Analysis
-
max time kernel
93s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
22/04/2023, 18:46
General
-
Target
Pop.exe
-
Size
9.0MB
-
MD5
2133ef7afec1e4305982f358aae930ea
-
SHA1
91e079cf85784db58cb9f540b05718ba08dd9745
-
SHA256
6b16ad761c2320e8fc0d1b12263b3b2b54436a95eec14e8671047f7cb4188926
-
SHA512
32a7975d6498308d4b998604ba4c659d5b406a3ccbce0500ebaf41a749d647e58676c0b9314f2379b5615a3f9ea65dd0ed3b5eae38f4ec35bbe8556eebdaa92e
-
SSDEEP
196608:teEgBaHepmiOPwky+owy/rg53HRVu7vHDpS1IqBRU7kCs2q:tUBMDoky+oxc53xVu7vHhqBa4Cs
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Pop.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Pop.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Pop.exe -
Loads dropped DLL 1 IoCs
pid Process 3708 Pop.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/memory/3708-133-0x000001F066F00000-0x000001F06780A000-memory.dmp agile_net -
resource yara_rule behavioral1/files/0x00040000000230dd-137.dat themida behavioral1/files/0x00040000000230dd-139.dat themida behavioral1/memory/3708-140-0x00007FF953340000-0x00007FF953B9F000-memory.dmp themida behavioral1/memory/3708-143-0x00007FF953340000-0x00007FF953B9F000-memory.dmp themida behavioral1/memory/3708-144-0x00007FF953340000-0x00007FF953B9F000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Pop.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3708 Pop.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1320 3708 WerFault.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\Pop.exe"C:\Users\Admin\AppData\Local\Temp\Pop.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3708 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3708 -s 8562⤵
- Program crash
PID:1320
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 464 -p 3708 -ip 37081⤵PID:1740
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD5e3bd88b3c3e9b33dfa72c814f8826cff
SHA16d220c9eb7ee695f2b9dec261941bed59cac15e4
SHA25628e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796
SHA512fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9
-
Filesize
3.0MB
MD5e3bd88b3c3e9b33dfa72c814f8826cff
SHA16d220c9eb7ee695f2b9dec261941bed59cac15e4
SHA25628e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796
SHA512fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9