Analysis
max time kernel: 38s
max time network: 19s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 10/10/2023, 11:32
Behavioral task: behavioral1
Sample: SirHurt V4.exe
Resource: win7-20230831-en
8 signatures
120 seconds
General
Target: SirHurt V4.exe
Size: 10.8MB
MD5: 7c3571a7144ec0c26d3a9d79372fff35
SHA1: 3296d8dce9241321c67a16345c58258d53aa5853
SHA256: 22e8e3d7e060d661f3d7aa3a8c1161c79ae82da32cee3b8c2c9786fb2e850da1
SHA512: 50a94bb2cef96f31c3be268ba5680f24a94759279ac586f322fe2efb064f5fc2801dbd44735b22908b6f5f0752b9b2b67e3cbba52dda3a3f6279bb221ca2e5af
SSDEEP: 196608:P8LSXPcSJFDBB7XDx0YVtL4Y4KPXulDpCiC1iGxukZw3SKVr8XGm:ThTXt0YV14kW1GiG1ZwCKOG
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description    ioc                                           Process
Key opened     \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   SirHurt V4.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description         ioc                                                               Process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   SirHurt V4.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    SirHurt V4.exe
Obfuscated with Agile.Net obfuscator 5 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource                                                                        yara_rule
behavioral1/memory/2988-20-0x00000000017D0000-0x00000000017DE000-memory.dmp     agile_net
behavioral1/memory/2988-21-0x0000000005650000-0x00000000056B6000-memory.dmp     agile_net
behavioral1/memory/2988-22-0x0000000005A40000-0x0000000005AFA000-memory.dmp     agile_net
behavioral1/memory/2988-23-0x00000000031A0000-0x00000000031AE000-memory.dmp     agile_net
behavioral1/memory/2988-28-0x0000000008CC0000-0x0000000008F4E000-memory.dmp     agile_net
resource                                                                        yara_rule
behavioral1/memory/2988-16-0x0000000000400000-0x000000000144E000-memory.dmp     themida
behavioral1/memory/2988-18-0x0000000000400000-0x000000000144E000-memory.dmp     themida
behavioral1/memory/2988-51-0x0000000000400000-0x000000000144E000-memory.dmp     themida
Checks whether UAC is enabled
description         ioc                                                                              Process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   SirHurt V4.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid    Process
2988   SirHurt V4.exe
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid    Process
2988   SirHurt V4.exe   (23 identical entries)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description               pid    Process
Token: SeDebugPrivilege   2988   SirHurt V4.exe
Processes
C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2988