Analysis
-
max time kernel
18s -
max time network
22s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
05-10-2022 15:29
Errors
General
-
Target
6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe
-
Size
5.4MB
-
MD5
c2f7575dba870997fa78d2ac6206704e
-
SHA1
2ed5db2d983bd62157960049ca6339d3387949f1
-
SHA256
6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d
-
SHA512
2ab83c93aa4fabea90a04235745457e80c2431dee6b0c63ba02ff63f52b2d0ea2e24570e90da704465a6f41409bd2474efdb22c52cc6178ef0a1f4f4a99dc2f6
-
SSDEEP
98304:vxV6zRhld9E1BlYb9uto2jgrGeweoSYp2prwvLWaNFXvow17IugzlHbGSZBN7fZm:5V8ld98BlON2jnbNswvBXvowJgzl7GSO
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 3 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 2 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Themida packer 5 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
System policy modification 1 TTPs 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe"C:\Users\Admin\AppData\Local\Temp\6069f9173bdddb942a7e3cf4a93dce582ac50e785266c32967a5e958ade7ba8d.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39ef055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\767d5d80-8aab-4c3c-b5ab-b2f609ab34c1\AgileDotNetRT64.dllFilesize
3.1MB
MD54d8082b3de02f82db9a515e9dab5d2b6
SHA1057a20ade70244601d0fe50f7011c95bae335ea5
SHA256936b1537b6efcece032c05661238b06beefc61ff76e82b7c5d9fe558a9360a4c
SHA5127b9153e9948e0f911fcb0b145678a56cac4abd948fa99e07c331760f02dce096cf3be7d2d8493cf7a76460c7172e24eaa45c1283a28353501b2876c54752c60d
-
C:\Users\Admin\AppData\Local\Temp\767d5d80-8aab-4c3c-b5ab-b2f609ab34c1\AgileDotNetRT64.dllFilesize
3.1MB
MD54d8082b3de02f82db9a515e9dab5d2b6
SHA1057a20ade70244601d0fe50f7011c95bae335ea5
SHA256936b1537b6efcece032c05661238b06beefc61ff76e82b7c5d9fe558a9360a4c
SHA5127b9153e9948e0f911fcb0b145678a56cac4abd948fa99e07c331760f02dce096cf3be7d2d8493cf7a76460c7172e24eaa45c1283a28353501b2876c54752c60d
-
memory/5016-132-0x000001EE04990000-0x000001EE04EF6000-memory.dmpFilesize
5.4MB
-
memory/5016-136-0x00007FF8148F0000-0x00007FF8153B1000-memory.dmpFilesize
10.8MB
-
memory/5016-135-0x000001EE1F3D0000-0x000001EE1FC3C000-memory.dmpFilesize
8.4MB
-
memory/5016-137-0x00007FF815640000-0x00007FF81578E000-memory.dmpFilesize
1.3MB
-
memory/5016-138-0x000001EE1F3D0000-0x000001EE1FC3C000-memory.dmpFilesize
8.4MB
-
memory/5016-139-0x00007FF832C10000-0x00007FF832E05000-memory.dmpFilesize
2.0MB
-
memory/5016-140-0x000001EE1F3D0000-0x000001EE1FC3C000-memory.dmpFilesize
8.4MB
-
memory/5016-141-0x00007FF832C10000-0x00007FF832E05000-memory.dmpFilesize
2.0MB
-
memory/5016-142-0x00007FF8148F0000-0x00007FF8153B1000-memory.dmpFilesize
10.8MB