Malware Analysis Report

2024-11-30 19:21

Sample ID: 240305-rrxwcahg92
Target: b4eca0c093be55ecd3e7ad17b5130e46
SHA256: eeb187cdea92ed939a396ee999acfd756a09663dd8a7f444cdbf72d06b660815
Tags: agilenet evasion themida trojan
Score: 9/10

Analysis Overview

Score: 9/10

SHA256: eeb187cdea92ed939a396ee999acfd756a09663dd8a7f444cdbf72d06b660815

Threat Level: Likely malicious

The file b4eca0c093be55ecd3e7ad17b5130e46 was found to be: Likely malicious.

Malicious Activity Summary

Tags: agilenet evasion themida trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Loads dropped DLL

Checks BIOS information in registry

Obfuscated with Agile.Net obfuscator

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-05 14:26

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-05 14:26

Reported: 2024-03-05 14:28

Platform: win10v2004-20240226-en

Max time kernel: 149s

Max time network: 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description: Key opened
Indicator: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Process: C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe
Target: N/A

Checks BIOS information in registry

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Process: C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Process: C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe
Target: N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe
Target: N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe

"C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3512 -ip 3512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

Network


Files


C:\Users\Admin\AppData\Local\Temp\13f36763-6f3c-4d36-b875-4871599d9a06\AgileDotNetRT.dll

MD5 edd74be9723cdc6a5692954f0e51c9f3
SHA1 e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686
SHA256 55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7
SHA512 80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3


Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-05 14:26

Reported: 2024-03-05 14:28

Platform: win7-20240221-en

Max time kernel: 142s

Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description: Key opened
Indicator: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Process: C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe
Target: N/A

Checks BIOS information in registry

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Process: C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Process: C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe
Target: N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe
Target: N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe

"C:\Users\Admin\AppData\Local\Temp\b4eca0c093be55ecd3e7ad17b5130e46.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 660

Network

N/A

Files


\Users\Admin\AppData\Local\Temp\13f36763-6f3c-4d36-b875-4871599d9a06\AgileDotNetRT.dll

MD5 edd74be9723cdc6a5692954f0e51c9f3
SHA1 e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686
SHA256 55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7
SHA512 80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3
