Malware Analysis Report

2024-11-30 18:48

Sample ID 240318-bg3e3sdd7x
Target 8bf840cf0d692948ec462e702fe19340.bin
SHA256 cb04375f966f2b1f3883614e37b0bf5d99cc624df7c8c1fbc39878ba4e9b1e64
Tags agilenet evasion themida trojan
Score 9/10


Analysis Overview

Score 9/10

SHA256 cb04375f966f2b1f3883614e37b0bf5d99cc624df7c8c1fbc39878ba4e9b1e64

Threat Level: Likely malicious

The file 8bf840cf0d692948ec462e702fe19340.bin was found to be: Likely malicious.

Malicious Activity Summary

agilenet evasion themida trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Themida packer

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken


Analysis: static1

Detonation Overview

Reported

2024-03-18 01:07

Signatures

Obfuscated with Agile.Net obfuscator

Tags: agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-18 01:07

Reported

2024-03-18 01:10

Platform

win7-20240215-en

Max time kernel

67s

Max time network

69s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8bf840cf0d692948ec462e702fe19340.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8bf840cf0d692948ec462e702fe19340.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8bf840cf0d692948ec462e702fe19340.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8bf840cf0d692948ec462e702fe19340.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8bf840cf0d692948ec462e702fe19340.exe | N/A

Obfuscated with Agile.Net obfuscator

Tags: agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 matches, no details recorded)

Themida packer

Tags: themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (6 matches, no details recorded)

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8bf840cf0d692948ec462e702fe19340.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8bf840cf0d692948ec462e702fe19340.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8bf840cf0d692948ec462e702fe19340.exe | N/A
Tokens (the same sequence of 20 was recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8bf840cf0d692948ec462e702fe19340.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8bf840cf0d692948ec462e702fe19340.exe

"C:\Users\Admin\AppData\Local\Temp\8bf840cf0d692948ec462e702fe19340.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
FR 142.250.179.67:443 gstatic.com tcp
FR 142.250.179.67:443 gstatic.com tcp

Files

memory/1256-0-0x00000000003D0000-0x0000000000B1A000-memory.dmp

memory/1256-1-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

memory/1256-2-0x00000000026E0000-0x0000000002760000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a9d4b4b1-e2f9-44d0-a25a-3df1490d84b5\AgileDotNetRT64.dll

MD5 05b012457488a95a05d0541e0470d392
SHA1 74f541d6a8365508c794ef7b4ac7c297457f9ce3
SHA256 1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d
SHA512 6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

memory/1256-9-0x000007FEF2CB0000-0x000007FEF3834000-memory.dmp

memory/1256-10-0x00000000777A0000-0x0000000077949000-memory.dmp

memory/1256-12-0x000007FEF2CB0000-0x000007FEF3834000-memory.dmp

memory/1256-22-0x000007FEF4480000-0x000007FEF45AC000-memory.dmp

memory/1256-23-0x000007FEF2CB0000-0x000007FEF3834000-memory.dmp

memory/1256-24-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

memory/1256-25-0x00000000026E0000-0x0000000002760000-memory.dmp

memory/1256-26-0x000007FEF2CB0000-0x000007FEF3834000-memory.dmp

memory/1256-27-0x00000000777A0000-0x0000000077949000-memory.dmp

memory/1256-28-0x000007FEF2CB0000-0x000007FEF3834000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-18 01:07

Reported

2024-03-18 01:10

Platform

win10v2004-20240226-en

Max time kernel

2s

Max time network

13s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8bf840cf0d692948ec462e702fe19340.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8bf840cf0d692948ec462e702fe19340.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8bf840cf0d692948ec462e702fe19340.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8bf840cf0d692948ec462e702fe19340.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8bf840cf0d692948ec462e702fe19340.exe | N/A

Obfuscated with Agile.Net obfuscator

Tags: agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Themida packer

Tags: themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 matches, no details recorded)

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8bf840cf0d692948ec462e702fe19340.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8bf840cf0d692948ec462e702fe19340.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8bf840cf0d692948ec462e702fe19340.exe

"C:\Users\Admin\AppData\Local\Temp\8bf840cf0d692948ec462e702fe19340.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
FR 142.250.179.67:443 gstatic.com tcp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp

Files

memory/4564-0-0x000001D4506A0000-0x000001D450DEA000-memory.dmp

memory/4564-1-0x00007FFC95730000-0x00007FFC961F1000-memory.dmp

memory/4564-2-0x000001D46B2E0000-0x000001D46B2F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a9d4b4b1-e2f9-44d0-a25a-3df1490d84b5\AgileDotNetRT64.dll

MD5 c0896d0bba4d8d33ea35f80e1006332a
SHA1 b5fe5e9ba38ded220659585a993703f18eba675c
SHA256 b4aa728481d5633a5f75ee60228ae257cb3bceac312adde2f05d126c92487d85
SHA512 b7146c1958c42f29b5167b820449c7243645f9db94a1294466c1d4f46ca5c1127b01977550d7b8a798f47a104790917d16be30e921e71e79f1a492a25a4395e8

C:\Users\Admin\AppData\Local\Temp\a9d4b4b1-e2f9-44d0-a25a-3df1490d84b5\AgileDotNetRT64.dll

MD5 231d164e8db8f5eeb5b10db693632548
SHA1 2f3cc01c1ae5c352b5557427256a0d5970fa4263
SHA256 c12b77b3f57f683dc730c2b954d116de6a8dbe2d230af9969aa6dee6ccf0c208
SHA512 df70d6e2560c19657fcea173ba2b1429e3c904de8ae1eae901672b9e0f1fb155011217638299296dd9ba449a1a06a855c65ed7a3451479e0f06c7e47b1b82a5b

memory/4564-9-0x00007FFC92610000-0x00007FFC93194000-memory.dmp

memory/4564-10-0x00007FFCB3890000-0x00007FFCB3A85000-memory.dmp

memory/4564-12-0x00007FFC92610000-0x00007FFC93194000-memory.dmp

memory/4564-13-0x00007FFC93FE0000-0x00007FFC9412E000-memory.dmp