Malware Analysis Report

2024-11-13 16:17

Sample ID 221121-kbabsabc54
Target 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe
SHA256 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897
Tags
agilenet evasion persistence ransomware themida trojan
score
9/10


Analysis Overview

score
9/10

SHA256

9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897

Threat Level: Likely malicious

The file 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe was classified as likely malicious (score 9/10) on the strength of the behavioral signatures listed below.

Malicious Activity Summary

agilenet evasion persistence ransomware themida trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies extensions of user files

Checks BIOS information in registry

Themida packer

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Drops desktop.ini file(s)

Adds Run key to start application

Checks whether UAC is enabled

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses


Analysis: static1

Detonation Overview

Reported

2022-11-21 08:25

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A (file-level signature; no per-event indicator is recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-21 08:25

Reported

2022-11-21 08:27

Platform

win7-20220812-en

Max time kernel

86s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File created C:\Users\Admin\Pictures\UnblockStop.crw.getfuckedretard C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A (file-level signature; no per-event indicator is recorded)

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (five matches, none with a recorded indicator)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe\"" C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\screensaver.png" C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe

"C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe"

Network

N/A

Files

memory/748-54-0x0000000000030000-0x0000000000750000-memory.dmp

\Users\Admin\AppData\Local\Temp\e65fffb7-3d5c-4db1-92e4-3612a04c6c8b\AgileDotNetRT.dll

MD5 1e275530f75ec0222ad0a49117819936
SHA1 c469db9377442dc65d1c4c6cc5985b28cb1c26e2
SHA256 d8519a2a1f40baeb1ee2e6eb1aca27745e5dcab7c046d65b27246e24af57d2bb
SHA512 76af1a2193a3b4dc6adc31c9d160b368c6d1a6368af1e99065b53c01cd1c6a93533167a570e6ea68959eeb06b24664f182ad7eef5d7f1ecbfc4cd55e83a72061

Note: AgileDotNetRT.dll is the Agile.NET protector's runtime library, which any Agile.NET-protected assembly unpacks to a temp directory and loads at start-up (this is the "Loads dropped DLL" behavior in the summary). Its hashes identify a protector version, not this sample, so they should not be used as a standalone indicator. The directory GUID is identical in both detonations, so the full path is a stable artifact of this particular build.

memory/748-56-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

memory/748-57-0x0000000073BE0000-0x0000000074365000-memory.dmp

memory/748-58-0x0000000073BE0000-0x0000000074365000-memory.dmp

memory/748-59-0x0000000074C10000-0x0000000074C90000-memory.dmp

memory/748-60-0x0000000073BE0000-0x0000000074365000-memory.dmp

memory/748-61-0x0000000077530000-0x00000000776B0000-memory.dmp

memory/748-62-0x0000000073BE0000-0x0000000074365000-memory.dmp

memory/748-63-0x0000000077530000-0x00000000776B0000-memory.dmp

memory/748-64-0x0000000002400000-0x000000000240C000-memory.dmp

memory/748-65-0x00000000050A5000-0x00000000050B6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-21 08:25

Reported

2022-11-21 08:27

Platform

win10v2004-20221111-en

Max time kernel

144s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\RegisterProtect.tiff C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
File created C:\Users\Admin\Pictures\SubmitExpand.png.getfuckedretard C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
File created C:\Users\Admin\Pictures\UnpublishEdit.png.getfuckedretard C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
File created C:\Users\Admin\Pictures\AddSuspend.tif.getfuckedretard C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
File created C:\Users\Admin\Pictures\ConfirmResolve.crw.getfuckedretard C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
File created C:\Users\Admin\Pictures\ExportBackup.tif.getfuckedretard C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
File created C:\Users\Admin\Pictures\RedoConvert.png.getfuckedretard C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
File created C:\Users\Admin\Pictures\RegisterProtect.tiff.getfuckedretard C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
File created C:\Users\Admin\Pictures\ExitAdd.tif.getfuckedretard C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
File created C:\Users\Admin\Pictures\GetResize.png.getfuckedretard C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
File created C:\Users\Admin\Pictures\HideFind.raw.getfuckedretard C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
File created C:\Users\Admin\Pictures\LimitRead.tif.getfuckedretard C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
File created C:\Users\Admin\Pictures\UndoUnblock.png.getfuckedretard C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A (file-level signature; no per-event indicator is recorded)

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (five matches, none with a recorded indicator)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe\"" C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\screensaver.png" C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe N/A
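The behaviours tabled in behavioral1 and behavioral2 above (anti-VM registry probes, the Run key pointing into %TEMP%, the wallpaper write, double-extension file creation under the user's folders, desktop.ini modification, SeDebugPrivilege) are the kind of evidence an analyst turns into detection logic. The following Python is an added example, not part of this report or of the sandbox's tooling: it parses rows in the report's flattened "Description Indicator Process Target" layout into events and applies rules for those behaviours. The row layout it assumes, the thresholds, the rule names and the constructed SAMPLE_ROWS (copied from the tables with the hash-named sample path shortened to sample.exe, plus one benign row) are the example's own.

```python
"""Added example (not part of the original report): parse the flattened
'Description Indicator Process Target' rows into events and run simple
detection logic over them. Row-layout assumptions, rule thresholds and the
constructed SAMPLE_ROWS are this example's own, not the sandbox's."""
import re
from collections import Counter

# Constructed sample: rows copied from the report's tables with the sample's
# hash-named path shortened to sample.exe, plus one benign row that must not fire.
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe\"" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\screensaver.png" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Users\Admin\Pictures\SubmitExpand.png.getfuckedretard C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Users\Admin\Pictures\AddSuspend.tif.getfuckedretard C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Users\Admin\Pictures\HideFind.raw.getfuckedretard C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Users\Admin\Documents\report.docx C:\Program Files\Office\winword.exe N/A
"""

DESCRIPTIONS = ("Key value queried", "Key opened", "Set value (str)",
                "File opened for modification", "File created", "Token:")


def parse_row(line):
    """Split one flattened row into its four columns, or return None.
    Assumed layout: <description> <indicator> <process> <target>. Only the
    process column can be located reliably: it is the last ' C:\\' on the row."""
    line = line.strip()
    for desc in DESCRIPTIONS:
        if line.startswith(desc + " "):
            rest = line[len(desc) + 1:]
            break
    else:
        return None
    rest, _, target = rest.rpartition(" ")          # target is the trailing token
    cut = rest.rfind(" C:\\")
    indicator, process = (rest, "") if cut < 0 else (rest[:cut], rest[cut + 1:])
    if desc == "Token:":                            # row reads "Token: <priv> N/A ..."
        priv, _, indicator = indicator.partition(" ")
        desc = f"Token: {priv}"
    return {"description": desc, "indicator": indicator,
            "process": process, "target": target}


def parse_rows(text):
    return [ev for ev in map(parse_row, text.splitlines()) if ev]


# Indicators taken from the report, lower-cased for comparison.
ANTI_VM_KEYS = {
    "\\registry\\machine\\hardware\\acpi\\dsdt\\vbox__",
    "\\registry\\machine\\hardware\\description\\system\\systembiosversion",
    "\\registry\\machine\\hardware\\description\\system\\videobiosversion",
}
RUN_KEY = "\\microsoft\\windows\\currentversion\\run\\"
WALLPAPER = "\\control panel\\desktop\\wallpaper = "
USER_DIRS = ("\\pictures\\", "\\documents\\", "\\desktop\\")
# name.<ext>.<ext2>: a second extension appended to an existing one
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,5}\.([a-z0-9]+)$")


def detect(events, min_renamed=3):
    """Return (rule, detail) findings for the behaviours the report documents.
    min_renamed is this example's threshold for calling a rename wave ransomware-like."""
    findings = []
    renamed, ini_dirs = Counter(), set()
    for ev in events:
        desc, ind = ev["description"], ev["indicator"]
        low = ind.lower()
        if desc in ("Key opened", "Key value queried") and low in ANTI_VM_KEYS:
            findings.append(("anti_vm_registry_probe", ind))
        elif desc == "Set value (str)" and RUN_KEY in low:
            # the value is recorded with doubled backslashes; normalise before matching
            value = low.partition(" = ")[2].replace("\\\\", "\\")
            if "\\appdata\\local\\temp\\" in value:
                findings.append(("run_key_persistence_from_temp", ind))
        elif desc == "Set value (str)" and WALLPAPER in low:
            findings.append(("wallpaper_set", ind))
        elif desc == "File created" and any(d in low for d in USER_DIRS):
            m = DOUBLE_EXT.search(low)
            if m:
                renamed[m.group(1)] += 1
        elif desc == "File opened for modification" and low.endswith("\\desktop.ini"):
            ini_dirs.add(low.rsplit("\\", 1)[0])
        elif desc == "Token: SeDebugPrivilege":
            findings.append(("sedebugprivilege_enabled", desc))
    for ext, n in renamed.items():
        if n >= min_renamed:
            findings.append(("mass_extension_append", f".{ext} on {n} user files"))
    if len(ini_dirs) >= 2:
        findings.append(("desktop_ini_modified_in_user_dirs", ", ".join(sorted(ini_dirs))))
    return findings


def analyze(text, **kw):
    return detect(parse_rows(text), **kw)


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_ROWS):
        print(f"{rule:34} {detail}")
```

Run it as a script to print the findings for the constructed rows, or pass other rows in the same layout to parse_rows() when triaging further reports. A single renamed file, as in the behavioral1 run, stays below the default min_renamed threshold on purpose: the rule keys on the rename wave across user folders, not on the odd extension string, which a variant can change at will.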

Processes

C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe

"C:\Users\Admin\AppData\Local\Temp\9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897.exe"

Network

Country Destination Domain Proto
N/A 72.21.81.240:80 (none) tcp (8 connections)
N/A 204.79.197.200:443 (none) tcp
N/A 40.79.189.59:443 (none) tcp
N/A 40.126.32.140:443 (none) tcp
N/A 104.80.225.205:443 (none) tcp
N/A 40.126.32.76:443 (none) tcp

No domain was recorded for any connection and no network signature fired. The Windows 7 run (behavioral1) recorded no traffic at all, and these destinations fall in Microsoft and CDN ranges typically seen as Windows 10 background traffic (Bing, Microsoft account login services, update and certificate CDNs), so they should be treated as probable OS noise rather than command-and-control; nothing in this report ties them to the sample.

Files

memory/4896-132-0x0000000000600000-0x0000000000D20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e65fffb7-3d5c-4db1-92e4-3612a04c6c8b\AgileDotNetRT.dll

MD5 1e275530f75ec0222ad0a49117819936
SHA1 c469db9377442dc65d1c4c6cc5985b28cb1c26e2
SHA256 d8519a2a1f40baeb1ee2e6eb1aca27745e5dcab7c046d65b27246e24af57d2bb
SHA512 76af1a2193a3b4dc6adc31c9d160b368c6d1a6368af1e99065b53c01cd1c6a93533167a570e6ea68959eeb06b24664f182ad7eef5d7f1ecbfc4cd55e83a72061

memory/4896-134-0x0000000072680000-0x0000000072E05000-memory.dmp

memory/4896-135-0x0000000072680000-0x0000000072E05000-memory.dmp

memory/4896-136-0x0000000072680000-0x0000000072E05000-memory.dmp

memory/4896-137-0x00000000778B0000-0x0000000077A53000-memory.dmp

memory/4896-138-0x00000000738A0000-0x0000000073929000-memory.dmp

memory/4896-139-0x0000000006680000-0x0000000006C24000-memory.dmp

memory/4896-140-0x00000000062B0000-0x0000000006342000-memory.dmp

memory/4896-142-0x00000000778B0000-0x0000000077A53000-memory.dmp

memory/4896-141-0x0000000072680000-0x0000000072E05000-memory.dmp

memory/4896-143-0x0000000001670000-0x000000000167A000-memory.dmp