Analysis Overview
SHA256
add6e9e95141df4155a54be4fe05c9226e97967aeabce83ec313903e88c7a058
Threat Level: Likely malicious
The file Vanity.rar was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Obfuscated with Agile.Net obfuscator
Themida packer
Loads dropped DLL
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-15 19:18
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-15 19:18
Reported
2024-03-15 19:24
Platform
win10v2004-20240226-en
Max time kernel
298s
Max time network
301s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe
"C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe"
Network
| Country | Destination | Domain | Proto |
Files
C:\Users\Admin\AppData\Local\Temp\evb593D.tmp
| MD5 | 09d1ba104d339bd427897a7b869e097a |
| SHA1 | c889b5bd38c9640b8c3677ef7aa10da9fd75338d |
| SHA256 | 8a267fe0f2238ffba077c53668bcd6fb7a0dbc326f1e6396a3cd8aafb9d21168 |
| SHA512 | ed996049b3bfbcc29f5f36bf078f7afcfa243705c67c8328ca60ebd83badf09c221897a898e7406ff2524c76439b85ae33e847a8f4c64b7035b7a1ed0a8546df |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-15 19:18
Reported
2024-03-15 19:20
Platform
win10-20240221-en
Max time kernel
77s
Max time network
17s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe
"C:\Users\Admin\AppData\Local\Temp\Vanity\Vanity.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | N/A | udp |
| N/A | 52.111.229.19:443 | N/A | tcp |
Files