Resubmissions

09/04/2024, 11:52

240409-n13amshe9z 9

Analysis

  • max time kernel
    128s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/04/2024, 11:52

General

  • Target

    AridekVM_FREE.exe

  • Size

    17.6MB

  • MD5

    7301a2e73cfa965130edb55276637e1b

  • SHA1

    0cdbdab8c96bf9f1ded2769dc1c55bec2585c042

  • SHA256

    2080b3fc0d32d1159227745a7d93de1109d5d73a2d7b997a00a681a0eb18522e

  • SHA512

    51ce6a62a4af229e3ca874c50eb84ba9beda6525ec07c3037817e0e83201b7da6e39c5d524acfb49ba72836e0be55a789c31a3f994455892a51f002793ecc93f

  • SSDEEP

    393216:mDfLJWfzOSzK10BBJ0m44hVHnv2uFYu7Z:mkfzbK10BBn44hbFB1

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 19 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Delays execution with timeout.exe 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
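The first, second and fourth signatures above name registry locations the sample reads to decide whether it is running inside a virtual machine and whether UAC is on. The script below is an added example, not the sample's code and not the sandbox's signature logic: it evaluates a registry snapshot the way such an anti-VM routine would. The key paths are the standard ones (VirtualBox publishes its ACPI tables under the OEM ID VBOX__ and stamps VBOX into the BIOS version strings); the two snapshots are constructed for the example and are not values captured from the analysed host.

```python
"""Host-fingerprint checks of the kind the report's signatures describe.

Added example, not code from the sample or the sandbox. The registry paths
are the well-known locations these checks read; the snapshots at the bottom
are constructed for the example (not captured data).
"""
from typing import Dict, List

# Registry locations read by the three signatures on this page.
ACPI_TABLE_KEYS = [
    r"HKLM\HARDWARE\ACPI\DSDT",
    r"HKLM\HARDWARE\ACPI\FADT",
    r"HKLM\HARDWARE\ACPI\RSDT",
]
BIOS_KEY = r"HKLM\HARDWARE\DESCRIPTION\System"
BIOS_VALUES = ["SystemBiosVersion", "VideoBiosVersion", "SystemBiosDate"]
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# VirtualBox writes "VBOX__" as the OEM ID of its ACPI tables and "VBOX" into
# the BIOS version strings; other hypervisors leave comparable markers.
VM_MARKERS = ["VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "HYPER-V"]


def vm_fingerprint(registry: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """Evaluate a registry snapshot the way an anti-VM routine would.

    `registry` maps a key path to a dict of its values. Subkeys are listed
    under the pseudo-value "__subkeys__" so the snapshot stays a plain dict
    (on a live host these would be winreg enumerations). Returns the evidence
    found rather than a bare verdict, so each finding can be judged.
    """
    findings: List[str] = []

    # 1. ACPI table OEM IDs: a subkey named VBOX__ under DSDT/FADT/RSDT.
    for key in ACPI_TABLE_KEYS:
        for sub in registry.get(key, {}).get("__subkeys__", []):
            if any(marker in sub.upper() for marker in VM_MARKERS):
                findings.append(f"acpi:{key}\\{sub}")

    # 2. BIOS strings (REG_MULTI_SZ on a real host; flattened to str here).
    bios = registry.get(BIOS_KEY, {})
    for name in BIOS_VALUES:
        value = str(bios.get(name, ""))
        if any(marker in value.upper() for marker in VM_MARKERS):
            findings.append(f"bios:{name}={value}")

    # 3. UAC: EnableLUA == 0 means UAC is off. This is a "can I elevate
    #    quietly" check, not a VM indicator, so it is reported separately.
    enable_lua = registry.get(UAC_KEY, {}).get("EnableLUA")
    uac_enabled = enable_lua is None or int(enable_lua) != 0

    return {"is_vm": bool(findings), "evidence": findings, "uac_enabled": uac_enabled}


# Constructed snapshots (not captured data): a stock VirtualBox guest and a
# physical host whose vendor strings carry no hypervisor marker.
VBOX_GUEST = {
    r"HKLM\HARDWARE\ACPI\DSDT": {"__subkeys__": ["VBOX__"]},
    r"HKLM\HARDWARE\ACPI\FADT": {"__subkeys__": ["VBOX__"]},
    r"HKLM\HARDWARE\ACPI\RSDT": {"__subkeys__": ["VBOX__"]},
    BIOS_KEY: {"SystemBiosVersion": "VBOX   - 1",
               "VideoBiosVersion": "Oracle VM VirtualBox Version 7.0"},
    UAC_KEY: {"EnableLUA": 1},
}
BARE_METAL = {
    r"HKLM\HARDWARE\ACPI\DSDT": {"__subkeys__": ["LENOVO"]},
    r"HKLM\HARDWARE\ACPI\FADT": {"__subkeys__": ["LENOVO"]},
    r"HKLM\HARDWARE\ACPI\RSDT": {"__subkeys__": ["LENOVO"]},
    BIOS_KEY: {"SystemBiosVersion": "LENOVO - 1480",
               "VideoBiosVersion": "Intel Video BIOS"},
    UAC_KEY: {"EnableLUA": 0},
}

if __name__ == "__main__":
    for label, snapshot in (("vbox", VBOX_GUEST), ("bare-metal", BARE_METAL)):
        print(label, vm_fingerprint(snapshot))
```

Because the check keys on fixed vendor strings, sandbox operators defeat it by patching those DMI/ACPI strings in the guest configuration so the sample proceeds past this branch; the report's "likely anti-VM" wording reflects that the registry reads alone only show intent, not which branch the sample took.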

Processes

  • C:\Users\Admin\AppData\Local\Temp\AridekVM_FREE.exe
    "C:\Users\Admin\AppData\Local\Temp\AridekVM_FREE.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c start cmd /C "color b && title Error && echo SSL assertion fail, make sure you're not debugging Network. Disable internet firewall on router if possible. & echo: & echo If not, ask the developer of the program to use custom domains to fix this. && timeout /t 5"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\system32\cmd.exe
        cmd /C "color b && title Error && echo SSL assertion fail, make sure you're not debugging Network. Disable internet firewall on router if possible. & echo: & echo If not, ask the developer of the program to use custom domains to fix this. && timeout /t 5"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Windows\system32\timeout.exe
          timeout /t 5
          4⤵
          • Delays execution with timeout.exe
          PID:1032
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:452
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:660
  • C:\Users\Admin\AppData\Local\Temp\AridekVM_FREE.exe
    "C:\Users\Admin\AppData\Local\Temp\AridekVM_FREE.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5116
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c start cmd /C "color b && title Error && echo SSL assertion fail, make sure you're not debugging Network. Disable internet firewall on router if possible. & echo: & echo If not, ask the developer of the program to use custom domains to fix this. && timeout /t 5"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Windows\system32\cmd.exe
        cmd /C "color b && title Error && echo SSL assertion fail, make sure you're not debugging Network. Disable internet firewall on router if possible. & echo: & echo If not, ask the developer of the program to use custom domains to fix this. && timeout /t 5"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3420
        • C:\Windows\system32\timeout.exe
          timeout /t 5
          4⤵
          • Delays execution with timeout.exe
          PID:3316
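Both runs of the sample produce the same four-deep chain: the executable in %TEMP% launches cmd.exe with "start cmd /C ...", the child cmd.exe prints a fake "SSL assertion fail" error and then sleeps through timeout.exe. The detector below is an added example, not the sandbox's own signature code: it runs two rules over process-creation events. The events are constructed for the example and modelled on the tree above (same images, command lines and PIDs); the parent PID of the root process and the benign explorer.exe chain used as a control are assumptions.

```python
"""Detection for the cmd.exe / timeout.exe chain shown in the process tree.

Added example, not the sandbox's signature logic. EVENTS is constructed for
the example and modelled on the report's tree; the root's parent PID (1000)
and the explorer.exe control chain are assumptions.
"""
import re
from typing import Dict, Iterator, List, Tuple

Event = Tuple[int, int, str, str]  # (pid, ppid, image, command line)

TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\AridekVM_FREE.exe"
DECOY = ("color b && title Error && echo SSL assertion fail, make sure you're not "
         "debugging Network. Disable internet firewall on router if possible. & echo: "
         "& echo If not, ask the developer of the program to use custom domains to fix "
         "this. && timeout /t 5")

# Constructed process-creation events (PIDs and command lines from the tree).
EVENTS: List[Event] = [
    (4736, 1000, TEMP_EXE, f'"{TEMP_EXE}"'),
    (2712, 4736, r"C:\Windows\SYSTEM32\cmd.exe", f'"cmd.exe" /c start cmd /C "{DECOY}"'),
    (1512, 2712, r"C:\Windows\system32\cmd.exe", f'cmd /C "{DECOY}"'),
    (1032, 1512, r"C:\Windows\system32\timeout.exe", "timeout /t 5"),
    # Control chain (assumed): a user-launched script that also sleeps.
    (7000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    (8000, 7000, r"C:\Windows\System32\cmd.exe", "cmd /c echo backing up && timeout /t 5"),
    (8001, 8000, r"C:\Windows\System32\timeout.exe", "timeout /t 5"),
]

# An image living under the per-user temp directory.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# cmd.exe re-launching cmd via "start" whose payload only echoes text and sleeps.
DECOY_LAUNCH = re.compile(r'/c\s+start\s+cmd\s+/c\s+".*\becho\b.*\btimeout\s+/t\b', re.I | re.S)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: Dict[int, Event]) -> Iterator[Event]:
    """Yield parent, grandparent, ... and stop at unknown PIDs or a loop."""
    seen = {pid}
    cur = by_pid[pid][1]
    while cur in by_pid and cur not in seen:
        seen.add(cur)
        yield by_pid[cur]
        cur = by_pid[cur][1]


def detect(events: List[Event]) -> List[dict]:
    by_pid = {e[0]: e for e in events}
    alerts: List[dict] = []
    for pid, _ppid, image, cmdline in events:
        name = basename(image)
        # Rule 1: the decoy console window (a separate cmd started only to
        # print an "error" and wait), independent of where the parent lives.
        if name == "cmd.exe" and DECOY_LAUNCH.search(cmdline):
            alerts.append({"pid": pid, "rule": "decoy-console-window", "image": image})
        # Rule 2: timeout.exe reached through cmd.exe from a binary in %TEMP%.
        if name == "timeout.exe":
            chain = list(ancestors(pid, by_pid))
            via_cmd = any(basename(a[2]) == "cmd.exe" for a in chain)
            root = next((a for a in chain if TEMP_DIR.search(a[2])), None)
            if via_cmd and root is not None:
                alerts.append({"pid": pid, "rule": "temp-binary-delays-via-timeout",
                               "image": image, "root": root[2]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Rule 2 walks the ancestry rather than matching only parent and child, because the sample inserts two cmd.exe layers between itself and timeout.exe; a parent-only rule would see cmd.exe spawning timeout.exe, which is ordinary. The control chain under explorer.exe exercises exactly that false-positive path and produces no alert.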

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/4736-0-0x00007FFB96710000-0x00007FFB96905000-memory.dmp (Filesize: 2.0MB)
  • memory/4736-1-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp (Filesize: 43.2MB)
  • memory/4736-2-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp (Filesize: 43.2MB)
  • memory/4736-3-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp (Filesize: 43.2MB)
  • memory/4736-4-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp (Filesize: 43.2MB)
  • memory/4736-5-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp (Filesize: 43.2MB)
  • memory/4736-6-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp (Filesize: 43.2MB)
  • memory/4736-7-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp (Filesize: 43.2MB)
  • memory/4736-8-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp (Filesize: 43.2MB)
  • memory/4736-9-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp (Filesize: 43.2MB)
  • memory/4736-10-0x00007FFB96710000-0x00007FFB96905000-memory.dmp (Filesize: 2.0MB)
  • memory/5116-11-0x00007FFB96710000-0x00007FFB96905000-memory.dmp (Filesize: 2.0MB)
  • memory/5116-12-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp (Filesize: 43.2MB)
  • memory/5116-13-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp (Filesize: 43.2MB)
  • memory/5116-14-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp (Filesize: 43.2MB)
  • memory/5116-15-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp (Filesize: 43.2MB)
  • memory/5116-16-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp (Filesize: 43.2MB)
  • memory/5116-17-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp (Filesize: 43.2MB)
  • memory/5116-18-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp (Filesize: 43.2MB)
  • memory/5116-20-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp (Filesize: 43.2MB)
  • memory/5116-21-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp (Filesize: 43.2MB)
  • memory/5116-24-0x00007FFB96710000-0x00007FFB96905000-memory.dmp (Filesize: 2.0MB)
  • memory/5116-27-0x00007FF7DA5C0000-0x00007FF7DD0F6000-memory.dmp (Filesize: 43.2MB)
  • memory/5116-28-0x00007FFB96710000-0x00007FFB96905000-memory.dmp (Filesize: 2.0MB)
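Each dump name encodes the PID, a sequence number and the virtual address range that was captured. The parser below is an added example, not sandbox code: it decodes the names, groups them per process and region, and recomputes the sizes from the addresses. The 24 names are those listed above, reconstructed from the two address ranges they share. The grouping makes the pattern visible: both runs (PID 4736 and PID 5116) were dumped from the same two ranges, one of about 2.0MB and one of about 43.2MB. That larger range is roughly two and a half times the 17.6MB file on disk, which is consistent with a Themida-protected image being unpacked in memory; that reading is an inference from the sizes, not something the report states.

```python
"""Parse and group the memory-dump names listed under Downloads.

Added example, not sandbox code. The name layout
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is taken from the list on
this page; DUMPS reproduces that list (constructed here, not downloaded).
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# The two address ranges that appear on this page.
REGION_A = "0x00007FFB96710000-0x00007FFB96905000"   # reported as 2.0MB
REGION_B = "0x00007FF7DA5C0000-0x00007FF7DD0F6000"   # reported as 43.2MB

# The 24 names from the Downloads list (sequence numbers as listed there).
DUMPS: List[str] = (
    [f"memory/4736-{s}-{REGION_A}-memory.dmp" for s in (0, 10)]
    + [f"memory/4736-{s}-{REGION_B}-memory.dmp" for s in range(1, 10)]
    + [f"memory/5116-{s}-{REGION_A}-memory.dmp" for s in (11, 24, 28)]
    + [f"memory/5116-{s}-{REGION_B}-memory.dmp"
       for s in (12, 13, 14, 15, 16, 17, 18, 20, 21, 27)]
)


def parse_dump_name(name: str) -> dict:
    """Decode one dump name; reject names that do not fit the layout."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_mb(nbytes: int) -> str:
    """Format bytes as MiB with one decimal, matching the page's figures."""
    return f"{nbytes / (1024 * 1024):.1f}MB"


def summarize(names: List[str]) -> Dict[int, Dict[Tuple[int, int], dict]]:
    """Group dumps per PID and per (start, end) region, keeping sequence numbers."""
    regions: Dict[int, Dict[Tuple[int, int], dict]] = defaultdict(dict)
    for name in names:
        d = parse_dump_name(name)
        entry = regions[d["pid"]].setdefault((d["start"], d["end"]),
                                             {"size": d["size"], "dumps": []})
        entry["dumps"].append(d["seq"])
    return dict(regions)


if __name__ == "__main__":
    for pid, regions in summarize(DUMPS).items():
        for (start, end), entry in regions.items():
            print(f"pid {pid}: 0x{start:016X}-0x{end:016X} "
                  f"{human_mb(entry['size'])} x{len(entry['dumps'])} "
                  f"seq={entry['dumps']}")
```

The recomputed sizes agree with the page (0x2B36000 bytes for the large range, 0x1F5000 for the small one), which is a cheap consistency check before spending time on a dump; a mismatch between the name and the file size usually means a truncated download.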