Analysis Overview
SHA256
bcf68a26d93f182b81cb9f211b7f4fafc8dd283e68f2957bb19185817753c605
Threat Level: Likely malicious
The file Imian ARK INI.exe was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Checks computer location settings
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 03:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 03:22
Reported
2024-11-04 03:26
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
142s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Imian ARK INI.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Imian ARK INI.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Imian ARK INI.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Imian ARK INI.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Imian ARK INI.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Imian ARK INI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Imian ARK INI.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Imian ARK INI.exe
"C:\Users\Admin\AppData\Local\Temp\Imian ARK INI.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keywarden.ovh | udp |
| US | 172.67.195.208:443 | keywarden.ovh | tcp |
| US | 8.8.8.8:53 | 208.195.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 03:22
Reported
2024-11-04 03:22
Platform
win7-20241010-en
Max time kernel
13s
Max time network
19s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Imian ARK INI.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Imian ARK INI.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Imian ARK INI.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Imian ARK INI.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Imian ARK INI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Imian ARK INI.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Imian ARK INI.exe
"C:\Users\Admin\AppData\Local\Temp\Imian ARK INI.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keywarden.ovh | udp |
| US | 104.21.65.248:443 | keywarden.ovh | tcp |
Files