Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    27-08-2024 13:51

General

  • Target

    notepad.exe

  • Size

    7.7MB

  • MD5

    308076a3c4302e9b4222c8acbf16d4df

  • SHA1

    c5859a06ae6a5f39477ecee29bddd29d85665e92

  • SHA256

    045eeb206a8c81482668ca5179c38f8378d077eedcc26ea50d70fa217e358f86

  • SHA512

    8bd107af9200258267928949766216800e7c716d87ceb3798ad8b0c3eff8e266bc5a1f517306fc2d0891267dceb1592fce4693f8dcc2a7e0a858a15b0981cfa7

  • SSDEEP

    98304:BVh/iB2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD89:BcUG4raKu24YY7HVT4hV0AD6QgqKRgX

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

Processes

  • C:\Users\Admin\AppData\Local\Temp\notepad.exe
    "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2624

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\d3645f78-34e2-43a5-8206-57f8eb79c42a\AgileDotNetRT64.dll

    Filesize

    4.2MB

    MD5

    05b012457488a95a05d0541e0470d392

    SHA1

    74f541d6a8365508c794ef7b4ac7c297457f9ce3

    SHA256

    1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d

    SHA512

    6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

  • memory/2624-0-0x000007FEF5923000-0x000007FEF5924000-memory.dmp

    Filesize

    4KB

  • memory/2624-1-0x00000000008A0000-0x0000000001052000-memory.dmp

    Filesize

    7.7MB

  • memory/2624-2-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

    Filesize

    9.9MB

  • memory/2624-9-0x000007FEF2990000-0x000007FEF3514000-memory.dmp

    Filesize

    11.5MB

  • memory/2624-10-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

    Filesize

    9.9MB

  • memory/2624-12-0x000007FEF2990000-0x000007FEF3514000-memory.dmp

    Filesize

    11.5MB

  • memory/2624-20-0x000007FEF4160000-0x000007FEF428C000-memory.dmp

    Filesize

    1.2MB

  • memory/2624-21-0x000000001B730000-0x000000001B7D6000-memory.dmp

    Filesize

    664KB

  • memory/2624-22-0x000007FEF2990000-0x000007FEF3514000-memory.dmp

    Filesize

    11.5MB

  • memory/2624-23-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

    Filesize

    9.9MB