Analysis
max time kernel: 106s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/10/2023, 11:32
Behavioral task: behavioral1
Sample: SirHurt V4.exe
Resource: win7-20230831-en
General
Target: SirHurt V4.exe
Size: 10.8MB
MD5: 7c3571a7144ec0c26d3a9d79372fff35
SHA1: 3296d8dce9241321c67a16345c58258d53aa5853
SHA256: 22e8e3d7e060d661f3d7aa3a8c1161c79ae82da32cee3b8c2c9786fb2e850da1
SHA512: 50a94bb2cef96f31c3be268ba5680f24a94759279ac586f322fe2efb064f5fc2801dbd44735b22908b6f5f0752b9b2b67e3cbba52dda3a3f6279bb221ca2e5af
SSDEEP: 196608:P8LSXPcSJFDBB7XDx0YVtL4Y4KPXulDpCiC1iGxukZw3SKVr8XGm:ThTXt0YV14kW1GiG1ZwCKOG
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | SirHurt V4.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SirHurt V4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | SirHurt V4.exe
Obfuscated with Agile.Net obfuscator 5 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral2/memory/880-17-0x0000000006360000-0x000000000636E000-memory.dmp | agile_net
behavioral2/memory/880-18-0x0000000006390000-0x00000000063F6000-memory.dmp | agile_net
behavioral2/memory/880-19-0x0000000006410000-0x00000000064CA000-memory.dmp | agile_net
behavioral2/memory/880-20-0x00000000064D0000-0x00000000064DE000-memory.dmp | agile_net
behavioral2/memory/880-25-0x0000000008F30000-0x00000000091BE000-memory.dmp | agile_net
Packed with Themida 3 IoCs
Three dumps of the same memory region (0x0000000000400000-0x000000000144E000, taken at three points in the run) match the themida yara rule.
resource | yara_rule
behavioral2/memory/880-12-0x0000000000400000-0x000000000144E000-memory.dmp | themida
behavioral2/memory/880-13-0x0000000000400000-0x000000000144E000-memory.dmp | themida
behavioral2/memory/880-43-0x0000000000400000-0x000000000144E000-memory.dmp | themida
Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SirHurt V4.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
880 | SirHurt V4.exe
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid | Process
880 | SirHurt V4.exe (24 identical entries)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 880 | SirHurt V4.exe
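The four registry reads listed in the signatures above (the VBOX__ ACPI table name, the two BIOS version strings, and EnableLUA) are the sample's whole sandbox/VM fingerprinting surface as the report records it. As an added example, not part of the report and not the sandbox's own detection logic, the following Python script takes registry-access events in the same action/key/value shape as the rows above, normalizes the native \REGISTRY\MACHINE\ paths to HKLM\, maps each read to the check it implements, and flags whether the value handed back would have told the sample it is running under a hypervisor. The event values, the benign ProductName row and the ATT&CK technique IDs are my own constructed inputs and assumptions; the report shows no values and lists no technique IDs.

```python
import re
from collections import Counter

# Constructed telemetry in the shape of the report's signature rows:
# (action, registry key, value returned). The values are made up here to
# illustrate the second half of the check; the report itself shows no values.
SAMPLE_EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", None),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "VBOX   - 1"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", "Oracle VM VirtualBox Version 6.1.0"),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "1"),
    # benign noise that must not match
    ("Key value queried", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName", "Windows 10 Pro"),
]

# (pattern over the normalized HKLM\ path, what the read is for, ATT&CK ID).
# The ATT&CK mapping is my own assumption; the report does not list technique IDs.
RULES = [
    (re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I),
     "anti-VM: VirtualBox ACPI table OEM ID", "T1497.001"),
    (re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
     "anti-sandbox: BIOS version string", "T1497.001"),
    (re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", re.I),
     "environment check: UAC enabled?", "T1082"),
]

# Substrings that, in a BIOS/ACPI value, identify a hypervisor to the sample.
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "HYPER-V", "PARALLELS", "BOCHS")


def normalize(path: str) -> str:
    """Map native NT paths (as sandboxes log them) and HKEY_LOCAL_MACHINE onto HKLM."""
    path = path.strip().rstrip("\\")
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    path = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", path, flags=re.I)
    return path


def classify(path: str):
    """Return (label, technique) for a known evasion/discovery key, else None."""
    p = normalize(path)
    for pattern, label, technique in RULES:
        if pattern.match(p):
            return label, technique
    return None


def value_reveals_vm(value) -> bool:
    """True if the value handed back to the sample names a hypervisor vendor."""
    if value is None:
        return False
    v = value.upper()
    return any(marker in v for marker in VM_MARKERS)


def evaluate(events):
    """Score a list of (action, key, value) events for sandbox/VM fingerprinting."""
    hits = []
    for action, key, value in events:
        result = classify(key)
        if result is None:
            continue
        label, technique = result
        hits.append({
            "action": action,
            "key": normalize(key),
            "label": label,
            "technique": technique,
            "vm_visible": value_reveals_vm(value),
        })
    techniques = Counter(h["technique"] for h in hits)
    return {
        "hits": hits,
        "techniques": dict(techniques),
        # one VM/sandbox probe is enough to call the sample evasive
        "evasive": "T1497.001" in techniques,
        # did any answer expose the hypervisor, i.e. would the check have succeeded?
        "vm_visible_to_sample": any(h["vm_visible"] for h in hits),
    }


if __name__ == "__main__":
    report = evaluate(SAMPLE_EVENTS)
    for h in report["hits"]:
        print(f'{h["technique"]}  {h["label"]:<40} {h["key"]}  vm_visible={h["vm_visible"]}')
    print("evasive:", report["evasive"], "| hypervisor visible:", report["vm_visible_to_sample"])
```

The "Key opened" row for VBOX__ has no value to inspect: on a VirtualBox guest the key's mere existence answers the question, so an analyst replaying this sample outside a sandbox should expect it to succeed there unless the ACPI table names have been patched. The normalization step matters because sandbox reports log native NT paths while host telemetry such as Sysmon logs HKLM\ paths; a rule written against only one form silently misses the other.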
Processes
-
C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 880
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 284B
MD5: 12bacf75586ab89c0bd95659e7ec2e82
SHA1: 3592b4ba99a1b077e2bf4d6e441fa87a53c9ad7d
SHA256: ac6370319f1406e71b40464a12dc295745dd590c740527ccadafc71eb0d556f2
SHA512: 869ba0c24e54ae753007ac7330e51ae8e0663507b1151c95578e0cb700a37ab89f5ea270a83c63977461a4f9e9f57b4166a826ce2fdda054e162cb847bece27c