Analysis
- max time kernel: 151s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 24-04-2023 01:17
Behavioral task: behavioral1
- Sample: 2133ef7afec1e4305982f358aae930ea.exe
- Resource: win7-20230220-en
General
- Target: 2133ef7afec1e4305982f358aae930ea.exe
- Size: 9.0MB
- MD5: 2133ef7afec1e4305982f358aae930ea
- SHA1: 91e079cf85784db58cb9f540b05718ba08dd9745
- SHA256: 6b16ad761c2320e8fc0d1b12263b3b2b54436a95eec14e8671047f7cb4188926
- SHA512: 32a7975d6498308d4b998604ba4c659d5b406a3ccbce0500ebaf41a749d647e58676c0b9314f2379b5615a3f9ea65dd0ed3b5eae38f4ec35bbe8556eebdaa92e
- SSDEEP: 196608:teEgBaHepmiOPwky+owy/rg53HRVu7vHDpS1IqBRU7kCs2q:tUBMDoky+oxc53xVu7vHhqBa4Cs
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes: 2133ef7afec1e4305982f358aae930ea.exe
    description   ioc                                            process
    Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    2133ef7afec1e4305982f358aae930ea.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: 2133ef7afec1e4305982f358aae930ea.exe
    description        ioc                                                                   process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion       2133ef7afec1e4305982f358aae930ea.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion        2133ef7afec1e4305982f358aae930ea.exe
- Loads dropped DLL (1 IoC)
  Processes: 2133ef7afec1e4305982f358aae930ea.exe
    pid    process
    1060   2133ef7afec1e4305982f358aae930ea.exe
- Obfuscated with Agile.Net obfuscator (2 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/1060-54-0x00000000002A0000-0x0000000000BAA000-memory.dmp  agile_net
    behavioral1/memory/1060-66-0x000000001B970000-0x000000001B9F0000-memory.dmp  agile_net
- Themida packer (yara rule: themida)
  Processes:
    resource                                                                                              yara_rule
    \Users\Admin\AppData\Local\Temp\abc28e7a-8bf8-45ad-a83d-5c52b0c273f2\AgileDotNetRT64.dll              themida
    C:\Users\Admin\AppData\Local\Temp\abc28e7a-8bf8-45ad-a83d-5c52b0c273f2\AgileDotNetRT64.dll            themida
    behavioral1/memory/1060-62-0x000007FEF2DE0000-0x000007FEF363F000-memory.dmp                           themida
    behavioral1/memory/1060-63-0x000007FEF2DE0000-0x000007FEF363F000-memory.dmp                           themida
    behavioral1/memory/1060-65-0x000007FEF2DE0000-0x000007FEF363F000-memory.dmp                           themida
- Checks whether UAC is enabled
  Processes: 2133ef7afec1e4305982f358aae930ea.exe
    description        ioc                                                                               process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  2133ef7afec1e4305982f358aae930ea.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes: 2133ef7afec1e4305982f358aae930ea.exe
    pid    process
    1060   2133ef7afec1e4305982f358aae930ea.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
    pid    pid_target   process        target process
    1020   1060         WerFault.exe   2133ef7afec1e4305982f358aae930ea.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 2133ef7afec1e4305982f358aae930ea.exe
    description                      pid    process                                 target process
    PID 1060 wrote to memory of 1020 1060   2133ef7afec1e4305982f358aae930ea.exe    WerFault.exe
    PID 1060 wrote to memory of 1020 1060   2133ef7afec1e4305982f358aae930ea.exe    WerFault.exe
    PID 1060 wrote to memory of 1020 1060   2133ef7afec1e4305982f358aae930ea.exe    WerFault.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\2133ef7afec1e4305982f358aae930ea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2133ef7afec1e4305982f358aae930ea.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 1060 -s 616
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\abc28e7a-8bf8-45ad-a83d-5c52b0c273f2\AgileDotNetRT64.dll
  Filesize: 3.0MB
  MD5: e3bd88b3c3e9b33dfa72c814f8826cff
  SHA1: 6d220c9eb7ee695f2b9dec261941bed59cac15e4
  SHA256: 28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796
  SHA512: fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9
- \Users\Admin\AppData\Local\Temp\abc28e7a-8bf8-45ad-a83d-5c52b0c273f2\AgileDotNetRT64.dll
  Filesize: 3.0MB
  MD5: e3bd88b3c3e9b33dfa72c814f8826cff
  SHA1: 6d220c9eb7ee695f2b9dec261941bed59cac15e4
  SHA256: 28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796
  SHA512: fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9
- memory/1060-54-0x00000000002A0000-0x0000000000BAA000-memory.dmp
  Filesize: 9.0MB
- memory/1060-61-0x000000001B970000-0x000000001B9F0000-memory.dmp
  Filesize: 512KB
- memory/1060-62-0x000007FEF2DE0000-0x000007FEF363F000-memory.dmp
  Filesize: 8.4MB
- memory/1060-63-0x000007FEF2DE0000-0x000007FEF363F000-memory.dmp
  Filesize: 8.4MB
- memory/1060-64-0x000007FEF6760000-0x000007FEF688C000-memory.dmp
  Filesize: 1.2MB
- memory/1060-65-0x000007FEF2DE0000-0x000007FEF363F000-memory.dmp
  Filesize: 8.4MB
- memory/1060-66-0x000000001B970000-0x000000001B9F0000-memory.dmp
  Filesize: 512KB