Analysis

  • max time kernel
    145s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/03/2024, 02:43

General

  • Target

    Installer.exe

  • Size

    327.7MB

  • MD5

    7e25fdb1932480e3e6ec31b22d08c19e

  • SHA1

    0dfca2e6c1c89b1e85fdbb9da31a93964db7b826

  • SHA256

    fbef401c6a7ad24640f6b6583aa0d0fa02aa895c47ab08e68b0e6e312d1b42a5

  • SHA512

    2bb81a8ddda7ef4bbc9508c7c80f56b5a00215674ad38e442937c42a2ecdf4e827b906b97bf63c67c36dd0a7ef78d2c6b5b6202d96516ece8b5d2dbd355f8326

  • SSDEEP

    196608:99GeDVI5DKBWZlkgJedYs6LtYdEhqTgKDf:9kYVI5DK2NNs6LtYdEhSpz

Malware Config

Signatures

  • Detects executables packed with Agile.NET / CliSecure 6 IoCs
  • Detects executables packed with Themida 5 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2508 -s 1072
      2⤵
        PID:2164

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\0b881921-3d0c-4e45-bfb6-1e275b7d6fb1\AgileDotNetRT64.dll

      Filesize

      4KB

      MD5

      daaef488a8bedc6139adac82202dce09

      SHA1

      86a50377f45cfb8e4d40009b4cc0de62a0720cb4

      SHA256

      d1e24a3dfd7b83c49e357e910294ad0a6e63a3807dbdfe25527d99889177c51b

      SHA512

      0e380043918e7697bf13ef8f3e2ca091a1e290dd237acbc5689271eb380e3ea76d14e9f2327f2e487bf2b5d59931cad4ecf3fa92f6509253f3a3a0b593613490

    • \Users\Admin\AppData\Local\Temp\0b881921-3d0c-4e45-bfb6-1e275b7d6fb1\AgileDotNetRT64.dll

      Filesize

      129KB

      MD5

      359aaf8cfe3000e8f9611df7060de931

      SHA1

      5157e2b29cb9bd7b7ff1e730e8c9cd6064ea0679

      SHA256

      44366da583e7bbb75b7198479b7545a08f8eb496a1cb0a7ba6c221fbd5a3f36e

      SHA512

      1ebd652f28a589450f050e936b6e3089a92a8998cf4645744d6f73c8b2e1b2fdefe3a743b61106e1fbd63a024b044775b20a6c6854feec089ea5554c857a5df1

    • memory/2508-0-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

      Filesize

      9.9MB

    • memory/2508-1-0x0000000000DF0000-0x0000000001DF0000-memory.dmp

      Filesize

      16.0MB

    • memory/2508-2-0x000000002F730000-0x000000002F7B0000-memory.dmp

      Filesize

      512KB

    • memory/2508-9-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp

      Filesize

      7.7MB

    • memory/2508-11-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp

      Filesize

      7.7MB

    • memory/2508-21-0x000007FEF3A00000-0x000007FEF3B2C000-memory.dmp

      Filesize

      1.2MB

    • memory/2508-22-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp

      Filesize

      7.7MB

    • memory/2508-24-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

      Filesize

      9.9MB

    • memory/2508-25-0x000000002F730000-0x000000002F7B0000-memory.dmp

      Filesize

      512KB