Analysis

  • max time kernel
    149s
  • max time network
    132s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    22/09/2022, 16:17 UTC

General

  • Target

    launcher (1).exe

  • Size

    12.3MB

  • MD5

    1f2b01f1b19f99014203783908b60e90

  • SHA1

    ffa1cd057c490976007f84e5f408d6d242449b30

  • SHA256

    9cf8699c3b57588c8073d861e0e608c4447683225bd6dae7c63288e94d36f5dc

  • SHA512

    09d0e9dcea66e24863017690a58e36c7b258bd145c3e405e6531b6798a60808e74c5ef3c9c8f9ea113218f53661e3a2b7720a0c77d8d64986afc9570bfc7f517

  • SSDEEP

    98304:1zaYWTelH/kP5YK+SGBv1F+qz3ZJ9xr9+rqNqpTPiX7tZ2mz7mb:1zaYWTAYb+Fv19zJbj+rqNyPgv1g

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • NTFS ADS 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\launcher (1).exe
    "C:\Users\Admin\AppData\Local\Temp\launcher (1).exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • NTFS ADS
    PID:2736

Network

  • DNS (US)
    edenity.services
    launcher (1).exe
    Remote address:
    8.8.8.8:53
    Request
    edenity.services
    IN A
    Response
    edenity.services
    IN A
    188.114.97.0
    edenity.services
    IN A
    188.114.96.0
  • GET (US)
    https://edenity.services/lcrdata
    launcher (1).exe
    Remote address:
    188.114.97.0:443
    Request
    GET /lcrdata HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Sciter.JS/4.4.8.21 (Windows;Windows-8;en)
    Host: edenity.services
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Thu, 22 Sep 2022 16:17:37 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EiB%2F1mzvbHI9Y0pk8of1aokRAyIWgIvcNubTzb86ZvlGkG4z56E1AeX94nVaa2gFwAibVt%2Foe2cXyUx97KOL2M9kVJJ83BWkjwD6f65Cnu%2Bo%2BLBr70ANmfbQeedAcAlOYTX4"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 74ec5a0f8a6bb972-AMS
    Content-Encoding: gzip
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  • POST (US)
    https://edenity.services/lcrdata
    launcher (1).exe
    Remote address:
    188.114.97.0:443
    Request
    POST /lcrdata HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;charset=utf-8
    Content-Length: 56
    User-Agent: Sciter.JS/4.4.8.21 (Windows;Windows-8;en)
    Host: edenity.services
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Thu, 22 Sep 2022 16:18:00 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=7MUR%2Bc0gVJjSQFdzvtAG9g6G1a6VLETJQtDUaZQV3R7IiMlqqGETdjaNVKyO5RII2wk7Ck0suqQpSU2ez%2BiL8oTp7uZlWTJa2Hbc8A40NmC7s7e7gWUFZfQUL71ef8jhKg6N"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 74ec5aa0cc5eb972-AMS
    Content-Encoding: gzip
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  • 188.114.97.0:443
    https://edenity.services/lcrdata
    tls, http
    launcher (1).exe
    1.6kB
    5.4kB
    16
    14

    HTTP Request

    GET https://edenity.services/lcrdata

    HTTP Response

    200

    HTTP Request

    POST https://edenity.services/lcrdata

    HTTP Response

    200
  • 13.78.111.198:443
    322 B
    7
  • 104.110.191.140:80
    322 B
    7
  • 8.8.8.8:53
    edenity.services
    dns
    launcher (1).exe
    62 B
    94 B
    1
    1

    DNS Request

    edenity.services

    DNS Response

    188.114.97.0
    188.114.96.0

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2736-120-0x00007FF661DD0000-0x00007FF662CC8000-memory.dmp

    Filesize

    15.0MB

  • memory/2736-121-0x00007FFB6F470000-0x00007FFB6F64B000-memory.dmp

    Filesize

    1.9MB

  • memory/2736-122-0x00007FF661DD0000-0x00007FF662CC8000-memory.dmp

    Filesize

    15.0MB

  • memory/2736-123-0x00007FF661DD0000-0x00007FF662CC8000-memory.dmp

    Filesize

    15.0MB

  • memory/2736-124-0x00007FFB6F470000-0x00007FFB6F64B000-memory.dmp

    Filesize

    1.9MB
