General

  • Target

    RoninTweaksCLI.exe

  • Size

    20.2MB

  • Sample

    250113-a53kbazngm

  • MD5

    dec4195c43406f1f320736f60652bfe9

  • SHA1

    70dc031d189941ff459c913ac3dd6c2c3385b34d

  • SHA256

    73eb7bbb9f058df128bc5cb1d55218d3e9d42811b84f8c0b9983f84dcaaef3f2

  • SHA512

    b5807dd5afa15f6c1f05172721a5f7ac512c164b545c8f83b5871f77ee69386ff05bd8ee62ffd77aaef5ad489fdded312f33abf2dc24935bb9f3fa15086304a1

  • SSDEEP

    393216:g5tptnIVZd7p9mdLt/WVi0teZKwnOEGL26VjSQS6yL:utDGL7p8dai06KRq6RSH6yL

Malware Config

Targets

    • Target

      RoninTweaksCLI.exe

    • Size

      20.2MB

    • MD5

      dec4195c43406f1f320736f60652bfe9

    • SHA1

      70dc031d189941ff459c913ac3dd6c2c3385b34d

    • SHA256

      73eb7bbb9f058df128bc5cb1d55218d3e9d42811b84f8c0b9983f84dcaaef3f2

    • SHA512

      b5807dd5afa15f6c1f05172721a5f7ac512c164b545c8f83b5871f77ee69386ff05bd8ee62ffd77aaef5ad489fdded312f33abf2dc24935bb9f3fa15086304a1

    • SSDEEP

      393216:g5tptnIVZd7p9mdLt/WVi0teZKwnOEGL26VjSQS6yL:utDGL7p8dai06KRq6RSH6yL

    • UAC bypass

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks