6b16ad761c2320e8fc0d1b12263b3b2b54436a95eec14e8671047f7cb4188926

General

Target

2133ef7afec1e4305982f358aae930ea.exe
Size

9.0MB
MD5

2133ef7afec1e4305982f358aae930ea
SHA1

91e079cf85784db58cb9f540b05718ba08dd9745
SHA256

6b16ad761c2320e8fc0d1b12263b3b2b54436a95eec14e8671047f7cb4188926
SHA512

32a7975d6498308d4b998604ba4c659d5b406a3ccbce0500ebaf41a749d647e58676c0b9314f2379b5615a3f9ea65dd0ed3b5eae38f4ec35bbe8556eebdaa92e
SSDEEP

196608:teEgBaHepmiOPwky+owy/rg53HRVu7vHDpS1IqBRU7kCs2q:tUBMDoky+oxc53xVu7vHhqBa4Cs

Score

9^/10

agilenet evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

2133ef7afec1e4305982f358aae930ea.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2133ef7afec1e4305982f358aae930ea.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2133ef7afec1e4305982f358aae930ea.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2133ef7afec1e4305982f358aae930ea.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2133ef7afec1e4305982f358aae930ea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2133ef7afec1e4305982f358aae930ea.exe

Loads dropped DLL 1 IoCs

Processes:

2133ef7afec1e4305982f358aae930ea.exe

pid process

1060 2133ef7afec1e4305982f358aae930ea.exe

pid	process
1060	2133ef7afec1e4305982f358aae930ea.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1060-54-0x00000000002A0000-0x0000000000BAA000-memory.dmp	agile_net
behavioral1/memory/1060-66-0x000000001B970000-0x000000001B9F0000-memory.dmp	agile_net

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\abc28e7a-8bf8-45ad-a83d-5c52b0c273f2\AgileDotNetRT64.dll	themida
C:\Users\Admin\AppData\Local\Temp\abc28e7a-8bf8-45ad-a83d-5c52b0c273f2\AgileDotNetRT64.dll	themida
behavioral1/memory/1060-62-0x000007FEF2DE0000-0x000007FEF363F000-memory.dmp	themida
behavioral1/memory/1060-63-0x000007FEF2DE0000-0x000007FEF363F000-memory.dmp	themida
behavioral1/memory/1060-65-0x000007FEF2DE0000-0x000007FEF363F000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

2133ef7afec1e4305982f358aae930ea.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2133ef7afec1e4305982f358aae930ea.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

2133ef7afec1e4305982f358aae930ea.exe

pid process

1060 2133ef7afec1e4305982f358aae930ea.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1020 1060 WerFault.exe 2133ef7afec1e4305982f358aae930ea.exe

pid	process
1060	2133ef7afec1e4305982f358aae930ea.exe

pid	pid_target	process	target process
1020	1060	WerFault.exe	2133ef7afec1e4305982f358aae930ea.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2133ef7afec1e4305982f358aae930ea.exe

description	pid	process	target process
PID 1060 wrote to memory of 1020	1060	2133ef7afec1e4305982f358aae930ea.exe	WerFault.exe
PID 1060 wrote to memory of 1020	1060	2133ef7afec1e4305982f358aae930ea.exe	WerFault.exe
PID 1060 wrote to memory of 1020	1060	2133ef7afec1e4305982f358aae930ea.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\2133ef7afec1e4305982f358aae930ea.exe
"C:\Users\Admin\AppData\Local\Temp\2133ef7afec1e4305982f358aae930ea.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1060 -s 616
2⤵
- Program crash
PID:1020

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\abc28e7a-8bf8-45ad-a83d-5c52b0c273f2\AgileDotNetRT64.dll
Filesize
3.0MB

MD5
e3bd88b3c3e9b33dfa72c814f8826cff

SHA1
6d220c9eb7ee695f2b9dec261941bed59cac15e4

SHA256
28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796

SHA512
fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9

Download Submit
\Users\Admin\AppData\Local\Temp\abc28e7a-8bf8-45ad-a83d-5c52b0c273f2\AgileDotNetRT64.dll
Filesize
3.0MB

MD5
e3bd88b3c3e9b33dfa72c814f8826cff

SHA1
6d220c9eb7ee695f2b9dec261941bed59cac15e4

SHA256
28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796

SHA512
fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9

Download Submit
memory/1060-54-0x00000000002A0000-0x0000000000BAA000-memory.dmp

Filesize
9.0MB

Download
memory/1060-61-0x000000001B970000-0x000000001B9F0000-memory.dmp

Filesize
512KB

Download
memory/1060-62-0x000007FEF2DE0000-0x000007FEF363F000-memory.dmp

Filesize
8.4MB

Download
memory/1060-63-0x000007FEF2DE0000-0x000007FEF363F000-memory.dmp

Filesize
8.4MB

Download
memory/1060-64-0x000007FEF6760000-0x000007FEF688C000-memory.dmp

Filesize
1.2MB

Download
memory/1060-65-0x000007FEF2DE0000-0x000007FEF363F000-memory.dmp

Filesize
8.4MB

Download
memory/1060-66-0x000000001B970000-0x000000001B9F0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads