Malware Analysis Report

2024-11-15 08:31

Sample ID: 240408-n5ltfsgf24
Target: inst.exe
SHA256: 0b06f84f2776bf4e4c28e73625defe855d3817b1de1a17183db39016f7109695
Tags: agilenet evasion themida trojan
Score: 9/10

Analysis Overview

Score: 9/10

SHA256: 0b06f84f2776bf4e4c28e73625defe855d3817b1de1a17183db39016f7109695

Threat Level: Likely malicious

The file inst.exe was found to be: Likely malicious.

Malicious Activity Summary

agilenet evasion themida trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Themida packer

Checks whether UAC is enabled

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-08 11:58

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-08 11:58

Reported: 2024-04-08 12:01

Platform: win7-20240221-en

Max time kernel: 141s

Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\inst.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\inst.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\inst.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\inst.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\inst.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\inst.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\inst.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\inst.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\inst.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\inst.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\inst.exe

"C:\Users\Admin\AppData\Local\Temp\inst.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\inst.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'inst.exe'

Network

Country Destination Domain Proto
DE 89.58.4.128:7771 tcp

Files

\Users\Admin\AppData\Local\Temp\c3151015-52f5-4d47-88a4-ea55aea0d52a\AgileDotNetRT64.dll

MD5 9bb6ed08af544d3738e60200d2804180
SHA1 5a40b484ca56b1ce59add4ec283e21d60070be02
SHA256 86d49f3894cc3de038abcde03803de8b6f239c237f34930ce5c41ab725c26cb7
SHA512 63e6b90457c3e3e6e419e30fe57e35c66e08059611fbe4ffb60d28acd6ee8d9f0ccfa31d7b27e9af44ab13512490f3b7b7f5130df947c5de50a937dcee0a91a5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 8a9b3f289fd66999e84fd3efe3206e17
SHA1 68a2dc78ebeedd8b7eabdaa3e02a7a15e497c861
SHA256 a3e49bbf29520bb414c07f8c460913fdfefa967d7a1e4a252d7436477172a403
SHA512 5b173d2c349536fda8034cabe513b892690832ce57652bd7a9757097b11583402db18101d251d51fde7db5d54538aaaef991df19741a1e1c44ab4c63ace38207

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-08 11:58

Reported: 2024-04-08 12:01

Platform: win10v2004-20240226-en

Max time kernel: 142s

Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\inst.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\inst.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\inst.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\inst.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\inst.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\inst.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\inst.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\inst.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\inst.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\inst.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\inst.exe

"C:\Users\Admin\AppData\Local\Temp\inst.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\inst.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'inst.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
DE 89.58.4.128:7771 tcp
US 8.8.8.8:53 128.4.58.89.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\c3151015-52f5-4d47-88a4-ea55aea0d52a\AgileDotNetRT64.dll

MD5 9bb6ed08af544d3738e60200d2804180
SHA1 5a40b484ca56b1ce59add4ec283e21d60070be02
SHA256 86d49f3894cc3de038abcde03803de8b6f239c237f34930ce5c41ab725c26cb7
SHA512 63e6b90457c3e3e6e419e30fe57e35c66e08059611fbe4ffb60d28acd6ee8d9f0ccfa31d7b27e9af44ab13512490f3b7b7f5130df947c5de50a937dcee0a91a5

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o1qwaimu.1dp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 731e9e4becec0b1ef9caad4b3562d4b4
SHA1 6dffb77aba4e92ad5bd4b7c02fdee6f328bcd457
SHA256 71c7eca538938fa4d5b470fee41cfe43734e9beb9ae409d5b41111fa1a15c2d5
SHA512 841cf559ae5b0feec4be43018717641399b3602a553112e98b07d498f1a44169924466abc7e2313b8e8cf1c0fdc1bb7635e2818aab8269b0ef349a0ba0cd6ae5
