Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/07/2024, 03:22

General

  • Target

    UniversalNoRecoil.exe

  • Size

    3.5MB

  • MD5

    09bc1e644be731132ca33f86ef2aa866

  • SHA1

    910616c61bc4b47b52840d12acad335a7296a501

  • SHA256

    402c0ab258264cc9759adc7c34627bef4c44427e0bd76eb75a0bdb577d01e40d

  • SHA512

    6a25c0e413c97b605c7081f9eef45f934067f708d7d38ea50d3c6c4cf2b33f5043558d871c509b3185860d3c06989454e0f5521e740d6700fdee91cf808cbfda

  • SSDEEP

    49152:8XzhpDtKSK1cb8PGK+Tfuqmpc3elWo8GnQAsYZEVffBcdelkuR7X39c3CnD:8XzhW148Pd+Tf1mpcOldJQ3/VffBGlA

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 6 IoCs
  • Themida packer 17 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\UniversalNoRecoil.exe
    "C:\Users\Admin\AppData\Local\Temp\UniversalNoRecoil.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3600
    • \??\c:\users\admin\appdata\local\temp\universalnorecoil.exe 
      c:\users\admin\appdata\local\temp\universalnorecoil.exe 
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:5064
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2428
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1412
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4280
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in System32 directory
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:468
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetWindowsHookEx
              PID:1840

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\universalnorecoil.exe 

    Filesize

    904KB

    MD5

    73ba1b093985d6b09ff3107b9f635630

    SHA1

    a8528462159913b96bbb1e870f0a738f363f2fb9

    SHA256

    c6874a0e7add4cc916b6dbe67326898f48ccd6cfc3f47eb15cd7545b409b7ef4

    SHA512

    9391130aff46a4fcfccb17d9bcfb220d4cab55958e66008d8d4691ce3aa3d13e963cfe8485a2400d915052da31233b84e02f1d547965a626f326a6c533624fd5

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    2.6MB

    MD5

    4108c664df6172f02d9afd5f7eafccf5

    SHA1

    1bd7b12e4f39d89e79254de2fe138ca76fb4cde4

    SHA256

    58be7352b8be71ce006022a39ef775a93e0b1e93d7fcc75ae028400f43df1d9f

    SHA512

    31d0d67cc6440e94b0de17a0c317a6e625886e560e19d30af050624be59b9b007830a707bb9d79c31910bac53e52595a851b0eb3e27cb08871f90d52c40d52f7

  • C:\Windows\Resources\Themes\icsys.icn.exe

    Filesize

    2.6MB

    MD5

    0e4a7348e7f8e650078b9ba71b41cb1f

    SHA1

    915a1307afa15b869c126f1ad53ff117adb92a2f

    SHA256

    b6b91aaae7444b22a1d25744fcb441069fc18e9be3675f4953429650bd5acd33

    SHA512

    03c634b9c97525b3918748bfafc8be126abddd27f3810eef93c94e8b1f569d3164559b2ecd0d35e2c3c26271863a5be30aae1cf82e60a3a53a46da4f7718df60

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    2.6MB

    MD5

    5ef304451541e0f70d18f63abed4f576

    SHA1

    7149df1a5b99cd3952dbdbdde0f1175444375ee5

    SHA256

    7595ab0bce054c5a9e2f445839f3267a60466745d23f25769177fa64a0d4e731

    SHA512

    33ae7cb4a443ec0b18378f380be4f9d3aa8602c1f296af12bda3dcdaa4023739c8da8401f76c9e16c4da720fe6b019473cc9ae820f0b7b1b6a73aec945de64a3

  • \??\c:\windows\resources\svchost.exe

    Filesize

    2.6MB

    MD5

    da3654bbee0ebb961012f8d0e3b91736

    SHA1

    35bdc6558fa5ab229a1d16b084415051e8db2f3c

    SHA256

    6daa5d138e5241b0e0da54e3ca71a71d3177c788e5ae33efbc7b72901a6b2476

    SHA512

    cfb0dfc3a26dca9c4986c8f68d2cc101dbdbac6549e1c77bdd34490d32a6036ba232e1fb073c59b0e1d3489324f42f63c54440d6f345a5611ce46c89df88920b

  • memory/468-58-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

  • memory/468-40-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

  • memory/1412-22-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

  • memory/1412-70-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

  • memory/1412-57-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

  • memory/1840-52-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

  • memory/1840-45-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

  • memory/2428-13-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

  • memory/2428-55-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

  • memory/3600-56-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

  • memory/3600-0-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

  • memory/3600-1-0x0000000077454000-0x0000000077456000-memory.dmp

    Filesize

    8KB

  • memory/4280-51-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

  • memory/4280-31-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB