Overview

overview

10

Static

static

10

BearFlix\BearFlix.exe

windows7-x64

9

BearFlix\BearFlix.exe

windows10-2004-x64

9

BearFlix\data.exe

windows7-x64

1

BearFlix\data.exe

windows10-2004-x64

3

BearFlix\libcef.exe

windows7-x64

9

BearFlix\libcef.exe

windows10-2004-x64

9

BearFlix\strip.exe

windows7-x64

9

BearFlix\strip.exe

windows10-2004-x64

9

BruteFlix ...ed.exe

windows7-x64

9

BruteFlix ...ed.exe

windows10-2004-x64

9

BruteFlix ...le.dll

windows7-x64

1

BruteFlix ...le.dll

windows10-2004-x64

1

BruteFlix ...et.dll

windows7-x64

1

BruteFlix ...et.dll

windows10-2004-x64

1

BruteFlix ...on.dll

windows7-x64

1

BruteFlix ...on.dll

windows10-2004-x64

1

BruteFlix ...ta.exe

windows7-x64

9

BruteFlix ...ta.exe

windows10-2004-x64

9

BruteFlix ...ef.exe

windows7-x64

9

BruteFlix ...ef.exe

windows10-2004-x64

9

BruteFlix ...ec.exe

windows7-x64

1

BruteFlix ...ec.exe

windows10-2004-x64

3

Dark Star ...32.dll

windows7-x64

3

Dark Star ...32.dll

windows10-2004-x64

3

Dark Star ...64.dll

windows7-x64

1

Dark Star ...64.dll

windows10-2004-x64

1

Dark Star ...io.exe

windows7-x64

9

Dark Star ...io.exe

windows10-2004-x64

9

Dark Star ...al.exe

windows7-x64

3

Dark Star ...al.exe

windows10-2004-x64

3

Dark Star ...32.exe

windows7-x64

1

Dark Star ...32.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    293s
  • max time network
    281s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-08-2024 07:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BearFlix\BearFlix.exe

  • Size

    393KB

  • MD5

    219cc860813f9cdfad1e7e45a19da1a4

  • SHA1

    e7d27e4b0441283acc06b8270de41918dbd9ec7a

  • SHA256

    1422481834c140a96979b1618db835231b4e67475854c9a200fa08f0cdb02371

  • SHA512

    c9d7419db07c3d6820ab5dddbcfdca1ba787e6d4777248354d4f596987f9eb9bdd301ab6a102a95469c8031bf259cd9e0f58fca64df30d01861150a952574fc4

  • SSDEEP

    6144:GfUXZAwseFnp0Ak27gU6bF8ViOAOupdDCXPaKFh:GsJrrFnphE78IOQWXPaEh

Score
9/10
agilenetdiscoveryevasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Themida packer 15 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BearFlix\BearFlix.exe
    "C:\Users\Admin\AppData\Local\Temp\BearFlix\BearFlix.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\ProgramData\UserOOOBE\UserOOOBE.exe
      C:\ProgramData\\UserOOOBE\\UserOOOBE.exe ,.
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:516
    • C:\Users\Admin\AppData\Local\Temp\BearFlix\strip.cfg
      strip.cfg
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      PID:3552
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1064
        3⤵
        • Program crash
        PID:1644
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1116
        3⤵
        • Program crash
        PID:1668
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1124
        3⤵
        • Program crash
        PID:4128
    • C:\ProgramData\winsrvhost\winsrvhost.exe
      C:\ProgramData\\winsrvhost\\winsrvhost.exe 09Y6AKQAX6hG0NhUqMFisLK81XmpSpg3VcFEX7Clfm6HrBwBtPM90EJJaocrKCm0
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      PID:3252
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3552 -ip 3552
    1⤵
      PID:4588
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3552 -ip 3552
      1⤵
        PID:808
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3552 -ip 3552
        1⤵
          PID:3068

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\UserOOOBE\UserOOOBE.exe
          Filesize

          1.6MB

          MD5

          939712a4d4341fb67c0214621a78fca7

          SHA1

          53225cb2d07e8131c9fdb086a70a81cd41f588ea

          SHA256

          f594ff49ea0a51dc4a76609291b7c3e44fcc92789378f899349609407ac55b61

          SHA512

          f9cd9997394dae980b99018902e347a48b4eab44041e88bad6fc3d10c173b31cea44b0202e7233b1dc934c102c27f1ce5662a01e53b1b0f80197c9c73bb24144

          Download Submit

        • C:\ProgramData\winsrvhost\winsrvhost.exe
          Filesize

          3.0MB

          MD5

          a553208ea4a57f1334669fe1e80113b7

          SHA1

          509aebd8384adb5f0d5f37dd3dd2b799ca7ddae6

          SHA256

          c868a800bef638fd579202534fa763a584cf78a01447afc89908ed1bae308ace

          SHA512

          08765ce1ed9d095527b469495b2138e6446c9034916f4030e7c02c43ea7b39708c1d3cd4f35c9df156633e77cdcb702258f7d627c028c902ac3f450dd0643eef

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\2e082fe2-809f-4139-90cf-9dcb3fb2c4b1\AgileDotNetRT.dll
          Filesize

          2.3MB

          MD5

          105e678e6ee84e0fa7fbe34df1f9639c

          SHA1

          17e4d775f4405e3a81a793b5bf775e9c95da5af9

          SHA256

          4ef4551d44fde6e46c470314b0b89f6418a54eee3f1ad9eb7456b2a20e3065a2

          SHA512

          3a15a2f188a4f572923d1999a77ef6d14b243d1c0e3a4442b5a6825756b93b40e2c6197d106df62ae3b427c62ff6b21fc2fe8181a3b6709e9991f1ddd36e5689

          Download Submit

        • memory/3252-20-0x00000000006A0000-0x0000000000AFB000-memory.dmp

          Filesize

          4.4MB

          Download

        • memory/3252-16-0x00000000006A0000-0x0000000000AFB000-memory.dmp

          Filesize

          4.4MB

          Download

        • memory/3252-18-0x00000000006A0000-0x0000000000AFB000-memory.dmp

          Filesize

          4.4MB

          Download

        • memory/3252-17-0x00000000006A0000-0x0000000000AFB000-memory.dmp

          Filesize

          4.4MB

          Download

        • memory/3252-21-0x00000000006A0000-0x0000000000AFB000-memory.dmp

          Filesize

          4.4MB

          Download

        • memory/3252-22-0x00000000006A0000-0x0000000000AFB000-memory.dmp

          Filesize

          4.4MB

          Download

        • memory/3252-40-0x00000000006A0000-0x0000000000AFB000-memory.dmp

          Filesize

          4.4MB

          Download

        • memory/3252-14-0x00000000006A0000-0x0000000000AFB000-memory.dmp

          Filesize

          4.4MB

          Download

        • memory/3252-19-0x00000000006A0000-0x0000000000AFB000-memory.dmp

          Filesize

          4.4MB

          Download

        • memory/3552-24-0x0000000074770000-0x0000000074F20000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3552-25-0x0000000005390000-0x00000000056E4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3552-15-0x000000007477E000-0x000000007477F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3552-33-0x00000000719C0000-0x0000000071FD9000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/3552-35-0x00000000719C0000-0x0000000071FD9000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/3552-36-0x0000000074770000-0x0000000074F20000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3552-37-0x00000000757B0000-0x0000000075839000-memory.dmp

          Filesize

          548KB

          Download

        • memory/3552-34-0x00000000719C0000-0x0000000071FD9000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/3552-39-0x0000000074770000-0x0000000074F20000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3552-38-0x00000000719C0000-0x0000000071FD9000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/3552-23-0x0000000000490000-0x0000000000BA2000-memory.dmp

          Filesize

          7.1MB

          Download