Analysis
- max time kernel: 457s
- max time network: 460s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-06-2024 19:22
General
- Target: OrangeRemover_protected_1.exe
- Size: 2.6MB
- MD5: 71b058aa939294a995f598cf39cfedf8
- SHA1: 252d2ff52f6238c587003ea57a3d8b262045e1c5
- SHA256: 4a7491599332383fa223e844530e29335565655388c5502315cbd6d431ed6297
- SHA512: 22ed588558121c9abb0497089f24aa8f17278fca973f0544e0780ab409cf574131671a75e25cd46b72e6e2407761a9ae325c2bc9f27fd9b31b85e1b6647ae9f0
- SSDEEP: 49152:827XAJi++OvJYxvFScoTSEgYlJF0dQlx3uUwIyP6gxX9jHV:17XAJiOivF0S3Y3+Wlx3uUnCF95
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 1 IoC]
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | OrangeRemover_protected_1.exe
- Checks BIOS information in registry [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | OrangeRemover_protected_1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OrangeRemover_protected_1.exe
- Processes:
  resource | yara_rule
  behavioral1/memory/652-0-0x0000000140000000-0x0000000140719000-memory.dmp | themida
  behavioral1/memory/652-3-0x0000000140000000-0x0000000140719000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | OrangeRemover_protected_1.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoC]
  Processes:
  pid | process
  652 | OrangeRemover_protected_1.exe
- Launches sc.exe [2 IoCs]
  Sc.exe is a Windows utility to control services on the system.
  Processes:
  pid | process
  4456 | sc.exe
  3308 | sc.exe
- Enumerates physical storage devices [1 TTP]
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill [1 IoC]
  Processes:
  pid | process
  2784 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken [1 IoC]
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2784 | taskkill.exe
- Suspicious use of WriteProcessMemory [12 IoCs]
  Processes:
  description | pid | process | target process
  PID 652 wrote to memory of 1956 | 652 | OrangeRemover_protected_1.exe | cmd.exe
  PID 652 wrote to memory of 1956 | 652 | OrangeRemover_protected_1.exe | cmd.exe
  PID 1956 wrote to memory of 2784 | 1956 | cmd.exe | taskkill.exe
  PID 1956 wrote to memory of 2784 | 1956 | cmd.exe | taskkill.exe
  PID 652 wrote to memory of 2540 | 652 | OrangeRemover_protected_1.exe | cmd.exe
  PID 652 wrote to memory of 2540 | 652 | OrangeRemover_protected_1.exe | cmd.exe
  PID 2540 wrote to memory of 3308 | 2540 | cmd.exe | sc.exe
  PID 2540 wrote to memory of 3308 | 2540 | cmd.exe | sc.exe
  PID 652 wrote to memory of 4280 | 652 | OrangeRemover_protected_1.exe | cmd.exe
  PID 652 wrote to memory of 4280 | 652 | OrangeRemover_protected_1.exe | cmd.exe
  PID 4280 wrote to memory of 4456 | 4280 | cmd.exe | sc.exe
  PID 4280 wrote to memory of 4456 | 4280 | cmd.exe | sc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\OrangeRemover_protected_1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\OrangeRemover_protected_1.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID: 652
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe >nul
    - Suspicious use of WriteProcessMemory
    PID: 1956
    - C:\Windows\system32\taskkill.exe
      Command line: taskkill /f /im EasyAntiCheat.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2784
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat
    - Suspicious use of WriteProcessMemory
    PID: 2540
    - C:\Windows\system32\sc.exe
      Command line: sc stop EasyAntiCheat
      - Launches sc.exe
      PID: 3308
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c sc delete EasyAntiCheat
    - Suspicious use of WriteProcessMemory
    PID: 4280
    - C:\Windows\system32\sc.exe
      Command line: sc delete EasyAntiCheat
      - Launches sc.exe
      PID: 4456
Network
MITRE ATT&CK Enterprise v15
Downloads
- memory/652-0-0x0000000140000000-0x0000000140719000-memory.dmp (filesize: 7.1MB)
- memory/652-1-0x00007FFAA5CB0000-0x00007FFAA5EA5000-memory.dmp (filesize: 2.0MB)
- memory/652-3-0x0000000140000000-0x0000000140719000-memory.dmp (filesize: 7.1MB)
- memory/652-4-0x00007FFAA5CB0000-0x00007FFAA5EA5000-memory.dmp (filesize: 2.0MB)