Analysis
-
max time kernel
22s -
max time network
25s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
14-04-2023 12:54
General
-
Target
BearFlix.exe
-
Size
7.0MB
-
MD5
ea47c348d3c190be65e02d8e27677382
-
SHA1
e7db5e65b8ba03e08383904ba04904f0f937d8dc
-
SHA256
5cd1a4b761863addef4b68ab4e7df6036b6dea41a278013fadedf91e19ddbb56
-
SHA512
86169bcdf49a620d636d2ee62bb17138e57f09680139f263efdaf602da321275d1bd8ef8a5292a527bb29ae698cc692d3ed787febf0a75b0409cecde4e569c82
-
SSDEEP
196608:trkfNWCZtV8ld98BlON2jnbNswvBXvowJgzl7GSZn7ftm:F90jVvBXvoww77rc
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
BearFlix.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ BearFlix.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
BearFlix.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion BearFlix.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion BearFlix.exe -
Loads dropped DLL 1 IoCs
Processes:
BearFlix.exepid process 2604 BearFlix.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule behavioral1/memory/2604-133-0x0000000000F50000-0x000000000164E000-memory.dmp agile_net -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\3552fb05-326e-47b6-881a-b7e27c7fb1c6\AgileDotNetRT.dll themida C:\Users\Admin\AppData\Local\Temp\3552fb05-326e-47b6-881a-b7e27c7fb1c6\AgileDotNetRT.dll themida behavioral1/memory/2604-141-0x0000000071C00000-0x0000000072219000-memory.dmp themida behavioral1/memory/2604-143-0x0000000071C00000-0x0000000072219000-memory.dmp themida behavioral1/memory/2604-144-0x0000000071C00000-0x0000000072219000-memory.dmp themida behavioral1/memory/2604-146-0x0000000071C00000-0x0000000072219000-memory.dmp themida -
Processes:
BearFlix.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA BearFlix.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
BearFlix.exepid process 2604 BearFlix.exe -
Program crash 3 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exepid pid_target process target process 3096 2604 WerFault.exe BearFlix.exe 5012 2604 WerFault.exe BearFlix.exe 4516 2604 WerFault.exe BearFlix.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\BearFlix.exe"C:\Users\Admin\AppData\Local\Temp\BearFlix.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 10842⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 10442⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 10522⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2604 -ip 26041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 2604 -ip 26041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2604 -ip 26041⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3552fb05-326e-47b6-881a-b7e27c7fb1c6\AgileDotNetRT.dllFilesize
2.3MB
MD5105e678e6ee84e0fa7fbe34df1f9639c
SHA117e4d775f4405e3a81a793b5bf775e9c95da5af9
SHA2564ef4551d44fde6e46c470314b0b89f6418a54eee3f1ad9eb7456b2a20e3065a2
SHA5123a15a2f188a4f572923d1999a77ef6d14b243d1c0e3a4442b5a6825756b93b40e2c6197d106df62ae3b427c62ff6b21fc2fe8181a3b6709e9991f1ddd36e5689
-
C:\Users\Admin\AppData\Local\Temp\3552fb05-326e-47b6-881a-b7e27c7fb1c6\AgileDotNetRT.dllFilesize
2.3MB
MD5105e678e6ee84e0fa7fbe34df1f9639c
SHA117e4d775f4405e3a81a793b5bf775e9c95da5af9
SHA2564ef4551d44fde6e46c470314b0b89f6418a54eee3f1ad9eb7456b2a20e3065a2
SHA5123a15a2f188a4f572923d1999a77ef6d14b243d1c0e3a4442b5a6825756b93b40e2c6197d106df62ae3b427c62ff6b21fc2fe8181a3b6709e9991f1ddd36e5689
-
memory/2604-133-0x0000000000F50000-0x000000000164E000-memory.dmpFilesize
7.0MB
-
memory/2604-141-0x0000000071C00000-0x0000000072219000-memory.dmpFilesize
6.1MB
-
memory/2604-142-0x0000000005F60000-0x0000000005F70000-memory.dmpFilesize
64KB
-
memory/2604-143-0x0000000071C00000-0x0000000072219000-memory.dmpFilesize
6.1MB
-
memory/2604-144-0x0000000071C00000-0x0000000072219000-memory.dmpFilesize
6.1MB
-
memory/2604-145-0x0000000073A70000-0x0000000073AF9000-memory.dmpFilesize
548KB
-
memory/2604-146-0x0000000071C00000-0x0000000072219000-memory.dmpFilesize
6.1MB