Analysis
Max time kernel: 142s
Max time network: 33s
Platform: windows7_x64
Resource: win7-20230705-en
Resource tags: arch:x64, arch:x86, image:win7-20230705-en, locale:en-us, os:windows7-x64, system
Submitted: 06/07/2023, 23:35
Behavioral task: behavioral1
Sample: Fast Ping.exe
Resource: win7-20230705-en
General
Target: Fast Ping.exe
Size: 15.5MB
MD5: 392b2d3744a116db898d26e01d48141d
SHA1: cb6277a90826411e188b73271634cafbd2646506
SHA256: da1555cad0d5e720a785aebf0fa343270663947a436b386b81982d34f0b96094
SHA512: 905b05ed4a7efe3c8db8a52a8091ef1f4ae810303d94b009a841dc0c471c83fddc1f1a7446c3342acf0755efcdd49a344931cdf85beaf66385348e2b2a1a4ae3
SSDEEP: 393216:mEw+Js1fGxg0Uo7yc2UYNOPLlPlzfwaH153xVu7vHhqBa4Cs:mExJS5EWLUYk5lzYaVpHCpqBa4C
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)   [2 TTPs, 1 IoC]
VBOX__ is the OEM ID VirtualBox writes into the guest's ACPI tables, which Windows exposes under HKLM\HARDWARE\ACPI. The key normally exists only inside a VirtualBox guest, so a successful open is a reliable VM fingerprint.
  Description   IoC                                           Process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   Fast Ping.exe

Checks BIOS information in registry   [2 TTPs, 2 IoCs]
BIOS information is often read in order to detect sandboxing environments: on most VMs the SystemBiosVersion and VideoBiosVersion strings carry the hypervisor vendor name. A single read of these values also occurs in benign software, so weigh it together with the ACPI check above rather than on its own.
  Description         IoC                                                                Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   Fast Ping.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    Fast Ping.exe

Loads dropped DLL   [1 IoC]
  PID    Process
  2144   Fast Ping.exe

Obfuscated with Agile.Net obfuscator   [1 IoC]
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Resource                                                                       YARA rule
  behavioral1/memory/2144-54-0x00000000011F0000-0x0000000002180000-memory.dmp   agile_net

Themida packer   [6 IoCs]
The themida YARA rule matched two dropped files and one loaded memory region of PID 2144 (the same 0x000007FEF29A0000-0x000007FEF31FF000 range at four points in time). Themida-protected code carries its own anti-debug and anti-VM checks, so some of the evasion behaviour recorded here may originate from the protector rather than from the author's code.
  Resource                                                                       YARA rule
  behavioral1/files/0x000a000000014fbb-58.dat                                    themida
  behavioral1/files/0x000a000000014fbb-60.dat                                    themida
  behavioral1/memory/2144-61-0x000007FEF29A0000-0x000007FEF31FF000-memory.dmp   themida
  behavioral1/memory/2144-63-0x000007FEF29A0000-0x000007FEF31FF000-memory.dmp   themida
  behavioral1/memory/2144-65-0x000007FEF29A0000-0x000007FEF31FF000-memory.dmp   themida
  behavioral1/memory/2144-75-0x000007FEF29A0000-0x000007FEF31FF000-memory.dmp   themida

Checks whether UAC is enabled   [1 IoC]
EnableLUA under Policies\System records whether UAC is on; a program reads it to learn whether elevation will prompt the user.
  Description         IoC                                                                                    Process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Fast Ping.exe

Suspicious use of NtSetInformationThreadHideFromDebugger   [1 IoC]
NtSetInformationThread with the ThreadHideFromDebugger class (0x11) stops the thread from delivering debug events to an attached debugger. It is a standard anti-debugging measure and one that commercial protectors such as Themida emit by default.
  PID    Process
  2144   Fast Ping.exe

Program crash   [1 IoC]
The sample crashed and Windows Error Reporting launched WerFault.exe against it.
  PID    PID target   Process        Procid target
  2280   2144         WerFault.exe   26

Suspicious use of WriteProcessMemory   [3 IoCs]
All three writes target PID 2280, the WerFault.exe instance spawned to handle the crash above. That is consistent with the normal Windows Error Reporting handoff between the faulting process and its crash handler, not with injection into an unrelated process.
  Description                        PID    Process         Procid target
  PID 2144 wrote to memory of 2280   2144   Fast Ping.exe   28
  PID 2144 wrote to memory of 2280   2144   Fast Ping.exe   28
  PID 2144 wrote to memory of 2280   2144   Fast Ping.exe   28
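The registry-based evasion signatures above are easy to hunt for outside the sandbox, because the same key paths show up in Sysmon registry events or in a report like this one. The following is an added example, not part of the original report or of any sandbox vendor's code: it normalises kernel-style (\REGISTRY\MACHINE\...) and Win32-style (HKEY_LOCAL_MACHINE\...) key paths to one form, matches them against the indicators listed above plus a few well-known VMware/VirtualBox artefacts, and flags a process that touches two or more distinct VM-fingerprint sources. The event tuple shape, the ATT&CK mapping (T1497.001 System Checks, T1548.002 Bypass User Account Control) and the two-source threshold are this example's own assumptions.

```python
"""Flag anti-VM / anti-sandbox registry accesses in registry-access events.

Added example; it is not part of the original sandbox report. The event shape
(operation, key path, process), the ATT&CK mapping and the verdict threshold
are this example's assumptions. The first two indicator paths and EnableLUA
are the ones the report lists; the others are well-known VM artefacts.
"""
import re
from collections import defaultdict

# (pattern applied to the normalised key path, label, ATT&CK technique)
ANTI_ANALYSIS_KEYS = [
    (r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", "VirtualBox ACPI table", "T1497.001"),
    (r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", "BIOS version string", "T1497.001"),
    (r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\System(Manufacturer|ProductName)$", "SMBIOS vendor string", "T1497.001"),
    (r"^HKLM\\SOFTWARE\\(Oracle\\VirtualBox Guest Additions|VMware, Inc\.\\VMware Tools)", "guest tools install key", "T1497.001"),
    (r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\Disk\\Enum", "virtual disk enumeration", "T1497.001"),
    (r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", "UAC enabled check", "T1548.002"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), label, ttp) for p, label, ttp in ANTI_ANALYSIS_KEYS]

# Kernel-style and Win32-style spellings of the same hive, mapped to one short
# form so a single pattern set covers sandbox reports and Sysmon events alike.
_HIVE_ALIASES = [
    (re.compile(r"^\\REGISTRY\\MACHINE", re.I), "HKLM"),
    (re.compile(r"^HKEY_LOCAL_MACHINE", re.I), "HKLM"),
    (re.compile(r"^\\REGISTRY\\USER", re.I), "HKU"),
    (re.compile(r"^HKEY_USERS", re.I), "HKU"),
]


def normalise_key(path: str) -> str:
    """Strip whitespace and trailing separators, then rewrite the hive prefix."""
    path = path.strip().rstrip("\\")
    for pat, short in _HIVE_ALIASES:
        path, n = pat.subn(short, path, count=1)
        if n:
            break
    return path


def classify_events(events):
    """events: iterable of (operation, key_path, process).
    Returns one finding dict per event that hits an indicator; benign accesses are dropped."""
    findings = []
    for op, key, proc in events:
        norm = normalise_key(key)
        for pat, label, ttp in COMPILED:
            if pat.search(norm):
                findings.append({"process": proc, "operation": op, "key": norm,
                                 "label": label, "technique": ttp})
                break
    return findings


def verdict(findings, min_distinct=2):
    """Per process: True when at least `min_distinct` different VM-fingerprint
    sources were read. A lone BIOS read is common in benign code, so one source
    alone is not enough to call it a sandbox check (assumed threshold)."""
    per_proc = defaultdict(set)
    for f in findings:
        if f["technique"].startswith("T1497"):
            per_proc[f["process"]].add(f["label"])
    return {proc: len(labels) >= min_distinct for proc, labels in per_proc.items()}


# Constructed sample: the accesses the report attributes to Fast Ping.exe, plus a
# benign explorer.exe access (Win32-style path) that must not be flagged.
SAMPLE_EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", "Fast Ping.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "Fast Ping.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", "Fast Ping.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "Fast Ping.exe"),
    ("Key value queried", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "explorer.exe"),
]

if __name__ == "__main__":
    hits = classify_events(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["process"]:14} {h["technique"]:10} {h["label"]:26} {h["key"]}')
    print(verdict(hits))
```

Run against the constructed events, the four Fast Ping.exe accesses are reported and explorer.exe is not; the verdict for Fast Ping.exe is True because it read two distinct fingerprint sources (the ACPI table name and the BIOS version strings). Feeding it Sysmon Event ID 12/13 TargetObject values works without changes because of the hive normalisation.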
Processes

1. C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe   (PID 2144)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Loads dropped DLL
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\WerFault.exe   (PID 2280, child of PID 2144)
      Command line: C:\Windows\system32\WerFault.exe -u -p 2144 -s 620
      - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1
  Filesize: 3.0MB
  MD5: e3bd88b3c3e9b33dfa72c814f8826cff
  SHA1: 6d220c9eb7ee695f2b9dec261941bed59cac15e4
  SHA256: 28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796
  SHA512: fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9

File 2
  Filesize: 3.0MB
  Identical content to file 1 (same MD5, SHA1, SHA256 and SHA512).