Analysis
max time kernel: 152s
max time network: 129s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 15/07/2023, 18:50
Behavioral task: behavioral1
Sample: Hype Regedit.exe
Resource: win7-20230712-en
General
Target: Hype Regedit.exe
Size: 171.7MB
MD5: da1cdcc5ab856cca418521fbc589afba
SHA1: 0f76841091b15367b0252de66d6d2b5ca3302c0e
SHA256: 03352db4ea4b1c233237b5124f6b3f0c70c35975057e226469a8d8e0751e5e1e
SHA512: d211d7188dd6f3b1d57aa79fb79ac1076bfbf306b0bf8500d222b66ab3c24acc76b6cc84df16fd7b2d85c6ac65a90494dd232c6f928c567a313b305184de272b
SSDEEP: 786432:k61g2uzRp21g2uzRxDWRO6tvUmYE84cfvSW6YMGPX7WP6/pI+RW/IE8mtDSGOH9g:k66e6TkUmVciJ6hDJEdSNFPgVz06TJ
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 1 IoC
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | vpxiis.exe

Checks BIOS information in registry | 2 TTPs | 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | vpxiis.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | vpxiis.exe

Executes dropped EXE | 3 IoCs
pid | Process
2664 | pnl.exe
2404 | dowb.exe
976 | vpxiis.exe

Loads dropped DLL | 8 IoCs
pid | Process
2928 | Hype Regedit.exe (3 entries)
3040 | WerFault.exe (5 entries)

Obfuscated with Agile.Net obfuscator | 1 IoC
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral1/memory/2928-55-0x0000000001240000-0x0000000002240000-memory.dmp | agile_net

resource | yara_rule
behavioral1/files/0x00090000000120d1-80.dat | themida
behavioral1/files/0x00090000000120d1-83.dat | themida
behavioral1/memory/976-101-0x0000000000D20000-0x0000000001C34000-memory.dmp | themida
behavioral1/memory/976-100-0x0000000000D20000-0x0000000001C34000-memory.dmp | themida

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vpxiis.exe

Suspicious use of NtSetInformationThreadHideFromDebugger | 1 IoC
pid | Process
976 | vpxiis.exe

Enumerates physical storage devices | 1 TTP
Attempts to interact with connected storage/optical drive(s).

Program crash | 1 IoC
pid | pid_target | Process | procid_target
3040 | 2664 | WerFault.exe | 29

Suspicious behavior: EnumeratesProcesses | 64 IoCs
pid | Process
2664 | pnl.exe (3 entries)
2404 | dowb.exe (61 entries)

Suspicious use of AdjustPrivilegeToken | 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2928 | Hype Regedit.exe
Token: SeDebugPrivilege | 2664 | pnl.exe
Token: SeDebugPrivilege | 2404 | dowb.exe
Token: SeDebugPrivilege | 976 | vpxiis.exe

Suspicious use of WriteProcessMemory | 64 IoCs
description | pid | Process | procid_target (each of the 16 distinct rows below is logged 4 times in the report)
PID 2928 wrote to memory of 2664 | 2928 | Hype Regedit.exe | 29
PID 2928 wrote to memory of 2404 | 2928 | Hype Regedit.exe | 30
PID 2928 wrote to memory of 976 | 2928 | Hype Regedit.exe | 31
PID 2664 wrote to memory of 3040 | 2664 | pnl.exe | 32
PID 976 wrote to memory of 1124 | 976 | vpxiis.exe | 33
PID 976 wrote to memory of 1900 | 976 | vpxiis.exe | 37
PID 976 wrote to memory of 3020 | 976 | vpxiis.exe | 39
PID 976 wrote to memory of 1596 | 976 | vpxiis.exe | 41
PID 976 wrote to memory of 1080 | 976 | vpxiis.exe | 43
PID 976 wrote to memory of 788 | 976 | vpxiis.exe | 45
PID 976 wrote to memory of 1964 | 976 | vpxiis.exe | 47
PID 976 wrote to memory of 2452 | 976 | vpxiis.exe | 49
PID 976 wrote to memory of 1984 | 976 | vpxiis.exe | 51
PID 976 wrote to memory of 1680 | 976 | vpxiis.exe | 53
PID 976 wrote to memory of 332 | 976 | vpxiis.exe | 55
PID 976 wrote to memory of 436 | 976 | vpxiis.exe | 57
Processes

"C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe" (level 1, PID 2928)
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  "C:\Windows\Temp\pnl.exe" (level 2, PID 2664, parent 2928)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 692 (level 3, PID 3040, parent 2664)
    - Loads dropped DLL
    - Program crash

  "C:\Windows\Temp\dowb.exe" (level 2, PID 2404, parent 2928)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  "C:\Windows\Temp\vpxiis.exe" (level 2, PID 976, parent 2928)
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    "C:\Windows\System32\arp.exe" -a (level 3, parent 976), 47 separate instances with no signatures. The image path recorded for each is C:\Windows\SysWOW64\arp.exe: the 32-bit parent's System32 path is redirected to SysWOW64 by WOW64 file-system redirection.
    PIDs: 1124, 1900, 3020, 1596, 1080, 788, 1964, 2452, 1984, 1680, 332, 436, 1656, 1132, 1360, 1600, 2880, 1652, 1884, 896, 1444, 2076, 2260, 2412, 2196, 1736, 972, 2180, 1744, 2456, 2992, 948, 2816, 2688, 740, 2476, 2812, 2692, 1564, 1480, 2980, 340, 1876, 1928, 2856, 2840, 1724
Network
MITRE ATT&CK Enterprise v6
Downloads