Analysis

  • max time kernel
    457s
  • max time network
    460s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-06-2024 19:22

General

  • Target

    OrangeRemover_protected_1.exe

  • Size

    2.6MB

  • MD5

    71b058aa939294a995f598cf39cfedf8

  • SHA1

    252d2ff52f6238c587003ea57a3d8b262045e1c5

  • SHA256

    4a7491599332383fa223e844530e29335565655388c5502315cbd6d431ed6297

  • SHA512

    22ed588558121c9abb0497089f24aa8f17278fca973f0544e0780ab409cf574131671a75e25cd46b72e6e2407761a9ae325c2bc9f27fd9b31b85e1b6647ae9f0

  • SSDEEP

    49152:827XAJi++OvJYxvFScoTSEgYlJF0dQlx3uUwIyP6gxX9jHV:17XAJiOivF0S3Y3+Wlx3uUnCF95

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Stops running service(s) 4 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OrangeRemover_protected_1.exe
    "C:\Users\Admin\AppData\Local\Temp\OrangeRemover_protected_1.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe >nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im EasyAntiCheat.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2784
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\system32\sc.exe
        sc stop EasyAntiCheat
        3⤵
        • Launches sc.exe
        PID:3308
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete EasyAntiCheat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4280
      • C:\Windows\system32\sc.exe
        sc delete EasyAntiCheat
        3⤵
        • Launches sc.exe
        PID:4456

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/652-0-0x0000000140000000-0x0000000140719000-memory.dmp
    Filesize

    7.1MB

  • memory/652-1-0x00007FFAA5CB0000-0x00007FFAA5EA5000-memory.dmp
    Filesize

    2.0MB

  • memory/652-3-0x0000000140000000-0x0000000140719000-memory.dmp
    Filesize

    7.1MB

  • memory/652-4-0x00007FFAA5CB0000-0x00007FFAA5EA5000-memory.dmp
    Filesize

    2.0MB