Analysis Overview
SHA256
da1555cad0d5e720a785aebf0fa343270663947a436b386b81982d34f0b96094
Threat Level: Likely malicious
The file Fast Ping.exe was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Loads dropped DLL
Checks BIOS information in registry
Obfuscated with Agile.Net obfuscator
Themida packer
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-06 23:36
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-06 23:35
Reported
2023-07-06 23:38
Platform
win7-20230705-en
Max time kernel
142s
Max time network
33s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2144 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | C:\Windows\system32\WerFault.exe |
| PID 2144 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | C:\Windows\system32\WerFault.exe |
| PID 2144 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe
"C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2144 -s 620
Network
Files
memory/2144-54-0x00000000011F0000-0x0000000002180000-memory.dmp
\Users\Admin\AppData\Local\Temp\3e74ba8d-5406-4cb9-af74-f8c58cd602e5\AgileDotNetRT64.dll
| MD5 | e3bd88b3c3e9b33dfa72c814f8826cff |
| SHA1 | 6d220c9eb7ee695f2b9dec261941bed59cac15e4 |
| SHA256 | 28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796 |
| SHA512 | fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-06 23:35
Reported
2023-07-06 23:38
Platform
win10v2004-20230703-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe
"C:\Users\Admin\AppData\Local\Temp\Fast Ping.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4376 -ip 4376
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4376 -s 880
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.151.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.17.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.140.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| US | 92.123.26.208:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 208.26.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
memory/4376-133-0x000001C6F72E0000-0x000001C6F8270000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3e74ba8d-5406-4cb9-af74-f8c58cd602e5\AgileDotNetRT64.dll
| MD5 | e3bd88b3c3e9b33dfa72c814f8826cff |
| SHA1 | 6d220c9eb7ee695f2b9dec261941bed59cac15e4 |
| SHA256 | 28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796 |
| SHA512 | fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9 |