Analysis Overview
SHA256
eeb187cdea92ed939a396ee999acfd756a09663dd8a7f444cdbf72d06b660815
Threat Level: Likely malicious
The file b4eca0c093be55ecd3e7ad17b5130e46 was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Loads dropped DLL
Checks BIOS information in registry
Obfuscated with Agile.Net obfuscator
Themida packer
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-05 14:26
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-05 14:26
Reported
2024-03-05 14:28
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
158s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe
"C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3512 -ip 3512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 992
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.234:443 | tcp | |
| US | 8.8.8.8:53 | 21.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.141.79.40.in-addr.arpa | udp |
Files
memory/3512-0-0x00000000003B0000-0x0000000000B42000-memory.dmp
memory/3512-1-0x0000000076150000-0x0000000076240000-memory.dmp
memory/3512-2-0x0000000076150000-0x0000000076240000-memory.dmp
memory/3512-3-0x0000000076150000-0x0000000076240000-memory.dmp
memory/3512-4-0x0000000076150000-0x0000000076240000-memory.dmp
memory/3512-6-0x0000000076150000-0x0000000076240000-memory.dmp
memory/3512-5-0x0000000076150000-0x0000000076240000-memory.dmp
memory/3512-7-0x00000000775C4000-0x00000000775C6000-memory.dmp
memory/3512-11-0x00000000003B0000-0x0000000000B42000-memory.dmp
memory/3512-12-0x00000000003B0000-0x0000000000B42000-memory.dmp
memory/3512-13-0x0000000005C60000-0x0000000006204000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\13f36763-6f3c-4d36-b875-4871599d9a06\AgileDotNetRT.dll
| MD5 | edd74be9723cdc6a5692954f0e51c9f3 |
| SHA1 | e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686 |
| SHA256 | 55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7 |
| SHA512 | 80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3 |
memory/3512-21-0x0000000072A80000-0x0000000072AA8000-memory.dmp
memory/3512-22-0x0000000073540000-0x00000000735C9000-memory.dmp
memory/3512-23-0x0000000006210000-0x00000000062A2000-memory.dmp
memory/3512-25-0x00000000003B0000-0x0000000000B42000-memory.dmp
memory/3512-26-0x0000000076150000-0x0000000076240000-memory.dmp
memory/3512-27-0x0000000076150000-0x0000000076240000-memory.dmp
memory/3512-28-0x0000000076150000-0x0000000076240000-memory.dmp
memory/3512-30-0x0000000076150000-0x0000000076240000-memory.dmp
memory/3512-31-0x00000000003B0000-0x0000000000B42000-memory.dmp
memory/3512-32-0x0000000072A80000-0x0000000072AA8000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-05 14:26
Reported
2024-03-05 14:28
Platform
win7-20240221-en
Max time kernel
142s
Max time network
123s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2812 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2812 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2812 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2812 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe
"C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 660
Network
Files
memory/2812-0-0x0000000000CC0000-0x0000000001452000-memory.dmp
memory/2812-1-0x0000000074D70000-0x0000000074E80000-memory.dmp
memory/2812-3-0x0000000074D70000-0x0000000074E80000-memory.dmp
memory/2812-4-0x0000000074D70000-0x0000000074E80000-memory.dmp
memory/2812-5-0x0000000074D70000-0x0000000074E80000-memory.dmp
memory/2812-9-0x0000000074D70000-0x0000000074E80000-memory.dmp
memory/2812-14-0x0000000074D70000-0x0000000074E80000-memory.dmp
memory/2812-16-0x0000000074D70000-0x0000000074E80000-memory.dmp
memory/2812-18-0x0000000077270000-0x0000000077272000-memory.dmp
memory/2812-17-0x0000000074D70000-0x0000000074E80000-memory.dmp
memory/2812-15-0x0000000074E80000-0x0000000074EC7000-memory.dmp
memory/2812-13-0x0000000074D70000-0x0000000074E80000-memory.dmp
memory/2812-11-0x0000000074D70000-0x0000000074E80000-memory.dmp
memory/2812-6-0x0000000074D70000-0x0000000074E80000-memory.dmp
memory/2812-20-0x0000000000CC0000-0x0000000001452000-memory.dmp
memory/2812-21-0x0000000000CC0000-0x0000000001452000-memory.dmp
memory/2812-19-0x0000000074280000-0x000000007496E000-memory.dmp
memory/2812-2-0x0000000074E80000-0x0000000074EC7000-memory.dmp
memory/2812-22-0x0000000000520000-0x0000000000560000-memory.dmp
\Users\Admin\AppData\Local\Temp\13f36763-6f3c-4d36-b875-4871599d9a06\AgileDotNetRT.dll
| MD5 | edd74be9723cdc6a5692954f0e51c9f3 |
| SHA1 | e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686 |
| SHA256 | 55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7 |
| SHA512 | 80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3 |
memory/2812-29-0x0000000074100000-0x0000000074180000-memory.dmp
memory/2812-30-0x0000000073F00000-0x0000000073F28000-memory.dmp
memory/2812-32-0x0000000000CC0000-0x0000000001452000-memory.dmp
memory/2812-33-0x0000000074E80000-0x0000000074EC7000-memory.dmp
memory/2812-34-0x0000000074D70000-0x0000000074E80000-memory.dmp
memory/2812-35-0x0000000074D70000-0x0000000074E80000-memory.dmp
memory/2812-36-0x0000000074D70000-0x0000000074E80000-memory.dmp
memory/2812-37-0x0000000074D70000-0x0000000074E80000-memory.dmp
memory/2812-38-0x0000000074D70000-0x0000000074E80000-memory.dmp
memory/2812-39-0x0000000074D70000-0x0000000074E80000-memory.dmp
memory/2812-40-0x0000000074D70000-0x0000000074E80000-memory.dmp
memory/2812-42-0x0000000074280000-0x000000007496E000-memory.dmp
memory/2812-43-0x0000000000520000-0x0000000000560000-memory.dmp