Analysis Overview
SHA256
9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897
Threat Level: Likely malicious
The file 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies extensions of user files
Checks BIOS information in registry
Themida packer
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Drops desktop.ini file(s)
Adds Run key to start application
Checks whether UAC is enabled
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-21 08:25
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-21 08:25
Reported
2022-11-21 08:27
Platform
win7-20220812-en
Max time kernel
86s
Max time network
102s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Pictures\UnblockStop.crw.getfuckedretard | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe\"" | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\screensaver.png" | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
"C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe"
Network
Files
memory/748-54-0x0000000000030000-0x0000000000750000-memory.dmp
\Users\Admin\AppData\Local\Temp\e65fffb7-3d5c-4db1-92e4-3612a04c6c8b\AgileDotNetRT.dll
| MD5 | 1e275530f75ec0222ad0a49117819936 |
| SHA1 | c469db9377442dc65d1c4c6cc5985b28cb1c26e2 |
| SHA256 | d8519a2a1f40baeb1ee2e6eb1aca27745e5dcab7c046d65b27246e24af57d2bb |
| SHA512 | 76af1a2193a3b4dc6adc31c9d160b368c6d1a6368af1e99065b53c01cd1c6a93533167a570e6ea68959eeb06b24664f182ad7eef5d7f1ecbfc4cd55e83a72061 |
memory/748-56-0x0000000074FB1000-0x0000000074FB3000-memory.dmp
memory/748-57-0x0000000073BE0000-0x0000000074365000-memory.dmp
memory/748-58-0x0000000073BE0000-0x0000000074365000-memory.dmp
memory/748-59-0x0000000074C10000-0x0000000074C90000-memory.dmp
memory/748-60-0x0000000073BE0000-0x0000000074365000-memory.dmp
memory/748-61-0x0000000077530000-0x00000000776B0000-memory.dmp
memory/748-62-0x0000000073BE0000-0x0000000074365000-memory.dmp
memory/748-63-0x0000000077530000-0x00000000776B0000-memory.dmp
memory/748-64-0x0000000002400000-0x000000000240C000-memory.dmp
memory/748-65-0x00000000050A5000-0x00000000050B6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-21 08:25
Reported
2022-11-21 08:27
Platform
win10v2004-20221111-en
Max time kernel
144s
Max time network
147s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
Modifies extensions of user files
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe\"" | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\screensaver.png" | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
"C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 204.79.197.200:443 | tcp | |
| N/A | 40.79.189.59:443 | tcp | |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 40.126.32.140:443 | tcp | |
| N/A | 104.80.225.205:443 | tcp | |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 40.126.32.76:443 | tcp | |
| N/A | 72.21.81.240:80 | tcp |
Files
memory/4896-132-0x0000000000600000-0x0000000000D20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e65fffb7-3d5c-4db1-92e4-3612a04c6c8b\AgileDotNetRT.dll
| MD5 | 1e275530f75ec0222ad0a49117819936 |
| SHA1 | c469db9377442dc65d1c4c6cc5985b28cb1c26e2 |
| SHA256 | d8519a2a1f40baeb1ee2e6eb1aca27745e5dcab7c046d65b27246e24af57d2bb |
| SHA512 | 76af1a2193a3b4dc6adc31c9d160b368c6d1a6368af1e99065b53c01cd1c6a93533167a570e6ea68959eeb06b24664f182ad7eef5d7f1ecbfc4cd55e83a72061 |
memory/4896-134-0x0000000072680000-0x0000000072E05000-memory.dmp
memory/4896-135-0x0000000072680000-0x0000000072E05000-memory.dmp
memory/4896-136-0x0000000072680000-0x0000000072E05000-memory.dmp
memory/4896-137-0x00000000778B0000-0x0000000077A53000-memory.dmp
memory/4896-138-0x00000000738A0000-0x0000000073929000-memory.dmp
memory/4896-139-0x0000000006680000-0x0000000006C24000-memory.dmp
memory/4896-140-0x00000000062B0000-0x0000000006342000-memory.dmp
memory/4896-142-0x00000000778B0000-0x0000000077A53000-memory.dmp
memory/4896-141-0x0000000072680000-0x0000000072E05000-memory.dmp
memory/4896-143-0x0000000001670000-0x000000000167A000-memory.dmp