Analysis

  • max time kernel
    15s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    01-09-2024 05:30

General

  • Target

    f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe

  • Size

    5.8MB

  • MD5

    ac1247ec24ed0024003f6ae568d688f8

  • SHA1

    ed3f14a80e9ff8bdcea62753799304d48e83afa0

  • SHA256

    f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353

  • SHA512

    3e4ea371139f7d4423d54e79805598f7f79e4f053c5bbff6d214045b44c9604db2fb6b1c9695ef75c786b2550176460a70d80be19e451ddc6f0ee910f8c2ee5d

  • SSDEEP

    98304:ucLhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uc1g53HRVu7vHDpS1IqBRU7kCs2q

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
    "C:\Users\Admin\AppData\Local\Temp\f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Users\Admin\AppData\Local\Temp\uranigger.exe
      "C:\Users\Admin\AppData\Local\Temp\uranigger.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 424
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\uranigger.exe

    Filesize

    524KB

    MD5

    10b558706690282a3807ccce1b334e14

    SHA1

    49b7d8c418e6cdd0cc626033b1f02b5b8dd8377e

    SHA256

    87d0cdf3d07df967d23c4399114212dd0832cdca68b329d181ba40637972a9a9

    SHA512

    4055bfa748a86a7141e6a331517564e7fefc23f39c62577c6eb7fbf3b0741e5b22d76e5e5407f13eb824e96b21eab1c068b717ef695413ee40ca20d94da41295

  • \Users\Admin\AppData\Local\Temp\956af42f-64cf-459d-ac64-6a6100c842f9\AgileDotNetRT.dll

    Filesize

    2.2MB

    MD5

    2d86c4ad18524003d56c1cb27c549ba8

    SHA1

    123007f9337364e044b87deacf6793c2027c8f47

    SHA256

    091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280

    SHA512

    0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

  • memory/2128-2-0x00000000748E0000-0x0000000074E8B000-memory.dmp

    Filesize

    5.7MB

  • memory/2128-0-0x00000000748E1000-0x00000000748E2000-memory.dmp

    Filesize

    4KB

  • memory/2128-9-0x00000000742D0000-0x00000000748D8000-memory.dmp

    Filesize

    6.0MB

  • memory/2128-10-0x00000000742D0000-0x00000000748D8000-memory.dmp

    Filesize

    6.0MB

  • memory/2128-11-0x00000000748E0000-0x0000000074E8B000-memory.dmp

    Filesize

    5.7MB

  • memory/2128-12-0x00000000742D0000-0x00000000748D8000-memory.dmp

    Filesize

    6.0MB

  • memory/2128-13-0x0000000075210000-0x000000007526B000-memory.dmp

    Filesize

    364KB

  • memory/2128-1-0x00000000748E0000-0x0000000074E8B000-memory.dmp

    Filesize

    5.7MB

  • memory/2128-26-0x00000000748E0000-0x0000000074E8B000-memory.dmp

    Filesize

    5.7MB

  • memory/2128-25-0x00000000742D0000-0x00000000748D8000-memory.dmp

    Filesize

    6.0MB

  • memory/2696-24-0x00000000748E0000-0x0000000074E8B000-memory.dmp

    Filesize

    5.7MB

  • memory/2696-28-0x00000000748E0000-0x0000000074E8B000-memory.dmp

    Filesize

    5.7MB