Analysis
-
max time kernel
22s -
max time network
25s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
14/04/2023, 12:54
General
-
Target
BearFlix.exe
-
Size
7.0MB
-
MD5
ea47c348d3c190be65e02d8e27677382
-
SHA1
e7db5e65b8ba03e08383904ba04904f0f937d8dc
-
SHA256
5cd1a4b761863addef4b68ab4e7df6036b6dea41a278013fadedf91e19ddbb56
-
SHA512
86169bcdf49a620d636d2ee62bb17138e57f09680139f263efdaf602da321275d1bd8ef8a5292a527bb29ae698cc692d3ed787febf0a75b0409cecde4e569c82
-
SSDEEP
196608:trkfNWCZtV8ld98BlON2jnbNswvBXvowJgzl7GSZn7ftm:F90jVvBXvoww77rc
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ BearFlix.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion BearFlix.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion BearFlix.exe -
Loads dropped DLL 1 IoCs
pid Process 2604 BearFlix.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/memory/2604-133-0x0000000000F50000-0x000000000164E000-memory.dmp agile_net -
resource yara_rule behavioral1/files/0x000200000001e2ac-139.dat themida behavioral1/files/0x000200000001e2ac-137.dat themida behavioral1/memory/2604-141-0x0000000071C00000-0x0000000072219000-memory.dmp themida behavioral1/memory/2604-143-0x0000000071C00000-0x0000000072219000-memory.dmp themida behavioral1/memory/2604-144-0x0000000071C00000-0x0000000072219000-memory.dmp themida behavioral1/memory/2604-146-0x0000000071C00000-0x0000000072219000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA BearFlix.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2604 BearFlix.exe -
Program crash 3 IoCs
pid pid_target Process procid_target 3096 2604 WerFault.exe 83 5012 2604 WerFault.exe 83 4516 2604 WerFault.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\BearFlix.exe"C:\Users\Admin\AppData\Local\Temp\BearFlix.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2604 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 10842⤵
- Program crash
PID:3096
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 10442⤵
- Program crash
PID:5012
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 10522⤵
- Program crash
PID:4516
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2604 -ip 26041⤵PID:3812
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 2604 -ip 26041⤵PID:2040
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2604 -ip 26041⤵PID:116
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
MD5105e678e6ee84e0fa7fbe34df1f9639c
SHA117e4d775f4405e3a81a793b5bf775e9c95da5af9
SHA2564ef4551d44fde6e46c470314b0b89f6418a54eee3f1ad9eb7456b2a20e3065a2
SHA5123a15a2f188a4f572923d1999a77ef6d14b243d1c0e3a4442b5a6825756b93b40e2c6197d106df62ae3b427c62ff6b21fc2fe8181a3b6709e9991f1ddd36e5689
-
Filesize
2.3MB
MD5105e678e6ee84e0fa7fbe34df1f9639c
SHA117e4d775f4405e3a81a793b5bf775e9c95da5af9
SHA2564ef4551d44fde6e46c470314b0b89f6418a54eee3f1ad9eb7456b2a20e3065a2
SHA5123a15a2f188a4f572923d1999a77ef6d14b243d1c0e3a4442b5a6825756b93b40e2c6197d106df62ae3b427c62ff6b21fc2fe8181a3b6709e9991f1ddd36e5689