Analysis

  • max time kernel
    141s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-09-2024 05:30

General

  • Target

    f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe

  • Size

    5.8MB

  • MD5

    ac1247ec24ed0024003f6ae568d688f8

  • SHA1

    ed3f14a80e9ff8bdcea62753799304d48e83afa0

  • SHA256

    f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353

  • SHA512

    3e4ea371139f7d4423d54e79805598f7f79e4f053c5bbff6d214045b44c9604db2fb6b1c9695ef75c786b2550176460a70d80be19e451ddc6f0ee910f8c2ee5d

  • SSDEEP

    98304:ucLhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uc1g53HRVu7vHDpS1IqBRU7kCs2q

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
    "C:\Users\Admin\AppData\Local\Temp\f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3220
    • C:\Users\Admin\AppData\Local\Temp\uranigger.exe
      "C:\Users\Admin\AppData\Local\Temp\uranigger.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:636
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 840
        3⤵
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:2724

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\956af42f-64cf-459d-ac64-6a6100c842f9\AgileDotNetRT.dll

    Filesize

    2.2MB

    MD5

    2d86c4ad18524003d56c1cb27c549ba8

    SHA1

    123007f9337364e044b87deacf6793c2027c8f47

    SHA256

    091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280

    SHA512

    0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

  • C:\Users\Admin\AppData\Local\Temp\uranigger.exe

    Filesize

    524KB

    MD5

    10b558706690282a3807ccce1b334e14

    SHA1

    49b7d8c418e6cdd0cc626033b1f02b5b8dd8377e

    SHA256

    87d0cdf3d07df967d23c4399114212dd0832cdca68b329d181ba40637972a9a9

    SHA512

    4055bfa748a86a7141e6a331517564e7fefc23f39c62577c6eb7fbf3b0741e5b22d76e5e5407f13eb824e96b21eab1c068b717ef695413ee40ca20d94da41295

  • memory/636-27-0x0000000074A60000-0x0000000075011000-memory.dmp

    Filesize

    5.7MB

  • memory/636-37-0x0000000074A60000-0x0000000075011000-memory.dmp

    Filesize

    5.7MB

  • memory/636-30-0x0000000074A60000-0x0000000075011000-memory.dmp

    Filesize

    5.7MB

  • memory/3220-14-0x0000000073780000-0x00000000737DB000-memory.dmp

    Filesize

    364KB

  • memory/3220-13-0x0000000072990000-0x0000000072F98000-memory.dmp

    Filesize

    6.0MB

  • memory/3220-10-0x0000000072990000-0x0000000072F98000-memory.dmp

    Filesize

    6.0MB

  • memory/3220-2-0x0000000074A60000-0x0000000075011000-memory.dmp

    Filesize

    5.7MB

  • memory/3220-0-0x0000000074A62000-0x0000000074A63000-memory.dmp

    Filesize

    4KB

  • memory/3220-12-0x0000000074A60000-0x0000000075011000-memory.dmp

    Filesize

    5.7MB

  • memory/3220-29-0x0000000074A60000-0x0000000075011000-memory.dmp

    Filesize

    5.7MB

  • memory/3220-11-0x0000000072990000-0x0000000072F98000-memory.dmp

    Filesize

    6.0MB

  • memory/3220-28-0x0000000072990000-0x0000000072F98000-memory.dmp

    Filesize

    6.0MB

  • memory/3220-1-0x0000000074A60000-0x0000000075011000-memory.dmp

    Filesize

    5.7MB