Resubmissions
  Submitted          Analysis ID          Score
  30-05-2024 18:56   240530-xlvfxshe33    9
  30-05-2024 18:54   240530-xkezvagb8v    9
  29-05-2024 23:57   240529-3zvazaeg6s    9

Analysis
  max time kernel:   12s
  max time network:  7s
  platform:          windows11-21h2_x64
  resource:          win11-20240508-en
  resource tags:     arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:         29-05-2024 23:57
General
  Target:  asa.exe
  Size:    7.0MB
  MD5:     e0c26d4ff2caf2baaa9968b6a1fd33ff
  SHA1:    5631a0da13af42bbacbcfc2e878a37b857c21157
  SHA256:  67d6547f4024b6fefc861cf459edd084508b06606d98b79cf7e323fe88057e79
  SHA512:  a3710eefa23286dbd704d26f9d5fb5f7f4cdf4433b6c4d84238e2c9b689b4e17c0dfb29912f9796f9a4f1d61c1f0e96348effb737895ff90df58088372a367d5
  SSDEEP:  98304:EB2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD8ueJU:tcUG4raKu24YY7HVT4hV0AD6QgqKRgX
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs, 1 IoC
  Process   Action       IoC
  asa.exe   Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Checks BIOS information in registry  2 TTPs, 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Process   Action              IoC
  asa.exe   Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  asa.exe   Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Loads dropped DLL  1 IoC
  Process   PID
  asa.exe   240

Obfuscated with Agile.Net obfuscator  1 IoC
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Resource                                                                      YARA rule
  behavioral1/memory/240-1-0x0000000000EF0000-0x00000000015FA000-memory.dmp    agile_net
  (This 7.0MB region is the same size as asa.exe itself.)

Themida packer (YARA rule themida)  5 IoCs
  Resource                                                                                   YARA rule
  C:\Users\Admin\AppData\Local\Temp\46f17dfb-dd93-4b8b-9636-058b2dc118e8\AgileDotNetRT.dll   themida
  behavioral1/memory/240-10-0x00000000722C0000-0x0000000072A45000-memory.dmp                 themida
  behavioral1/memory/240-13-0x00000000722C0000-0x0000000072A45000-memory.dmp                 themida
  behavioral1/memory/240-14-0x00000000722C0000-0x0000000072A45000-memory.dmp                 themida
  behavioral1/memory/240-21-0x00000000722C0000-0x0000000072A45000-memory.dmp                 themida
  (The four memory hits are repeated dumps of one region, 0x722C0000-0x72A45000; the file hit is the dropped Agile.NET runtime DLL.)

Checks whether UAC is enabled  1 IoC
  Process   Action              IoC
  asa.exe   Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of NtSetInformationThreadHideFromDebugger  1 IoC
  Process   PID
  asa.exe   240

Suspicious behavior: EnumeratesProcesses  2 IoCs
  Process   PID
  asa.exe   240
  asa.exe   240

Suspicious use of AdjustPrivilegeToken  45 IoCs
  Process    PID    Token adjusted
  asa.exe    240    SeDebugPrivilege
  wmic.exe   3552   SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege,
                    SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege,
                    SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege,
                    SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
                    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
                    SeManageVolumePrivilege, 33, 34, 35, 36
  wmic.exe   3552   the same 21 privileges, adjusted a second time
  asa.exe    240    SeDebugPrivilege
  asa.exe    240    SeShutdownPrivilege
  The sample itself only touches SeDebugPrivilege and SeShutdownPrivilege; the 42 wmic.exe entries are two passes over one fixed set. The unnamed LUIDs 33-36 are, by their winnt.h values, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege.

Suspicious use of WriteProcessMemory  3 IoCs
  Process   PID   Target
  asa.exe   240   wrote to memory of PID 3552 (wmic.exe), three times
  All three writes go to a child that asa.exe has just spawned, which is also what ordinary process creation looks like (the parent populates the new process's startup data); on its own this is a weak indicator of injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\asa.exe  (PID 240)
   Command line: "C:\Users\Admin\AppData\Local\Temp\asa.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Loads dropped DLL
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\Wbem\wmic.exe  (PID 3552, child of 1)
      Command line: "wmic.exe" csproduct get uuid
      - Suspicious use of AdjustPrivilegeToken
      csproduct get uuid returns the SMBIOS system UUID (Win32_ComputerSystemProduct.UUID); together with the ACPI and BIOS registry reads above it is a host/VM fingerprinting step. The SysWOW64 path means the parent is a 32-bit process (file system redirection), consistent with the arch:x86 tag and the 32-bit address ranges in the memory dumps.
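The signatures above are derived from raw registry and process events. The following added example (not the sandbox's own signature code, and not from the sample's author) shows that derivation: it classifies constructed event lines built from this report's IoCs into the same signature names, and adds the wmic UUID query from the process tree as one more rule. The event line format, the rule names not present in the report, and the extra FADT/RSDT table names in the VirtualBox rule are this example's assumptions.

```python
"""Classify raw sandbox events into the evasion-style signatures listed above.

Added example, not the sandbox's own signature code. The event line format
('<pid> <image> <action> <target>') and the wmic rule name are assumptions made
for illustration; the IoC values are copied from this report.
"""
import re
from collections import defaultdict

# Constructed events modelled on the report's IoCs (not a real sandbox log).
# The 'Windows NT\\CurrentVersion' line is benign noise added to show a non-match.
EVENTS = """\
240 asa.exe KeyOpened \\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__
240 asa.exe ValueQueried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion
240 asa.exe ValueQueried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion
240 asa.exe ValueQueried \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA
240 asa.exe KeyOpened \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
3552 wmic.exe ProcessStart "wmic.exe" csproduct get uuid
""".splitlines()

# (signature name, actions it applies to, pattern over the event target).
# The VirtualBox rule also covers the FADT and RSDT tables, where the same
# "VBOX__" OEM ID appears; the report only shows the DSDT hit.
RULES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     {"KeyOpened", "ValueQueried"},
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Checks BIOS information in registry",
     {"ValueQueried"},
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("Checks whether UAC is enabled",
     {"ValueQueried"},
     re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
    # Not a named signature in the report; assumed name, added for the wmic child.
    ("Queries SMBIOS UUID via wmic (assumed rule name)",
     {"ProcessStart"},
     re.compile(r"\bwmic(\.exe)?\b.*\bcsproduct\b.*\buuid\b", re.I)),
]


def parse_event(line):
    """Split one constructed event line into its four fields."""
    pid, image, action, target = line.split(maxsplit=3)
    return {"pid": int(pid), "image": image, "action": action, "target": target}


def classify(lines):
    """Return {signature name: [(pid, image, target), ...]} for every matching event."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, actions, pattern in RULES:
            if ev["action"] in actions and pattern.search(ev["target"]):
                hits[name].append((ev["pid"], ev["image"], ev["target"]))
    return dict(hits)


def ioc_counts(hits):
    """IoC count per signature, the number shown next to each heading above."""
    return {name: len(events) for name, events in hits.items()}


if __name__ == "__main__":
    for name, count in ioc_counts(classify(EVENTS)).items():
        print(f"{count} IoC(s): {name}")
```

The counts it produces for the constructed input match the report (1, 2 and 1 IoCs for the three registry signatures); the benign Windows NT\CurrentVersion read matches nothing, which is the point of anchoring the patterns on the specific value names rather than on HARDWARE\ or SOFTWARE\ as a whole.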
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\46f17dfb-dd93-4b8b-9636-058b2dc118e8\AgileDotNetRT.dll
  Filesize: 2.8MB
  MD5:      1e275530f75ec0222ad0a49117819936
  SHA1:     c469db9377442dc65d1c4c6cc5985b28cb1c26e2
  SHA256:   d8519a2a1f40baeb1ee2e6eb1aca27745e5dcab7c046d65b27246e24af57d2bb
  SHA512:   76af1a2193a3b4dc6adc31c9d160b368c6d1a6368af1e99065b53c01cd1c6a93533167a570e6ea68959eeb06b24664f182ad7eef5d7f1ecbfc4cd55e83a72061

Memory dumps of PID 240, ordered by dump sequence number (the name carries the dumped address range)
  Dump                                                             Filesize
  memory/240-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp    4KB
  memory/240-1-0x0000000000EF0000-0x00000000015FA000-memory.dmp    7.0MB
  memory/240-2-0x0000000074A50000-0x0000000075201000-memory.dmp    7.7MB
  memory/240-3-0x0000000006670000-0x0000000006C16000-memory.dmp    5.6MB
  memory/240-10-0x00000000722C0000-0x0000000072A45000-memory.dmp   7.5MB
  memory/240-11-0x0000000074A50000-0x0000000075201000-memory.dmp   7.7MB
  memory/240-13-0x00000000722C0000-0x0000000072A45000-memory.dmp   7.5MB
  memory/240-14-0x00000000722C0000-0x0000000072A45000-memory.dmp   7.5MB
  memory/240-17-0x00000000734E0000-0x000000007356A000-memory.dmp   552KB
  memory/240-18-0x0000000007310000-0x00000000073AC000-memory.dmp   624KB
  memory/240-19-0x00000000073B0000-0x0000000007416000-memory.dmp   408KB
  memory/240-20-0x00000000077C0000-0x0000000007852000-memory.dmp   584KB
  memory/240-21-0x00000000722C0000-0x0000000072A45000-memory.dmp   7.5MB
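The dump names above encode the dumped address range, so the listed sizes can be recomputed and the repeated dumps of one region grouped. The following added example (not part of the report or the sandbox's tooling) parses every name from the Downloads section, checks that end minus start reproduces the printed size, and groups dumps by region. The name format and the size rounding are this example's reading of the listing.

```python
"""Parse the memory-dump names listed above and cross-check the printed sizes.

Added example; not part of the report or the sandbox's tooling. The dump names
and sizes are copied from the Downloads section; the name format
'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' and the size rounding are
this example's reading of that listing.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed from the Downloads section: (dump name, size as printed).
REPORTED = [
    ("memory/240-11-0x0000000074A50000-0x0000000075201000-memory.dmp", "7.7MB"),
    ("memory/240-2-0x0000000074A50000-0x0000000075201000-memory.dmp", "7.7MB"),
    ("memory/240-3-0x0000000006670000-0x0000000006C16000-memory.dmp", "5.6MB"),
    ("memory/240-1-0x0000000000EF0000-0x00000000015FA000-memory.dmp", "7.0MB"),
    ("memory/240-10-0x00000000722C0000-0x0000000072A45000-memory.dmp", "7.5MB"),
    ("memory/240-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp", "4KB"),
    ("memory/240-13-0x00000000722C0000-0x0000000072A45000-memory.dmp", "7.5MB"),
    ("memory/240-14-0x00000000722C0000-0x0000000072A45000-memory.dmp", "7.5MB"),
    ("memory/240-17-0x00000000734E0000-0x000000007356A000-memory.dmp", "552KB"),
    ("memory/240-18-0x0000000007310000-0x00000000073AC000-memory.dmp", "624KB"),
    ("memory/240-19-0x00000000073B0000-0x0000000007416000-memory.dmp", "408KB"),
    ("memory/240-20-0x00000000077C0000-0x0000000007852000-memory.dmp", "584KB"),
    ("memory/240-21-0x00000000722C0000-0x0000000072A45000-memory.dmp", "7.5MB"),
]


def is_dump_name(name):
    """True for memory-dump names; False for dropped files such as the DLL above."""
    return DUMP_RE.match(name) is not None


def parse_dump_name(name):
    """Return pid, dump sequence number, start/end VA and byte size of a dump."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Render bytes the way the report prints them: one-decimal MB at or above
    1 MiB, whole KB below (binary units; this reproduces every row above)."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def check_reported(rows):
    """[(name, computed bytes, printed size, printed == computed)] per dump."""
    out = []
    for name, printed in rows:
        size = parse_dump_name(name)["size"]
        out.append((name, size, printed, human_size(size) == printed))
    return out


def group_by_region(rows):
    """{(start, end): [seq, ...]}: the same region dumped repeatedly, e.g. the
    0x722C0000-0x72A45000 region that carries the themida YARA hits."""
    groups = defaultdict(list)
    for name, _ in rows:
        d = parse_dump_name(name)
        groups[(d["start"], d["end"])].append(d["seq"])
    return {region: sorted(seqs) for region, seqs in groups.items()}


if __name__ == "__main__":
    for name, size, printed, ok in check_reported(REPORTED):
        print(f"{'ok ' if ok else 'BAD'} {size:>9} bytes  printed {printed:>6}  {name}")
    for (start, end), seqs in group_by_region(REPORTED).items():
        if len(seqs) > 1:
            print(f"region 0x{start:08X}-0x{end:08X} dumped {len(seqs)} times: {seqs}")
```

Every printed size is reproduced from the address range, and the grouping shows two regions dumped more than once: 0x722C0000-0x72A45000 (sequence numbers 10, 13, 14, 21, all themida hits) and 0x74A50000-0x75201000 (2 and 11). When triaging, the later dump of a repeatedly captured region is usually the one to unpack first, since it reflects the state after the protector has finished running.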