Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-08-2024 09:52

General

  • Target

    downloader (5).exe

  • Size

    70.1MB

  • MD5

    990cb2c6cadc8c36bdf40fb70419f141

  • SHA1

    18b2151d37dd6dea520d92127fc1518a8f344601

  • SHA256

    adaaba0fa5907074e6e35be2d3f1bf97e32b7630ba8bb9eb91797c0795c37e2e

  • SHA512

    a15bd95e953d2c9e4361535f3097e07a049419e14456e54f22d38295e3348e149b1dc703097f00f00f500b7684b63ed1f86dba74139cb9e10c9ab59f55bfb9f9

  • SSDEEP

    393216:lWxQN89qQk4adiJCuE2fUCdod+OvqKkZHzXhJ/KTe8uiBUtkc0k3qjsGg4GUo3NV:lWoI7zGF5ahWc3ImL

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS and ACPI data that Windows exposes through the registry (firmware vendor and product strings, ACPI table OEM identifiers) reveal the hypervisor, so malware reads them to detect sandboxes; here the ACPI lookup targets VirtualBox specifically.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation. Consistent with this, the sample drops AgileDotNetRT64.dll (the Agile.NET runtime that protected .NET code loads at start-up) into a GUID-named folder under %TEMP%; see Downloads below.

  • Themida packer 17 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

    Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which stops debug events for that thread from reaching an attached debugger; a common anti-debugging technique, also seen alongside commercial protectors such as Themida.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs

    Registers the process for clipboard-change notifications, which is how clipboard monitors and clipboard-replacing stealers observe copied data.
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

    Installs a Windows message hook; with a keyboard hook type this is the classic user-mode keystroke-capture mechanism. The hook type is not recorded in this report.
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\downloader (5).exe
    "C:\Users\Admin\AppData\Local\Temp\downloader (5).exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\Xbox.exe""
      2⤵
        PID:612
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\XClient.exe""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\Users\Admin\AppData\Local\Temp\XClient.exe
          "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2912
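The tree above shows the dropper launching each payload through cmd.exe with `start "" "<path>"`, so XClient.exe ends up parented by cmd.exe rather than by downloader (5).exe. The following Python is an added detection example, not part of this report or of any sandbox product: it runs over constructed Sysmon-style process-creation events (the two command lines marked "from report" are copied from the tree; the PIDs, parent paths and the two control events are made up) and flags the launcher idiom only when the target executable sits in a user-writable staging directory.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample events modelled on the process tree in this report. Field
# names follow Sysmon Event ID 1 (ProcessCreate); the two command lines marked
# "from report" are copied from the tree above, everything else is made up.
SAMPLE_EVENTS: List[Dict] = [
    {   # from report: downloader (5).exe -> cmd.exe -> start Xbox.exe
        "ProcessId": 612,
        "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\downloader (5).exe",
        "Image": r"C:\Windows\system32\cmd.exe",
        "CommandLine": r'C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\Xbox.exe""',
    },
    {   # from report: downloader (5).exe -> cmd.exe -> start XClient.exe
        "ProcessId": 2892,
        "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\downloader (5).exe",
        "Image": r"C:\Windows\system32\cmd.exe",
        "CommandLine": r'C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\XClient.exe""',
    },
    {   # constructed control: same launcher idiom, target under Program Files
        "ProcessId": 4100,
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
        "Image": r"C:\Windows\system32\cmd.exe",
        "CommandLine": r'C:\Windows\system32\cmd.exe /c "start "" "C:\Program Files\Vendor\app.exe""',
    },
    {   # constructed control: cmd.exe without start
        "ProcessId": 4200,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\system32\cmd.exe",
        "CommandLine": r"C:\Windows\system32\cmd.exe /c dir",
    },
]

# start "" "<path>": the empty first argument is the window title that cmd's
# START consumes when the target path is itself quoted.
START_RE = re.compile(r'\bstart\s+""\s+"([^"]+)"', re.IGNORECASE)
CMD_C_RE = re.compile(r"(?:^|\s)/c(?:\s|$)", re.IGNORECASE)

# Directories any user can write to; executables launched from here by a
# cmd.exe launcher are the interesting case. Hypothetical list for this example.
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")


def in_staging_dir(path: str) -> bool:
    """True if the path lies under one of the user-writable staging directories."""
    p = path.lower()
    return any(d in p for d in STAGING_DIRS)


def detect_start_launcher(events: Iterable[Dict]) -> List[Dict]:
    """Flag cmd.exe /c 'start "" "<exe>"' where <exe> lives in a user-writable directory.

    The launcher idiom is legitimate on its own; the staging-directory target,
    and a parent that also runs from a staging directory, are what make a hit.
    """
    hits: List[Dict] = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\cmd.exe"):
            continue
        cmd = ev["CommandLine"]
        if not CMD_C_RE.search(cmd):
            continue
        m = START_RE.search(cmd)
        if not m:
            continue
        target = m.group(1)
        if not in_staging_dir(target):
            continue
        hits.append({
            "pid": ev["ProcessId"],
            "parent": ev["ParentImage"],
            "target": target,
            "parent_in_staging": in_staging_dir(ev["ParentImage"]),
        })
    return hits


if __name__ == "__main__":
    for h in detect_start_launcher(SAMPLE_EVENTS):
        print(f"pid {h['pid']}: cmd.exe launched {h['target']} "
              f"(parent in staging dir: {h['parent_in_staging']})")
```

Keying on the cmd.exe command line matters because the `start` indirection breaks the obvious parent/child relationship: a rule that looks for downloader (5).exe as the direct parent of XClient.exe never fires against this tree.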

Downloads

    • C:\Users\Admin\AppData\Local\Temp\2ee4191c-6d2b-4025-92a2-d6b9b7e459b2\AgileDotNetRT64.dll

      Filesize

      4.2MB

      MD5

      05b012457488a95a05d0541e0470d392

      SHA1

      74f541d6a8365508c794ef7b4ac7c297457f9ce3

      SHA256

      1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d

      SHA512

      6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

    • C:\Users\Admin\AppData\Local\Temp\XClient.exe

      Filesize

      7.0MB

      MD5

      4fdd953a53303a4dd38242fee3b3c53a

      SHA1

      8d962de4d2f783a35b2666755e97928e446ceb1e

      SHA256

      5243fc913cc5de56bb4a58e73f9ee9715a8779146737fc7c865d4d5390ae750f

      SHA512

      5329acc05f07c5e82222877183e1e197cd6506a1cea24017930bf9f03159ea86f6853fc057378a646e8da79713e06f0f147c4b76135f058a9f21f737d8359737

    • memory/2912-37-0x000007FEED390000-0x000007FEEDF14000-memory.dmp

      Filesize

      11.5MB

    • memory/2912-39-0x000007FEED390000-0x000007FEEDF14000-memory.dmp

      Filesize

      11.5MB

    • memory/2912-17-0x000007FEED390000-0x000007FEEDF14000-memory.dmp

      Filesize

      11.5MB

    • memory/2912-27-0x000007FEF6FE0000-0x000007FEF710C000-memory.dmp

      Filesize

      1.2MB

    • memory/2912-32-0x000007FEED390000-0x000007FEEDF14000-memory.dmp

      Filesize

      11.5MB

    • memory/2912-33-0x000007FEED390000-0x000007FEEDF14000-memory.dmp

      Filesize

      11.5MB

    • memory/2912-34-0x000007FEED390000-0x000007FEEDF14000-memory.dmp

      Filesize

      11.5MB

    • memory/2912-36-0x000007FEED390000-0x000007FEEDF14000-memory.dmp

      Filesize

      11.5MB

    • memory/2912-8-0x0000000000A20000-0x0000000001128000-memory.dmp

      Filesize

      7.0MB

    • memory/2912-15-0x000007FEED390000-0x000007FEEDF14000-memory.dmp

      Filesize

      11.5MB

    • memory/2912-40-0x000007FEED390000-0x000007FEEDF14000-memory.dmp

      Filesize

      11.5MB

    • memory/2912-41-0x000007FEED390000-0x000007FEEDF14000-memory.dmp

      Filesize

      11.5MB

    • memory/2912-42-0x000007FEED390000-0x000007FEEDF14000-memory.dmp

      Filesize

      11.5MB

    • memory/2912-43-0x000007FEED390000-0x000007FEEDF14000-memory.dmp

      Filesize

      11.5MB

    • memory/2912-44-0x000007FEED390000-0x000007FEEDF14000-memory.dmp

      Filesize

      11.5MB

    • memory/2912-45-0x000007FEED390000-0x000007FEEDF14000-memory.dmp

      Filesize

      11.5MB

    • memory/2912-46-0x000007FEED390000-0x000007FEEDF14000-memory.dmp

      Filesize

      11.5MB

    • memory/2912-47-0x000007FEED390000-0x000007FEEDF14000-memory.dmp

      Filesize

      11.5MB
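The memory artefacts listed above are repeated captures of a few mappings inside PID 2912 (XClient.exe), named `memory/<pid>-<capture>-<start>-<end>-memory.dmp`. The following Python is an added example, not part of this report or of the sandbox that produced it: it parses those names, collapses them to distinct address ranges, converts the range lengths to MiB as the report does, and checks which dropped file has a reported size equal to a region's size. The 7.0MB region at 0xA20000 matches the 7.0MB XClient.exe; that is a size-equality heuristic suggesting the region is the mapped image, not proof. The name list embedded below is a subset of the entries above.

```python
import re
from collections import OrderedDict
from typing import Dict, Iterable, List

# Subset of the memory artefact names from this report, copied verbatim.
DUMP_NAMES = [
    "memory/2912-37-0x000007FEED390000-0x000007FEEDF14000-memory.dmp",
    "memory/2912-39-0x000007FEED390000-0x000007FEEDF14000-memory.dmp",
    "memory/2912-17-0x000007FEED390000-0x000007FEEDF14000-memory.dmp",
    "memory/2912-27-0x000007FEF6FE0000-0x000007FEF710C000-memory.dmp",
    "memory/2912-32-0x000007FEED390000-0x000007FEEDF14000-memory.dmp",
    "memory/2912-8-0x0000000000A20000-0x0000000001128000-memory.dmp",
    "memory/2912-15-0x000007FEED390000-0x000007FEEDF14000-memory.dmp",
    "memory/2912-47-0x000007FEED390000-0x000007FEEDF14000-memory.dmp",
]

# Reported sizes of the dropped files, from the Downloads section above.
DROPPED_FILE_SIZES_MIB = {"XClient.exe": 7.0, "AgileDotNetRT64.dll": 4.2}

NAME_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name: str) -> Dict:
    """Split one artefact name into pid, capture index, start, end and byte length."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    start_i, end_i = int(start, 16), int(end, 16)
    if end_i <= start_i:
        raise ValueError(f"end precedes start in {name}")
    return {"pid": int(pid), "seq": int(seq), "start": start_i, "end": end_i, "size": end_i - start_i}


def mib(n: int) -> float:
    """Bytes to MiB rounded to one decimal, matching the report's 'Filesize' rounding."""
    return round(n / (1024 * 1024), 1)


def distinct_regions(names: Iterable[str]) -> List[Dict]:
    """Collapse repeated captures of the same [start, end) range, keeping the capture indexes."""
    regions: "OrderedDict[tuple, Dict]" = OrderedDict()
    for d in (parse_dump_name(n) for n in names):
        key = (d["pid"], d["start"], d["end"])
        r = regions.setdefault(key, {"pid": d["pid"], "start": d["start"], "end": d["end"],
                                     "size": d["size"], "captures": []})
        r["captures"].append(d["seq"])
    out = list(regions.values())
    for r in out:
        r["captures"].sort()
    return sorted(out, key=lambda r: r["start"])


def match_regions_to_files(regions: List[Dict], file_sizes_mib: Dict[str, float]) -> Dict[str, int]:
    """Heuristic: a region whose rounded size equals a dropped file's reported size may be that file's image mapping."""
    matches: Dict[str, int] = {}
    for fname, size in file_sizes_mib.items():
        for r in regions:
            if mib(r["size"]) == size:
                matches[fname] = r["start"]
    return matches


if __name__ == "__main__":
    regs = distinct_regions(DUMP_NAMES)
    for r in regs:
        print(f"pid {r['pid']} 0x{r['start']:016X}-0x{r['end']:016X} "
              f"{mib(r['size'])} MiB, captured {len(r['captures'])}x {r['captures']}")
    for fname, base in match_regions_to_files(regs, DROPPED_FILE_SIZES_MIB).items():
        print(f"{fname} size matches region at 0x{base:X}")
```

Collapsing the list shows there are only three regions behind nineteen entries: the 11.5MB mapping at 0x000007FEED390000 was captured repeatedly as the process ran, the 1.2MB mapping at 0x000007FEF6FE0000 once, and the 7.0MB region at 0xA20000 once. AgileDotNetRT64.dll (4.2MB) matches none of them by size, so nothing here locates that module in memory.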