Analysis
-
max time kernel
141s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system -
submitted
01-09-2024 05:30
Behavioral task
behavioral1
Sample
f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
Resource
win7-20240729-en
General
-
Target
f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
-
Size
5.8MB
-
MD5
ac1247ec24ed0024003f6ae568d688f8
-
SHA1
ed3f14a80e9ff8bdcea62753799304d48e83afa0
-
SHA256
f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353
-
SHA512
3e4ea371139f7d4423d54e79805598f7f79e4f053c5bbff6d214045b44c9604db2fb6b1c9695ef75c786b2550176460a70d80be19e451ddc6f0ee910f8c2ee5d
-
SSDEEP
98304:ucLhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uc1g53HRVu7vHDpS1IqBRU7kCs2q
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
-
Executes dropped EXE 1 IoCs
Processes:
uranigger.exe
pid | process
636 | uranigger.exe
-
Loads dropped DLL 1 IoCs
Processes:
f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
pid | process
3220 | f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\uranigger.exe | agile_net
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\956af42f-64cf-459d-ac64-6a6100c842f9\AgileDotNetRT.dll | themida
behavioral2/memory/3220-11-0x0000000072990000-0x0000000072F98000-memory.dmp | themida
behavioral2/memory/3220-13-0x0000000072990000-0x0000000072F98000-memory.dmp | themida
behavioral2/memory/3220-10-0x0000000072990000-0x0000000072F98000-memory.dmp | themida
behavioral2/memory/3220-28-0x0000000072990000-0x0000000072F98000-memory.dmp | themida
-
Checks whether UAC is enabled 1 IoCs
Processes:
f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
pid | process
3220 | f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe, uranigger.exe, dw20.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uranigger.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dw20.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dw20.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
dw20.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
dw20.exe
description | pid | process
Token: SeRestorePrivilege | 2724 | dw20.exe
Token: SeBackupPrivilege | 2724 | dw20.exe
Token: SeBackupPrivilege | 2724 | dw20.exe
Token: SeBackupPrivilege | 2724 | dw20.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe, uranigger.exe
description | pid | process | target process
PID 3220 wrote to memory of 636 | 3220 | f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe | uranigger.exe
PID 3220 wrote to memory of 636 | 3220 | f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe | uranigger.exe
PID 3220 wrote to memory of 636 | 3220 | f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe | uranigger.exe
PID 636 wrote to memory of 2724 | 636 | uranigger.exe | dw20.exe
PID 636 wrote to memory of 2724 | 636 | uranigger.exe | dw20.exe
PID 636 wrote to memory of 2724 | 636 | uranigger.exe | dw20.exe
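The registry signatures above are pattern matches over the recorded key paths, and the WriteProcessMemory rows are what the process tree under "Processes" is built from. The Python below is an added example and is not part of the sandbox report or its signature engine: it re-derives the IoC counts from the report's own registry records (transcribed from the tables above as constructed input) using regex rules that are this example's own approximation of the signature categories (the VirtualBox rule is generalised to the FADT and RSDT ACPI tables VirtualBox also stamps with VBOX__, which this report does not show), and collapses the duplicated writer/target rows into the parent/child tree.

```python
import re
from collections import defaultdict

# Added example: re-derives the report's registry signatures and process tree.
# Not the sandbox's own code; the rules below are this example's approximation.

SAMPLE = "f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe"

# Registry IoCs transcribed from the report tables: (process, operation, path).
REGISTRY_EVENTS = [
    (SAMPLE, "Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    (SAMPLE, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (SAMPLE, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (SAMPLE, "Key value queried", r"\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation"),
    (SAMPLE, "Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    (SAMPLE, "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("uranigger.exe", "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("dw20.exe", "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("dw20.exe", "Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0"),
    ("dw20.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"),
    ("dw20.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    ("dw20.exe", "Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS"),
    ("dw20.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"),
]

# Signature name -> regex over the registry path. Case-insensitive because the
# report mixes HARDWARE\DESCRIPTION and Hardware\Description for the same key.
SIGNATURES = {
    # generalised beyond the report: VirtualBox stamps DSDT, FADT and RSDT with VBOX__
    "Identifies VirtualBox via ACPI registry values": re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    "Checks BIOS information in registry": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
    "Checks computer location settings": re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I),
    "Checks whether UAC is enabled": re.compile(r"\\Policies\\System\\EnableLUA$", re.I),
    "System Location Discovery: System Language Discovery": re.compile(r"\\Control\\NLS\\Language$", re.I),
    "Checks processor information in registry": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I),
    "Enumerates system info in registry": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\|$)", re.I),
}


def match_signatures(events, signatures=SIGNATURES):
    """Map each signature to the (process, operation, path) records it matched."""
    hits = defaultdict(list)
    for proc, op, path in events:
        for name, pattern in signatures.items():
            if pattern.search(path):
                hits[name].append((proc, op, path))
    return dict(hits)


def ioc_counts(events, signatures=SIGNATURES):
    """IoC count per signature: the number the report prints beside each heading."""
    return {name: len(rows) for name, rows in match_signatures(events, signatures).items()}


def processes_per_signature(events, signatures=SIGNATURES):
    """Which processes triggered each signature (the report's 'Processes:' line)."""
    return {name: sorted({row[0] for row in rows})
            for name, rows in match_signatures(events, signatures).items()}


# WriteProcessMemory rows as logged: (writer pid, target pid), one row per call.
WRITE_EDGES = [(3220, 636)] * 3 + [(636, 2724)] * 3
PROCESS_NAMES = {3220: SAMPLE, 636: "uranigger.exe", 2724: "dw20.exe"}


def build_tree(edges, names):
    """Collapse duplicate writer->target rows into one edge each and render the
    tree the report shows under 'Processes'. Assumes, as the report does, that the
    process writing into a newly created pid is its parent."""
    children = defaultdict(list)
    for parent, child in dict.fromkeys(edges):  # dedupe, keep first-seen order
        children[parent].append(child)
    targets = {child for _, child in edges}
    roots = [pid for pid in names if pid not in targets]

    def render(pid, depth):
        lines = [f"{'  ' * depth}{names[pid]} (PID {pid})"]
        for child in children[pid]:
            lines.extend(render(child, depth + 1))
        return lines

    return [line for root in roots for line in render(root, 0)]


if __name__ == "__main__":
    procs = processes_per_signature(REGISTRY_EVENTS)
    for name, n in ioc_counts(REGISTRY_EVENTS).items():
        print(f"{n} IoCs  {name}  <- {', '.join(procs[name])}")
    print("\n".join(build_tree(WRITE_EDGES, PROCESS_NAMES)))
```

The rules attribute hits per process exactly as the report does, so the CentralProcessor and BIOS reads by dw20.exe count as signature hits even though they are made by a Windows component rather than the sample; deciding whether such third-party reads are sample behaviour is a judgement the rules do not make.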
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f6ac93058c6257dee00946df9f7d2c56290386750d38fc2ebc00dc23c58b2353.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks computer location settings
   - Loads dropped DLL
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 3220
   2. C:\Users\Admin\AppData\Local\Temp\uranigger.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\uranigger.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 636
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
         Command line: dw20.exe -x -s 840
         - System Location Discovery: System Language Discovery
         - Checks processor information in registry
         - Enumerates system info in registry
         - Suspicious use of AdjustPrivilegeToken
         PID: 2724
Note: dw20.exe is the .NET Framework error-reporting shim, which the CLR launches as "dw20.exe -x -s <handle>" when a managed process terminates on an unhandled exception. Its position as a child of uranigger.exe therefore indicates that the dropped executable crashed in the sandbox, and the processor/BIOS registry reads and SeBackupPrivilege/SeRestorePrivilege token adjustments attributed to PID 2724 are consistent with crash-report collection rather than behaviour of the sample itself.
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.2MB
MD5 2d86c4ad18524003d56c1cb27c549ba8
SHA1 123007f9337364e044b87deacf6793c2027c8f47
SHA256 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c
-
Filesize
524KB
MD5 10b558706690282a3807ccce1b334e14
SHA1 49b7d8c418e6cdd0cc626033b1f02b5b8dd8377e
SHA256 87d0cdf3d07df967d23c4399114212dd0832cdca68b329d181ba40637972a9a9
SHA512 4055bfa748a86a7141e6a331517564e7fefc23f39c62577c6eb7fbf3b0741e5b22d76e5e5407f13eb824e96b21eab1c068b717ef695413ee40ca20d94da41295