Analysis
max time kernel: 15s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 01-09-2024 05:30
Behavioral task: behavioral1
Sample: f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
Resource: win7-20240729-en
General
Target: f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
Size: 5.8MB
MD5: ac1247ec24ed0024003f6ae568d688f8
SHA1: ed3f14a80e9ff8bdcea62753799304d48e83afa0
SHA256: f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353
SHA512: 3e4ea371139f7d4423d54e79805598f7f79e4f053c5bbff6d214045b44c9604db2fb6b1c9695ef75c786b2550176460a70d80be19e451ddc6f0ee910f8c2ee5d
SSDEEP: 98304:ucLhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uc1g53HRVu7vHDpS1IqBRU7kCs2q
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
    f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
      Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- Executes dropped EXE (1 IoC)
  Processes:
    PID 2696  uranigger.exe
- Loads dropped DLL (4 IoCs)
  Processes:
    PID 2128  f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe (3 loads)
    PID 2740  dw20.exe (1 load)
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Resources (yara_rule):
    C:\Users\Admin\AppData\Local\Temp\uranigger.exe -> agile_net
- YARA rule match: themida
  Resources (yara_rule):
    \Users\Admin\AppData\Local\Temp\956af42f-64cf-459d-ac64-6a6100c842f9\AgileDotNetRT.dll -> themida
    behavioral1/memory/2128-9-0x00000000742D0000-0x00000000748D8000-memory.dmp -> themida
    behavioral1/memory/2128-10-0x00000000742D0000-0x00000000748D8000-memory.dmp -> themida
    behavioral1/memory/2128-12-0x00000000742D0000-0x00000000748D8000-memory.dmp -> themida
    behavioral1/memory/2128-25-0x00000000742D0000-0x00000000748D8000-memory.dmp -> themida
- Checks whether UAC is enabled
  Processes:
    f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
      Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
    PID 2128  f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    dw20.exe
      Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
      Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    uranigger.exe
      Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 2128 (f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe) wrote to memory of PID 2696 (uranigger.exe), 4 times
    PID 2696 (uranigger.exe) wrote to memory of PID 2740 (dw20.exe), 4 times
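The registry IoCs above (VBOX__ ACPI table, BIOS version strings, EnableLUA, NLS\Language) are the raw material for a triage rule. The following Python is an added example, not part of the sandbox's report or its signature engine: it parses event lines in the same "Key opened / Key value queried <path> <process>" shape as the rows above and tags each process with the behaviour the key implies. The event lines are retyped here from the report (constructed, not captured), the tag names are my own, and the FADT/RSDT entries in the VirtualBox rule are a generalisation of the DSDT hit in the report, since VirtualBox publishes all three ACPI tables under the VBOX__ name.

```python
import re
from collections import defaultdict

# Constructed event lines modelled on the IoC rows in this report (not captured from the sandbox).
SAMPLE = "f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe"
SAMPLE_EVENTS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ " + SAMPLE,
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion " + SAMPLE,
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion " + SAMPLE,
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA " + SAMPLE,
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language " + SAMPLE,
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language uranigger.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dw20.exe",
    # A benign-looking key (constructed) to show that unmatched events are kept, not silently dropped.
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion uranigger.exe",
]

# "<operation> <registry path> <process image>"; the path may contain spaces, the image name may not.
EVENT_RE = re.compile(r"^(Key opened|Key value queried)\s+(\\REGISTRY\\.+?)\s+(\S+)$")

# Ordered rules: first match wins. Tag names are this example's own vocabulary, not the report's.
RULES = [
    # DSDT is the table hit in the report; FADT and RSDT are the other VirtualBox-named tables (generalisation).
    (re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I), "anti-vm:virtualbox-acpi"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I), "anti-sandbox:bios-fingerprint"),
    (re.compile(r"\\Policies\\System\\EnableLUA$", re.I), "recon:uac-enabled"),
    (re.compile(r"\\Control\\NLS\\Language$", re.I), "discovery:system-language"),
]


def parse_event(line):
    """Split one sandbox registry event into operation, key path and process; None if malformed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"op": m.group(1), "key": m.group(2), "process": m.group(3)}


def classify_key(key):
    """Return the behaviour tag for a registry path, or None when no rule applies."""
    for pattern, tag in RULES:
        if pattern.search(key):
            return tag
    return None


def summarize(lines):
    """Map each process to the sorted set of tags its registry activity triggered.

    Returns (summary, unmatched) so that keys no rule covers can be reviewed by hand.
    """
    tags = defaultdict(set)
    unmatched = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        tag = classify_key(ev["key"])
        if tag is None:
            unmatched.append(ev)
        else:
            tags[ev["process"]].add(tag)
    return {proc: sorted(t) for proc, t in tags.items()}, unmatched


def anti_analysis_processes(summary):
    """Processes that probed for a VM or sandbox, i.e. carry any 'anti-' tag."""
    return sorted(p for p, t in summary.items() if any(tag.startswith("anti-") for tag in t))


if __name__ == "__main__":
    summary, unmatched = summarize(SAMPLE_EVENTS)
    for proc, t in summary.items():
        print(f"{proc}: {', '.join(t)}")
    print("anti-analysis:", anti_analysis_processes(summary))
    print("unmatched:", [(e['process'], e['key']) for e in unmatched])
```

The rule table deliberately matches on the tail of the key path rather than the full string, so it still fires when the sandbox reports HKLM\... instead of \REGISTRY\MACHINE\..., and the language-discovery rule fires for dw20.exe as well, which is why that tag alone is not a verdict: only the anti-VM and BIOS probes separate the sample from the error-reporting helper it spawned.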
Processes
1. C:\Users\Admin\AppData\Local\Temp\f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Loads dropped DLL
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2128
   2. C:\Users\Admin\AppData\Local\Temp\uranigger.exe (child of PID 2128)
      Command line: "C:\Users\Admin\AppData\Local\Temp\uranigger.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2696
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (child of PID 2696)
         Command line: dw20.exe -x -s 424
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         PID: 2740
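The nesting in the process tree is recoverable from the WriteProcessMemory IoCs alone: a parent writes into a child's address space while creating it, so repeated writes from one PID into another mark a parent/child edge. The Python below is an added example (not the sandbox's own code) that rebuilds the tree from event lines in the same "PID A wrote to memory of B A image-A image-B" shape as the report's rows; the lines are retyped from the report and labelled constructed, and the rendering format is my own. One reading of the reconstructed tree worth stating: dw20.exe under v2.0.50727 is the .NET Framework error-reporting shim that the runtime launches when a managed process dies on an unhandled exception, so the dropped uranigger.exe most likely crashed inside the 15-second run and the recorded behaviour may be incomplete.

```python
import re
from collections import Counter, defaultdict

# Constructed copy of the eight WriteProcessMemory IoC rows from this report (retyped, not captured).
SAMPLE = "f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe"
WRITE_EVENTS = (
    [f"PID 2128 wrote to memory of 2696 2128 {SAMPLE} uranigger.exe"] * 4
    + ["PID 2696 wrote to memory of 2740 2696 uranigger.exe dw20.exe"] * 4
)

# "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")


def parse_writes(lines):
    """Return ({(writer_pid, target_pid): write count}, {pid: image name}); malformed lines are skipped."""
    counts = Counter()
    names = {}
    for line in lines:
        m = WRITE_RE.match(line)
        if not m:
            continue
        writer, target, writer_name, target_name = m.groups()
        writer, target = int(writer), int(target)
        counts[(writer, target)] += 1
        names[writer] = writer_name
        names[target] = target_name
    return counts, names


def build_tree(counts):
    """Roots are writers that nobody wrote into; children are the PIDs each writer touched."""
    children = defaultdict(list)
    targets = set()
    for writer, target in counts:
        children[writer].append(target)
        targets.add(target)
    roots = sorted(pid for pid in children if pid not in targets)
    return roots, children


def depths(counts):
    """Depth of each PID, 1 for a root, matching the 1/2/3 levels the report prints."""
    roots, children = build_tree(counts)
    depth = {}
    stack = [(r, 1) for r in roots]
    while stack:
        pid, d = stack.pop()
        if pid in depth:          # already placed (guards against cyclic, malformed input)
            continue
        depth[pid] = d
        stack.extend((c, d + 1) for c in children.get(pid, []))
    return depth


def render(counts, names):
    """Indented text tree, one line per process and one per parent->child write edge."""
    roots, children = build_tree(counts)
    out, seen = [], set()

    def walk(pid, depth):
        if pid in seen:           # cycle guard for malformed input
            return
        seen.add(pid)
        indent = "    " * (depth - 1)
        out.append(f"{indent}{depth}. {names.get(pid, '?')} (PID {pid})")
        for child in sorted(children.get(pid, [])):
            out.append(f"{indent}   {counts[(pid, child)]} write(s) into PID {child}")
            walk(child, depth + 1)

    for root in roots:
        walk(root, 1)
    return out


if __name__ == "__main__":
    counts, names = parse_writes(WRITE_EVENTS)
    print("\n".join(render(counts, names)))
```

Four writes per child, as here, is consistent with ordinary process launch on this platform and is not by itself evidence of injection. The signal that would matter is a write into a PID the writer did not create, and deciding that requires correlating these rows with process-creation events, which this report does not list.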
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 524KB
  MD5: 10b558706690282a3807ccce1b334e14
  SHA1: 49b7d8c418e6cdd0cc626033b1f02b5b8dd8377e
  SHA256: 87d0cdf3d07df967d23c4399114212dd0832cdca68b329d181ba40637972a9a9
  SHA512: 4055bfa748a86a7141e6a331517564e7fefc23f39c62577c6eb7fbf3b0741e5b22d76e5e5407f13eb824e96b21eab1c068b717ef695413ee40ca20d94da41295
- Filesize: 2.2MB
  MD5: 2d86c4ad18524003d56c1cb27c549ba8
  SHA1: 123007f9337364e044b87deacf6793c2027c8f47
  SHA256: 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
  SHA512: 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c