Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 27-08-2024 13:51
Behavioral task
- behavioral1
  Sample: notepad.exe
  Resource: win7-20240708-en
General
- Target: notepad.exe
- Size: 7.7MB
- MD5: 308076a3c4302e9b4222c8acbf16d4df
- SHA1: c5859a06ae6a5f39477ecee29bddd29d85665e92
- SHA256: 045eeb206a8c81482668ca5179c38f8378d077eedcc26ea50d70fa217e358f86
- SHA512: 8bd107af9200258267928949766216800e7c716d87ceb3798ad8b0c3eff8e266bc5a1f517306fc2d0891267dceb1592fce4693f8dcc2a7e0a858a15b0981cfa7
- SSDEEP: 98304:BVh/iB2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD89:BcUG4raKu24YY7HVT4hV0AD6QgqKRgX
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | notepad.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | notepad.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | notepad.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    2624 | notepad.exe
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes (resource | yara_rule):
    behavioral1/memory/2624-1-0x00000000008A0000-0x0000000001052000-memory.dmp | agile_net
- Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Local\Temp\d3645f78-34e2-43a5-8206-57f8eb79c42a\AgileDotNetRT64.dll | themida
    behavioral1/memory/2624-9-0x000007FEF2990000-0x000007FEF3514000-memory.dmp | themida
    behavioral1/memory/2624-12-0x000007FEF2990000-0x000007FEF3514000-memory.dmp | themida
    behavioral1/memory/2624-22-0x000007FEF2990000-0x000007FEF3514000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | notepad.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid | process):
    2624 | notepad.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Processes
- C:\Users\Admin\AppData\Local\Temp\notepad.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
  PID: 2624
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4.2MB
  MD5: 05b012457488a95a05d0541e0470d392
  SHA1: 74f541d6a8365508c794ef7b4ac7c297457f9ce3
  SHA256: 1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d
  SHA512: 6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6