmpFilesize
1.6MB
-
memory/3648-138-0x00000000720F0000-0x0000000072709000-memory.dmpFilesize
6.1MB
-
memory/3648-139-0x0000000077230000-0x00000000773D3000-memory.dmpFilesize
1.6MB