Malware Analysis Report

2024-11-30 18:51

Sample ID: 240315-xz4azsgg5z
Target: Vanity.rar
SHA256: add6e9e95141df4155a54be4fe05c9226e97967aeabce83ec313903e88c7a058
Tags: agilenet evasion themida trojan
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 9/10
SHA256: add6e9e95141df4155a54be4fe05c9226e97967aeabce83ec313903e88c7a058

Threat Level: Likely malicious

The file Vanity.rar was found to be: Likely malicious.

Malicious Activity Summary

agilenet evasion themida trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Obfuscated with Agile.Net obfuscator

Themida packer

Loads dropped DLL

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-15 19:18

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
1 match; no description, indicator, process or target recorded.

Unsigned PE

1 match; no description, indicator, process or target recorded.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-15 19:18
Reported: 2024-03-15 19:24
Platform: win10v2004-20240226-en
Max time kernel: 298s
Max time network: 301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet
4 matches; no description, indicator, process or target recorded.

Themida packer

themida
11 matches; no description, indicator, process or target recorded.

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A

Suspicious behavior: EnumeratesProcesses

28 matches, all from process C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe; no description, indicator or target recorded.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe

"C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 80.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 213.80.50.20.in-addr.arpa | udp

Files

memory/4384-0-0x0000000000400000-0x0000000000790000-memory.dmp

memory/4384-1-0x00007FFD4F6F0000-0x00007FFD4F8E5000-memory.dmp

memory/4384-2-0x00007FFD4F6F0000-0x00007FFD4F8E5000-memory.dmp

memory/4384-3-0x0000000000400000-0x00000000006DE000-memory.dmp

memory/4384-4-0x00007FFD4F6F0000-0x00007FFD4F8E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\evb593D.tmp

MD5 09d1ba104d339bd427897a7b869e097a
SHA1 c889b5bd38c9640b8c3677ef7aa10da9fd75338d
SHA256 8a267fe0f2238ffba077c53668bcd6fb7a0dbc326f1e6396a3cd8aafb9d21168
SHA512 ed996049b3bfbcc29f5f36bf078f7afcfa243705c67c8328ca60ebd83badf09c221897a898e7406ff2524c76439b85ae33e847a8f4c64b7035b7a1ed0a8546df

memory/4384-7-0x00007FFD4F6F0000-0x00007FFD4F8E5000-memory.dmp

memory/4384-9-0x00007FFD4F6F0000-0x00007FFD4F8E5000-memory.dmp

memory/4384-8-0x0000000180000000-0x0000000181261000-memory.dmp

memory/4384-13-0x00007FFCCF8F0000-0x00007FFCCF900000-memory.dmp

memory/4384-16-0x00007FFD31300000-0x00007FFD31DC1000-memory.dmp

memory/4384-18-0x0000000180000000-0x0000000181261000-memory.dmp

memory/4384-19-0x00007FF4FDBF0000-0x00007FF4FDDDF000-memory.dmp

memory/4384-20-0x000000001D3D0000-0x000000001D520000-memory.dmp

memory/4384-21-0x00007FFD4F6F0000-0x00007FFD4F8E5000-memory.dmp

memory/4384-22-0x000000001DDB0000-0x000000001E70C000-memory.dmp

memory/4384-23-0x0000000180000000-0x0000000181261000-memory.dmp

memory/4384-24-0x0000000180000000-0x0000000181261000-memory.dmp

memory/4384-25-0x0000000180000000-0x0000000181261000-memory.dmp

memory/4384-26-0x0000000180000000-0x0000000181261000-memory.dmp

memory/4384-27-0x0000000180000000-0x0000000181261000-memory.dmp

memory/4384-28-0x0000000180000000-0x0000000181261000-memory.dmp

memory/4384-29-0x00007FFD2FBB0000-0x00007FFD2FCFE000-memory.dmp

memory/4384-32-0x000000001D5A0000-0x000000001D5B0000-memory.dmp

memory/4384-33-0x000000001D5A0000-0x000000001D5B0000-memory.dmp

memory/4384-34-0x000000001D5A0000-0x000000001D5B0000-memory.dmp

memory/4384-39-0x000000001DDB0000-0x000000001DDCC000-memory.dmp

memory/4384-41-0x0000000000400000-0x0000000000790000-memory.dmp

memory/4384-42-0x00007FFD4F6F0000-0x00007FFD4F8E5000-memory.dmp

memory/4384-43-0x00007FFD4F6F0000-0x00007FFD4F8E5000-memory.dmp

memory/4384-44-0x0000000180000000-0x0000000181261000-memory.dmp

memory/4384-45-0x00007FFD31300000-0x00007FFD31DC1000-memory.dmp

memory/4384-47-0x000000001D3D0000-0x000000001D520000-memory.dmp

memory/4384-48-0x00007FFD4F6F0000-0x00007FFD4F8E5000-memory.dmp

memory/4384-49-0x000000001D5A0000-0x000000001D5B0000-memory.dmp

memory/4384-51-0x000000001D5A0000-0x000000001D5B0000-memory.dmp

memory/4384-52-0x000000001D5A0000-0x000000001D5B0000-memory.dmp

memory/4384-58-0x0000000000400000-0x00000000006DE000-memory.dmp

memory/4384-59-0x00007FFD31300000-0x00007FFD31DC1000-memory.dmp

memory/4384-60-0x00007FFD4F6F0000-0x00007FFD4F8E5000-memory.dmp

memory/4384-61-0x0000000180000000-0x0000000181261000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-15 19:18
Reported: 2024-03-15 19:20
Platform: win10-20240221-en
Max time kernel: 77s
Max time network: 17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet
4 matches; no description, indicator, process or target recorded.

Themida packer

themida
11 matches; no description, indicator, process or target recorded.

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A

Suspicious behavior: EnumeratesProcesses

31 matches, all from process C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe; no description, indicator or target recorded.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A
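Taken one at a time, the signature rows in both behavioral runs (the VBOX__ ACPI key, the two BIOS version values, the EnableLUA query, the hide-from-debugger thread call and the SeDebugPrivilege adjustment) are weak; what matters is that they fire together and before anything else happens. The Python below is an added example for this report, not part of the sandbox's own rule set. Its event list is transcribed from the signature tables above; the rule table and the ATT&CK mapping (T1497.001, T1012, T1622, T1134) are my own, and the ACPI rule goes beyond the report's VirtualBox hit to the other hypervisor OEM ids (VMW, VRTUAL, XEN) a practitioner would expect to see in the same key.

```python
"""Re-derive the evasion picture from a sandbox's signature rows.

Added example for this report, not part of the sandbox's rule set.
SAMPLE_EVENTS is transcribed from the report's signature tables for
Vanity.exe; RULES and the ATT&CK mapping are my own.
"""
import re
from collections import Counter

# (source, detail) pairs transcribed from the report. The thread and token
# rows had no indicator column, so their detail is the signature itself.
SAMPLE_EVENTS = [
    ("registry", r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("registry", r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("registry", r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("registry", r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    ("thread", "NtSetInformationThread ThreadHideFromDebugger"),
    ("token", "AdjustTokenPrivileges SeDebugPrivilege"),
]

# (source, regex on detail, technique label, ATT&CK technique id).
# The ACPI rule generalises the report's VirtualBox hit to other hypervisor
# OEM ids; the BIOS rule keys on the two values the sample actually read.
RULES = [
    ("registry", r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\(VBOX__|VMW|VRTUAL|XEN)",
     "anti-VM: hypervisor OEM id in ACPI table name", "T1497.001"),
    ("registry", r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$",
     "anti-VM: BIOS/video BIOS version strings", "T1497.001"),
    ("registry", r"\\Policies\\System\\EnableLUA$",
     "UAC state check", "T1012"),
    ("thread", r"ThreadHideFromDebugger",
     "anti-debug: thread hidden from debugger", "T1622"),
    ("token", r"SeDebugPrivilege",
     "privilege prep: SeDebugPrivilege enabled", "T1134"),
]


def classify(events):
    """Return one finding per event that matches a rule (first rule wins)."""
    findings = []
    for source, detail in events:
        for rule_source, pattern, label, attack_id in RULES:
            if source == rule_source and re.search(pattern, detail, re.IGNORECASE):
                findings.append({"detail": detail, "technique": label, "attack": attack_id})
                break
    return findings


def summarize(findings):
    """Aggregate findings into the questions an analyst actually asks."""
    by_attack = Counter(f["attack"] for f in findings)
    return {
        "total": len(findings),
        "by_attack": dict(by_attack),
        "sandbox_aware": by_attack["T1497.001"] > 0,
        "debugger_aware": by_attack["T1622"] > 0,
        # A sample that fingerprints the VM may have exited before doing
        # anything interesting; a quiet run then needs a hardened re-run.
        "rerun_on_hardened_vm": by_attack["T1497.001"] > 0,
    }


if __name__ == "__main__":
    found = classify(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['attack']:10} {f['technique']}")
    print(summarize(found))
```

The practical caveat this encodes: a sample that opens the VBOX__ key and reads the BIOS strings, then shows nothing but a DLL load and process enumeration, may simply have detected the sandbox and stopped. Neither run on this page shows persistence, a payload, or an attributable network connection, which is consistent with that failure mode but does not prove it; the next step is a detonation on a VM with renamed ACPI tables and non-virtual BIOS strings, not a downgrade of the verdict.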

Processes

C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe

"C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | N/A | udp
N/A | 52.111.229.19:443 | N/A | tcp
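Neither Network table attributes a connection to Vanity.exe, and most rows in the behavioral2 table are PTR (in-addr.arpa) lookups, whose names carry the looked-up address with its octets reversed. The Python below is an added triage helper, not part of the report. The rows it parses are transcribed from the two tables (a subset of the PTR rows), and treating a three-field row as "domain not recorded" is my reading of the behavioral1 layout. It turns each PTR name back into the address that was queried, de-duplicates TCP endpoints, and lists endpoints for which no name was ever recorded so they can be checked by hand.

```python
"""Triage the Network rows of a sandbox report.

Added example, not part of the report. SAMPLE_ROWS is transcribed from the
behavioral2 and behavioral1 Network tables (a subset of the PTR rows); a
three-field row is read as 'domain not recorded', which is my assumption
about the behavioral1 layout.
"""

SAMPLE_ROWS = """\
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 8.8.8.8:53 udp
N/A 52.111.229.19:443 tcp
"""

PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows into dicts."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:            # behavioral1 rows carry no domain
            country, dest, proto = fields
            domain = None
        else:
            continue
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'133.32.126.40.in-addr.arpa' -> '40.126.32.133' (octets are stored reversed)."""
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def triage(rows):
    """Separate DNS noise from endpoints that need a human look."""
    ptr_lookups, forward_lookups, tcp_endpoints, unnamed_dns = [], [], {}, 0
    for r in rows:
        is_dns = r["dest"].endswith(":53") and r["proto"] == "udp"
        if is_dns:
            if r["domain"] is None:
                unnamed_dns += 1
                continue
            ip = ptr_to_ip(r["domain"])
            if ip is not None:
                ptr_lookups.append(ip)
            else:
                forward_lookups.append(r["domain"])
        elif r["proto"] == "tcp":
            # keep a name for the endpoint if any row ever supplied one
            tcp_endpoints[r["dest"]] = tcp_endpoints.get(r["dest"]) or r["domain"]
    return {
        "ptr_lookups": ptr_lookups,
        "forward_lookups": forward_lookups,
        "tcp_endpoints": tcp_endpoints,
        "unresolved_tcp": [d for d, n in tcp_endpoints.items() if n is None],
        "unnamed_dns": unnamed_dns,
    }


if __name__ == "__main__":
    for key, value in triage(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key}: {value}")
```

Reversed, the PTR names give addresses such as 40.126.32.133 and 52.167.249.196, and the one named TCP endpoint, 204.79.197.200:443, is tse1.mm.bing.net; both are the kind of Microsoft-bound traffic a Windows 10 guest generates on its own, and without a packet capture tied to the Vanity.exe process none of it can be attributed to the sample. The only row left for manual follow-up is 52.111.229.19:443 from the shorter behavioral1 run, which has no recorded name. The absence of an identifiable C2 channel is what one expects from a sample that checks for VirtualBox first; it is not evidence that the sample is benign.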

Files

memory/3324-0-0x0000000000400000-0x0000000000790000-memory.dmp

memory/3324-2-0x0000000000400000-0x00000000006DE000-memory.dmp

memory/3324-1-0x00007FFBBA2D0000-0x00007FFBBA4AB000-memory.dmp

memory/3324-3-0x00007FFBBA2D0000-0x00007FFBBA4AB000-memory.dmp

memory/3324-6-0x00007FFBBA2D0000-0x00007FFBBA4AB000-memory.dmp

memory/3324-5-0x00007FFBBA2D0000-0x00007FFBBA4AB000-memory.dmp

memory/3324-7-0x0000000180000000-0x0000000181261000-memory.dmp

memory/3324-12-0x00007FFB3A4B0000-0x00007FFB3A4C0000-memory.dmp

memory/3324-14-0x00007FFB9D7E0000-0x00007FFB9E1CC000-memory.dmp

memory/3324-16-0x0000000180000000-0x0000000181261000-memory.dmp

memory/3324-17-0x00007FF5FFC40000-0x00007FF5FFE18000-memory.dmp

memory/3324-18-0x00000000018B0000-0x0000000001A00000-memory.dmp

memory/3324-19-0x00007FFBBA2D0000-0x00007FFBBA4AB000-memory.dmp

memory/3324-20-0x000000001D7F0000-0x000000001E14C000-memory.dmp

memory/3324-21-0x0000000180000000-0x0000000181261000-memory.dmp

memory/3324-22-0x0000000180000000-0x0000000181261000-memory.dmp

memory/3324-23-0x0000000180000000-0x0000000181261000-memory.dmp

memory/3324-24-0x0000000180000000-0x0000000181261000-memory.dmp

memory/3324-25-0x0000000180000000-0x0000000181261000-memory.dmp

memory/3324-26-0x0000000180000000-0x0000000181261000-memory.dmp

memory/3324-27-0x00007FFBAE5C0000-0x00007FFBAE6EC000-memory.dmp

memory/3324-30-0x0000000001A00000-0x0000000001A10000-memory.dmp

memory/3324-31-0x0000000001A00000-0x0000000001A10000-memory.dmp

memory/3324-32-0x0000000001A00000-0x0000000001A10000-memory.dmp

memory/3324-33-0x0000000001A00000-0x0000000001A10000-memory.dmp

memory/3324-38-0x0000000001E50000-0x0000000001E6C000-memory.dmp

memory/3324-40-0x0000000000400000-0x0000000000790000-memory.dmp

memory/3324-41-0x00007FFBBA2D0000-0x00007FFBBA4AB000-memory.dmp

memory/3324-42-0x00007FFB9D7E0000-0x00007FFB9E1CC000-memory.dmp

memory/3324-43-0x0000000180000000-0x0000000181261000-memory.dmp

memory/3324-45-0x00007FFBBA2D0000-0x00007FFBBA4AB000-memory.dmp

memory/3324-46-0x0000000001A00000-0x0000000001A10000-memory.dmp

memory/3324-48-0x0000000001A00000-0x0000000001A10000-memory.dmp

memory/3324-49-0x0000000001A00000-0x0000000001A10000-memory.dmp

memory/3324-50-0x0000000001A00000-0x0000000001A10000-memory.dmp

memory/3324-56-0x0000000000400000-0x00000000006DE000-memory.dmp

memory/3324-57-0x00007FFB9D7E0000-0x00007FFB9E1CC000-memory.dmp

memory/3324-58-0x00007FFBBA2D0000-0x00007FFBBA4AB000-memory.dmp

memory/3324-59-0x0000000180000000-0x0000000181261000-memory.dmp
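The memory dump names in both Files sections encode the pid, a capture index, and the start and end address of each region, and most regions were captured many times over the run. The Python below is an added helper, not part of the report. It parses a subset of the names transcribed from the two lists, de-duplicates per (pid, start, end), computes sizes, and labels each range. The labels are my own reading of the addresses: a 64-bit process (these runs use 0x7FF... addresses) whose image still sits at 0x400000 was not relocated by ASLR; 0x180000000 is the linker's default ImageBase for x64 DLLs, so a region there is a DLL mapped at its preferred base; and ranges at 0x7FF... lie in the high user-space area where Windows places ASLR-relocated modules and other mappings.

```python
"""Parse sandbox memory-dump names and de-duplicate the regions.

Added example, not part of the report. SAMPLE_DUMPS is a subset of the
names in the two Files sections; the region labels are my own reading of
the address ranges, not something the sandbox recorded.
"""
import re
from collections import OrderedDict

SAMPLE_DUMPS = [
    "memory/4384-0-0x0000000000400000-0x0000000000790000-memory.dmp",
    "memory/4384-1-0x00007FFD4F6F0000-0x00007FFD4F8E5000-memory.dmp",
    "memory/4384-2-0x00007FFD4F6F0000-0x00007FFD4F8E5000-memory.dmp",
    "memory/4384-3-0x0000000000400000-0x00000000006DE000-memory.dmp",
    "memory/4384-8-0x0000000180000000-0x0000000181261000-memory.dmp",
    "memory/4384-18-0x0000000180000000-0x0000000181261000-memory.dmp",
    "memory/4384-20-0x000000001D3D0000-0x000000001D520000-memory.dmp",
    "memory/4384-41-0x0000000000400000-0x0000000000790000-memory.dmp",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\evb593D.tmp",   # dropped file, not a dump
    "memory/3324-0-0x0000000000400000-0x0000000000790000-memory.dmp",
    "memory/3324-7-0x0000000180000000-0x0000000181261000-memory.dmp",
]

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

LEGACY_EXE_BASE = 0x400000           # traditional ImageBase; an x64 image still here was not ASLR-relocated
DEFAULT_DLL_BASE = 0x180000000       # MSVC linker default ImageBase for x64 DLLs
HIGH_USER_SPACE = 0x7FF000000000     # where x64 Windows places ASLR-relocated modules


def classify_region(start):
    """Label a region by its start address (analyst heuristic, not ground truth)."""
    if start == LEGACY_EXE_BASE:
        return "image@0x400000 (not ASLR-relocated)"
    if start == DEFAULT_DLL_BASE:
        return "DLL at default x64 ImageBase (not relocated)"
    if start >= HIGH_USER_SPACE:
        return "high user-space mapping (ASLR-placed module or other)"
    return "private allocation / heap"


def parse_dump_name(name):
    """Return the fields encoded in a dump name, or None for non-dump entries."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    pid, idx = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    return {"pid": pid, "index": idx, "start": start, "end": end,
            "size": end - start, "kind": classify_region(start)}


def unique_regions(names):
    """One record per (pid, start, end), with how often it was captured."""
    regions = OrderedDict()
    for name in names:
        d = parse_dump_name(name)
        if d is None:
            continue
        key = (d["pid"], d["start"], d["end"])
        if key not in regions:
            regions[key] = dict(d, first_index=d["index"], captures=0)
        regions[key]["captures"] += 1
    return list(regions.values())


if __name__ == "__main__":
    for r in unique_regions(SAMPLE_DUMPS):
        print(f"pid {r['pid']} 0x{r['start']:X}-0x{r['end']:X} size 0x{r['size']:X} "
              f"captured {r['captures']}x (first #{r['first_index']}) {r['kind']}")
```

On the full lists this collapses dozens of names into a handful of regions: the main image at 0x400000 appears in two sizes (0x390000 and 0x2DE000 bytes), and a region of 0x1261000 bytes (about 19 MB) at 0x180000000 is captured repeatedly in both runs. That DLL-sized, non-relocated region is the natural candidate behind the "Loads dropped DLL" signature, but the names alone do not tie it to evb593D.tmp; only the dropped file's hashes and a look inside the dump can. De-duplicating first also means each region is hashed or unpacked once rather than once per capture.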