Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29-02-2024 22:47
Behavioral task
behavioral1
Sample
Guna.UI.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Guna.UI.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Guna.UI2.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Guna.UI2.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
Onyx Free Crypter.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
Onyx Free Crypter.exe
Resource
win10v2004-20240226-en
General
-
Target
Onyx Free Crypter.exe
-
Size
4.6MB
-
MD5
0639440ebf99e58c833be2870e4259b0
-
SHA1
afbfeb6cce8b5710ddbf227f31e386ccc9c3b669
-
SHA256
f28df7a1b0093d68e0230388c11bab5bf87ba5efc979f1a6a717f2e92d470443
-
SHA512
3a559375273344fccc7e4cdd7ebda4eb3df439a63944208352792dc09bb478a68ec8c4a381141887e06eb0fea6dc9f88c8722f0764803f56a09d131ff31bc26b
-
SSDEEP
98304:8b0dJK6mzAKcsfyllmpSzvyAKrtvCFbLADJyaWoKuxG/:hdJK69llcpSpKrMF3QG
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
Onyx Free Crypter.exepid Process 1364 Onyx Free Crypter.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule behavioral6/memory/1364-10-0x000000000BF70000-0x000000000C1BC000-memory.dmp agile_net -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Modifies registry class 1 IoCs
Processes:
taskmgr.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes:
taskmgr.exepid Process 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
taskmgr.exeOnyx Free Crypter.exedescription pid Process Token: SeDebugPrivilege 3956 taskmgr.exe Token: SeSystemProfilePrivilege 3956 taskmgr.exe Token: SeCreateGlobalPrivilege 3956 taskmgr.exe Token: SeDebugPrivilege 1364 Onyx Free Crypter.exe Token: 33 3956 taskmgr.exe Token: SeIncBasePriorityPrivilege 3956 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
taskmgr.exepid Process 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exepid Process 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe 3956 taskmgr.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
Onyx Free Crypter.exepid Process 1364 Onyx Free Crypter.exe 1364 Onyx Free Crypter.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Onyx Free Crypter.exe"C:\Users\Admin\AppData\Local\Temp\Onyx Free Crypter.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1364
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3956
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3592 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:81⤵PID:1384
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4984
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136KB
MD59af5eb006bb0bab7f226272d82c896c7
SHA1c2a5bb42a5f08f4dc821be374b700652262308f0
SHA25677dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
SHA5127badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a