Analysis
max time kernel: 145s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 06/03/2024, 02:43
Behavioral task: behavioral1
Sample: Installer.exe
Resource: win7-20240221-en
General
Target: Installer.exe
Size: 327.7MB
MD5: 7e25fdb1932480e3e6ec31b22d08c19e
SHA1: 0dfca2e6c1c89b1e85fdbb9da31a93964db7b826
SHA256: fbef401c6a7ad24640f6b6583aa0d0fa02aa895c47ab08e68b0e6e312d1b42a5
SHA512: 2bb81a8ddda7ef4bbc9508c7c80f56b5a00215674ad38e442937c42a2ecdf4e827b906b97bf63c67c36dd0a7ef78d2c6b5b6202d96516ece8b5d2dbd355f8326
SSDEEP: 196608:99GeDVI5DKBWZlkgJedYs6LtYdEhqTgKDf:9kYVI5DK2NNs6LtYdEhSpz
Malware Config
Signatures
Detects executables packed with Agile.NET / CliSecure (6 IoCs)
yara_rule INDICATOR_EXE_Packed_AgileDotNet matched in:
- behavioral1/memory/2508-1-0x0000000000DF0000-0x0000000001DF0000-memory.dmp
- behavioral1/files/0x0009000000016332-6.dat
- behavioral1/files/0x0009000000016332-8.dat
- behavioral1/memory/2508-9-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp
- behavioral1/memory/2508-11-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp
- behavioral1/memory/2508-22-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp

Detects executables packed with Themida (5 IoCs)
yara_rule INDICATOR_EXE_Packed_Themida matched in:
- behavioral1/files/0x0009000000016332-6.dat
- behavioral1/files/0x0009000000016332-8.dat
- behavioral1/memory/2508-9-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp
- behavioral1/memory/2508-11-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp
- behavioral1/memory/2508-22-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Process: Installer.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Process: Installer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Process: Installer.exe)

Loads dropped DLL (1 IoC)
- PID 2508 (Process: Installer.exe)

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
yara_rule agile_net matched in:
- behavioral1/memory/2508-1-0x0000000000DF0000-0x0000000001DF0000-memory.dmp

Themida yara rule match (rule: themida, 5 IoCs)
yara_rule themida matched in:
- behavioral1/files/0x0009000000016332-6.dat
- behavioral1/files/0x0009000000016332-8.dat
- behavioral1/memory/2508-9-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp
- behavioral1/memory/2508-11-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp
- behavioral1/memory/2508-22-0x000007FEEE7C0000-0x000007FEEEF72000-memory.dmp

Checks whether UAC is enabled
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Process: Installer.exe)

Suspicious use of WriteProcessMemory (3 IoCs)
- PID 2508 wrote to memory of 2164 (pid 2508, Process: Installer.exe, procid_target 28)
- PID 2508 wrote to memory of 2164 (pid 2508, Process: Installer.exe, procid_target 28)
- PID 2508 wrote to memory of 2164 (pid 2508, Process: Installer.exe, procid_target 28)
Processes

C:\Users\Admin\AppData\Local\Temp\Installer.exe (PID 2508)
Command line: "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
  Child process:
  C:\Windows\system32\WerFault.exe (PID 2164)
  Command line: C:\Windows\system32\WerFault.exe -u -p 2508 -s 1072
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4KB
MD5: daaef488a8bedc6139adac82202dce09
SHA1: 86a50377f45cfb8e4d40009b4cc0de62a0720cb4
SHA256: d1e24a3dfd7b83c49e357e910294ad0a6e63a3807dbdfe25527d99889177c51b
SHA512: 0e380043918e7697bf13ef8f3e2ca091a1e290dd237acbc5689271eb380e3ea76d14e9f2327f2e487bf2b5d59931cad4ecf3fa92f6509253f3a3a0b593613490

Filesize: 129KB
MD5: 359aaf8cfe3000e8f9611df7060de931
SHA1: 5157e2b29cb9bd7b7ff1e730e8c9cd6064ea0679
SHA256: 44366da583e7bbb75b7198479b7545a08f8eb496a1cb0a7ba6c221fbd5a3f36e
SHA512: 1ebd652f28a589450f050e936b6e3089a92a8998cf4645744d6f73c8b2e1b2fdefe3a743b61106e1fbd63a024b044775b20a6c6854feec089ea5554c857a5df1