f8b2a71a34172076cc65f15d14ed43099a1ddf0a294ffe34c6004ae430a10317

General

Target

Installer.exe
Size

327.7MB
MD5

7e25fdb1932480e3e6ec31b22d08c19e
SHA1

0dfca2e6c1c89b1e85fdbb9da31a93964db7b826
SHA256

fbef401c6a7ad24640f6b6583aa0d0fa02aa895c47ab08e68b0e6e312d1b42a5
SHA512

2bb81a8ddda7ef4bbc9508c7c80f56b5a00215674ad38e442937c42a2ecdf4e827b906b97bf63c67c36dd0a7ef78d2c6b5b6202d96516ece8b5d2dbd355f8326
SSDEEP

196608:99GeDVI5DKBWZlkgJedYs6LtYdEhqTgKDf:9kYVI5DK2NNs6LtYdEhSpz

Score

9^/10

Malware Config

Signatures

Detects executables packed with Agile.NET / CliSecure 6 IoCs

resource	yara_rule
behavioral1/memory/2508-1-0x0000000000DF0000-0x0000000001DF0000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/files/0x0009000000016332-6.dat	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/files/0x0009000000016332-8.dat	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2508-9-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2508-11-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet
behavioral1/memory/2508-22-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp	INDICATOR_EXE_Packed_AgileDotNet

Detects executables packed with Themida 5 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016332-6.dat	INDICATOR_EXE_Packed_Themida
behavioral1/files/0x0009000000016332-8.dat	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2508-9-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2508-11-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2508-22-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp	INDICATOR_EXE_Packed_Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Installer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Installer.exe

Loads dropped DLL 1 IoCs

pid	Process
2508	Installer.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/2508-1-0x0000000000DF0000-0x0000000001DF0000-memory.dmp	agile_net

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0009000000016332-6.dat	themida
behavioral1/files/0x0009000000016332-8.dat	themida
behavioral1/memory/2508-9-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp	themida
behavioral1/memory/2508-11-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp	themida
behavioral1/memory/2508-22-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Installer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2164	2508	Installer.exe	28
PID 2508 wrote to memory of 2164	2508	Installer.exe	28
PID 2508 wrote to memory of 2164	2508	Installer.exe	28

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2508 -s 1072
  2⤵
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0b881921-3d0c-4e45-bfb6-1e275b7d6fb1\AgileDotNetRT64.dll

Filesize
4KB

MD5
daaef488a8bedc6139adac82202dce09

SHA1
86a50377f45cfb8e4d40009b4cc0de62a0720cb4

SHA256
d1e24a3dfd7b83c49e357e910294ad0a6e63a3807dbdfe25527d99889177c51b

SHA512
0e380043918e7697bf13ef8f3e2ca091a1e290dd237acbc5689271eb380e3ea76d14e9f2327f2e487bf2b5d59931cad4ecf3fa92f6509253f3a3a0b593613490

Download Submit
\Users\Admin\AppData\Local\Temp\0b881921-3d0c-4e45-bfb6-1e275b7d6fb1\AgileDotNetRT64.dll

Filesize
129KB

MD5
359aaf8cfe3000e8f9611df7060de931

SHA1
5157e2b29cb9bd7b7ff1e730e8c9cd6064ea0679

SHA256
44366da583e7bbb75b7198479b7545a08f8eb496a1cb0a7ba6c221fbd5a3f36e

SHA512
1ebd652f28a589450f050e936b6e3089a92a8998cf4645744d6f73c8b2e1b2fdefe3a743b61106e1fbd63a024b044775b20a6c6854feec089ea5554c857a5df1

Download Submit
memory/2508-0-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-1-0x0000000000DF0000-0x0000000001DF0000-memory.dmp

Filesize
16.0MB

Download
memory/2508-2-0x000000002F730000-0x000000002F7B0000-memory.dmp

Filesize
512KB

Download
memory/2508-9-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp

Filesize
7.7MB

Download
memory/2508-11-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp

Filesize
7.7MB

Download
memory/2508-21-0x000007FEF3A00000-0x000007FEF3B2C000-memory.dmp

Filesize
1.2MB

Download
memory/2508-22-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp

Filesize
7.7MB

Download
memory/2508-24-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-25-0x000000002F730000-0x000000002F7B0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads