f9e55b462180a3b3723631de80adae899a8e04d1a5e2e3b8a8f6f9c00cc34ff2

Analysis

max time kernel
104s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F87ED5926D4B89E4473603FA7A7F9BA73A0480DABF8536A15481371234E1D7AE.exe
Size

6.0MB
MD5

d4119d6b2c67253980444fffbee626aa
SHA1

2832d4692c01356e4ea6b6a761353021435d74d5
SHA256

f87ed5926d4b89e4473603fa7a7f9ba73a0480dabf8536a15481371234e1d7ae
SHA512

821bccb2542cf538838fd3ca38fc4c16375e15ded12754a2d4d55f22410cc42d63f14bc8a0f93a79ae177d6668e11889eb6d3f3db4e0c7d146005a5552a84706
SSDEEP

98304:FYaIkxWPEOnA0XjEhJr9/lfi7oh2B6RkNmMrTfp7ZP4Gx9SSNH8e0LXZlIz76/:F/IGiEOA599fO76RErzp7VBTF0TZlCA

Score

9^/10

agilenet evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

F87ED5926D4B89E4473603FA7A7F9BA73A0480DABF8536A15481371234E1D7AE.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ F87ED5926D4B89E4473603FA7A7F9BA73A0480DABF8536A15481371234E1D7AE.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	F87ED5926D4B89E4473603FA7A7F9BA73A0480DABF8536A15481371234E1D7AE.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

F87ED5926D4B89E4473603FA7A7F9BA73A0480DABF8536A15481371234E1D7AE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	F87ED5926D4B89E4473603FA7A7F9BA73A0480DABF8536A15481371234E1D7AE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	F87ED5926D4B89E4473603FA7A7F9BA73A0480DABF8536A15481371234E1D7AE.exe

Loads dropped DLL 1 IoCs

Processes:

F87ED5926D4B89E4473603FA7A7F9BA73A0480DABF8536A15481371234E1D7AE.exe

pid process

748 F87ED5926D4B89E4473603FA7A7F9BA73A0480DABF8536A15481371234E1D7AE.exe

pid	process
748	F87ED5926D4B89E4473603FA7A7F9BA73A0480DABF8536A15481371234E1D7AE.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/748-1-0x000001F5CDC20000-0x000001F5CE224000-memory.dmp	agile_net

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\76861f0f-c59e-4b41-ba84-182f7c04ef64\AgileDotNetRT64.dll	themida
behavioral1/memory/748-9-0x00007FFF600C0000-0x00007FFF60980000-memory.dmp	themida
behavioral1/memory/748-11-0x00007FFF600C0000-0x00007FFF60980000-memory.dmp	themida
behavioral1/memory/748-13-0x00007FFF600C0000-0x00007FFF60980000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

F87ED5926D4B89E4473603FA7A7F9BA73A0480DABF8536A15481371234E1D7AE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	F87ED5926D4B89E4473603FA7A7F9BA73A0480DABF8536A15481371234E1D7AE.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

F87ED5926D4B89E4473603FA7A7F9BA73A0480DABF8536A15481371234E1D7AE.exe

pid process

748 F87ED5926D4B89E4473603FA7A7F9BA73A0480DABF8536A15481371234E1D7AE.exe

pid	process
748	F87ED5926D4B89E4473603FA7A7F9BA73A0480DABF8536A15481371234E1D7AE.exe

C:\Users\Admin\AppData\Local\Temp\F87ED5926D4B89E4473603FA7A7F9BA73A0480DABF8536A15481371234E1D7AE.exe
"C:\Users\Admin\AppData\Local\Temp\F87ED5926D4B89E4473603FA7A7F9BA73A0480DABF8536A15481371234E1D7AE.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:748

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\76861f0f-c59e-4b41-ba84-182f7c04ef64\AgileDotNetRT64.dll
Filesize
3.2MB

MD5
e71e22fdf51c2044a19c3cf26a383c3b

SHA1
025bd5ff2ec9708f5ee7618925b1fa9083d698c4

SHA256
c524e9accca5fe53b02df45b50738e55175c135a9b8bb2762062f1094bef5d2f

SHA512
f997c44127b1361b1e56e02767e5f975357df156454d83951bafb663658c000c7ce049f550effa5ae2c8512d297611288de34f7e65d8b825dfceaadec905b503

Download Submit
memory/748-0-0x00007FFF62C03000-0x00007FFF62C05000-memory.dmp

Filesize
8KB

Download
memory/748-1-0x000001F5CDC20000-0x000001F5CE224000-memory.dmp

Filesize
6.0MB

Download
memory/748-8-0x00007FFF62C00000-0x00007FFF636C1000-memory.dmp

Filesize
10.8MB

Download
memory/748-9-0x00007FFF600C0000-0x00007FFF60980000-memory.dmp

Filesize
8.8MB

Download
memory/748-11-0x00007FFF600C0000-0x00007FFF60980000-memory.dmp

Filesize
8.8MB

Download
memory/748-12-0x00007FFF72180000-0x00007FFF722CE000-memory.dmp

Filesize
1.3MB

Download
memory/748-13-0x00007FFF600C0000-0x00007FFF60980000-memory.dmp

Filesize
8.8MB

Download
memory/748-14-0x00007FFF62C00000-0x00007FFF636C1000-memory.dmp

Filesize
10.8MB

Download