Analysis
-
max time kernel
39s -
max time network
41s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
22/04/2023, 20:27
General
-
Target
Pop.exe
-
Size
9.0MB
-
MD5
2133ef7afec1e4305982f358aae930ea
-
SHA1
91e079cf85784db58cb9f540b05718ba08dd9745
-
SHA256
6b16ad761c2320e8fc0d1b12263b3b2b54436a95eec14e8671047f7cb4188926
-
SHA512
32a7975d6498308d4b998604ba4c659d5b406a3ccbce0500ebaf41a749d647e58676c0b9314f2379b5615a3f9ea65dd0ed3b5eae38f4ec35bbe8556eebdaa92e
-
SSDEEP
196608:teEgBaHepmiOPwky+owy/rg53HRVu7vHDpS1IqBRU7kCs2q:tUBMDoky+oxc53xVu7vHhqBa4Cs
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Pop.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Pop.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Pop.exe -
Loads dropped DLL 1 IoCs
pid Process 4356 Pop.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/memory/4356-133-0x000001C46C870000-0x000001C46D17A000-memory.dmp agile_net -
resource yara_rule behavioral1/files/0x010400000001f721-138.dat themida behavioral1/files/0x010400000001f721-140.dat themida behavioral1/memory/4356-141-0x00007FFD30880000-0x00007FFD310DF000-memory.dmp themida behavioral1/memory/4356-143-0x00007FFD30880000-0x00007FFD310DF000-memory.dmp themida behavioral1/memory/4356-144-0x00007FFD30880000-0x00007FFD310DF000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Pop.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 4356 Pop.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1744 4356 WerFault.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\Pop.exe"C:\Users\Admin\AppData\Local\Temp\Pop.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4356 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4356 -s 8562⤵
- Program crash
PID:1744
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 448 -p 4356 -ip 43561⤵PID:4016
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD5e3bd88b3c3e9b33dfa72c814f8826cff
SHA16d220c9eb7ee695f2b9dec261941bed59cac15e4
SHA25628e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796
SHA512fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9
-
Filesize
3.0MB
MD5e3bd88b3c3e9b33dfa72c814f8826cff
SHA16d220c9eb7ee695f2b9dec261941bed59cac15e4
SHA25628e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796
SHA512fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9