General
Target: RoninTweaksCLI.exe
Size: 20.2MB
Sample: 250113-a53kbazngm
MD5: dec4195c43406f1f320736f60652bfe9
SHA1: 70dc031d189941ff459c913ac3dd6c2c3385b34d
SHA256: 73eb7bbb9f058df128bc5cb1d55218d3e9d42811b84f8c0b9983f84dcaaef3f2
SHA512: b5807dd5afa15f6c1f05172721a5f7ac512c164b545c8f83b5871f77ee69386ff05bd8ee62ffd77aaef5ad489fdded312f33abf2dc24935bb9f3fa15086304a1
SSDEEP: 393216:g5tptnIVZd7p9mdLt/WVi0teZKwnOEGL26VjSQS6yL:utDGL7p8dai06KRq6RSH6yL
Malware Config
Targets
Target: RoninTweaksCLI.exe (same size and hashes as listed under General)

Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Power Settings: powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Power Settings (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (1)