Resubmissions
09/04/2024, 11:52

Analysis 240409-n13amshe9z (score 9)
max time kernel: 128s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/04/2024, 11:52
General
Target: AridekVM_FREE.exe
Size: 17.6MB
MD5: 7301a2e73cfa965130edb55276637e1b
SHA1: 0cdbdab8c96bf9f1ded2769dc1c55bec2585c042
SHA256: 2080b3fc0d32d1159227745a7d93de1109d5d73a2d7b997a00a681a0eb18522e
SHA512: 51ce6a62a4af229e3ca874c50eb84ba9beda6525ec07c3037817e0e83201b7da6e39c5d524acfb49ba72836e0be55a789c31a3f994455892a51f002793ecc93f
SSDEEP: 393216:mDfLJWfzOSzK10BBJ0m44hVHnv2uFYu7Z:mkfzbK10BBn44hbFB1
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | AridekVM_FREE.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | AridekVM_FREE.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | AridekVM_FREE.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | AridekVM_FREE.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | AridekVM_FREE.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | AridekVM_FREE.exe
Themida packer (YARA rule match) 19 IoCs
resource | yara_rule
behavioral1/memory/4736-1-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp | themida
behavioral1/memory/4736-2-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp | themida
behavioral1/memory/4736-3-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp | themida
behavioral1/memory/4736-4-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp | themida
behavioral1/memory/4736-5-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp | themida
behavioral1/memory/4736-6-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp | themida
behavioral1/memory/4736-7-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp | themida
behavioral1/memory/4736-8-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp | themida
behavioral1/memory/4736-9-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp | themida
behavioral1/memory/5116-12-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp | themida
behavioral1/memory/5116-13-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp | themida
behavioral1/memory/5116-14-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp | themida
behavioral1/memory/5116-15-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp | themida
behavioral1/memory/5116-16-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp | themida
behavioral1/memory/5116-17-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp | themida
behavioral1/memory/5116-18-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp | themida
behavioral1/memory/5116-20-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp | themida
behavioral1/memory/5116-21-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp | themida
behavioral1/memory/5116-27-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp | themida
Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | AridekVM_FREE.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | AridekVM_FREE.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
4736 | AridekVM_FREE.exe
5116 | AridekVM_FREE.exe

Delays execution with timeout.exe 2 IoCs
pid | Process
1032 | timeout.exe
3316 | timeout.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4736 | AridekVM_FREE.exe
Token: SeDebugPrivilege | 5116 | AridekVM_FREE.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
5116 | AridekVM_FREE.exe

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4736 wrote to memory of 2712 | 4736 | AridekVM_FREE.exe | 96
PID 4736 wrote to memory of 2712 | 4736 | AridekVM_FREE.exe | 96
PID 2712 wrote to memory of 1512 | 2712 | cmd.exe | 98
PID 2712 wrote to memory of 1512 | 2712 | cmd.exe | 98
PID 1512 wrote to memory of 1032 | 1512 | cmd.exe | 100
PID 1512 wrote to memory of 1032 | 1512 | cmd.exe | 100
PID 5116 wrote to memory of 1224 | 5116 | AridekVM_FREE.exe | 119
PID 5116 wrote to memory of 1224 | 5116 | AridekVM_FREE.exe | 119
PID 1224 wrote to memory of 3420 | 1224 | cmd.exe | 121
PID 1224 wrote to memory of 3420 | 1224 | cmd.exe | 121
PID 3420 wrote to memory of 3316 | 3420 | cmd.exe | 123
PID 3420 wrote to memory of 3316 | 3420 | cmd.exe | 123
Processes

C:\Users\Admin\AppData\Local\Temp\AridekVM_FREE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AridekVM_FREE.exe"
  PID: 4736
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd.exe" /c start cmd /C "color b && title Error && echo SSL assertion fail, make sure you're not debugging Network. Disable internet firewall on router if possible. & echo: & echo If not, ask the developer of the program to use custom domains to fix this. && timeout /t 5"
    PID: 2712
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      Command line: cmd /C "color b && title Error && echo SSL assertion fail, make sure you're not debugging Network. Disable internet firewall on router if possible. & echo: & echo If not, ask the developer of the program to use custom domains to fix this. && timeout /t 5"
      PID: 1512
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\timeout.exe
        Command line: timeout /t 5
        PID: 1032
        - Delays execution with timeout.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8
  PID: 452

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 660

C:\Users\Admin\AppData\Local\Temp\AridekVM_FREE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AridekVM_FREE.exe"
  PID: 5116
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd.exe" /c start cmd /C "color b && title Error && echo SSL assertion fail, make sure you're not debugging Network. Disable internet firewall on router if possible. & echo: & echo If not, ask the developer of the program to use custom domains to fix this. && timeout /t 5"
    PID: 1224
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      Command line: cmd /C "color b && title Error && echo SSL assertion fail, make sure you're not debugging Network. Disable internet firewall on router if possible. & echo: & echo If not, ask the developer of the program to use custom domains to fix this. && timeout /t 5"
      PID: 3420
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\timeout.exe
        Command line: timeout /t 5
        PID: 3316
        - Delays execution with timeout.exe